Page 142 of 1072 results (0.035 seconds)

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0

CVE-2015-1395

https://notcve.org/view.php?id=CVE-2015-1395

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name. Una vulnerabilidad de salto de directorio en GNU en versiones de parche que soportan parcheo Git-style en versiones anteriores a la 2.7.3 permite que atacantes remotos escriban en archivos arbitrarios con los permisos del usuario objetivo mediante un ".." (dot dot) en el nombre de un archivo diff. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html http://www.openwall.com/lists/oss-security/2015/01/27/28 http://www.securityfocus.com/bid/72846 http://www.ubuntu.com/usn/USN-2651-1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873 https://bugzilla.redhat.com/show_bug.cgi?id=1184490 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=17953b5893f7c9835f0dd2a704 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.1EPSS: 1%CPEs: 7EXPL: 0

CVE-2014-9637

https://notcve.org/view.php?id=CVE-2014-9637

GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. GNU parche 2.7.2 y anteriores permite que atacantes remotos provoquen una denegación de servicio (consumo de memoria y error de segmentación) mediante un archivo diff manipulado. • http://advisories.mageia.org/MGASA-2015-0068.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html http://www.openwall.com/lists/oss-security/2015/01/22/7 http://www.securityfocus.com/bid/72286 http://www.ubuntu.com/usn/USN-2651-1 https://bugzilla.redhat.com/show_bug.cgi?id=1185262 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=0c08d7a902c6fdd49b704623a12d8d672ef18944 • CWE-399: Resource Management Errors •

CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0

CVE-2013-7423 – glibc: getaddrinfo() writes DNS queries to random file descriptors under high load

https://notcve.org/view.php?id=CVE-2013-7423

The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. La función send_dg en resolv/res_send.c en GNU C Library (también conocido como glibc o libc6) en versiones anteriores a 2.20 no reutiliza adecuadamente descriptores de fichero, lo que permite a atacantes remotos mandar consultas DNS a ubicaciones no intencionadas a través de un gran número de peticiones que desencadenan una llamada a la función getaddrinfo. It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data. Many Moxa devices suffer from command injection, cross site scripting, and outdated software vulnerabilities. • http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html http://rhn.redhat.com/errata/RHSA-2015-0863.html http://seclists.org/fulldisclosure/2021/Sep/0 http://www.openwall.com/lists/oss-security/2015/01/28/20 http://www.securityfocus.com/bid/72844 http://www.ubuntu.com/usn/USN-2519-1 https://access.redhat.com/errata/RHSA-2016:1207 https://github.com/golang&# • CWE-17: DEPRECATED: Code CWE-201: Insertion of Sensitive Information Into Sent Data •

CVSS: 7.8EPSS: 11%CPEs: 7EXPL: 1

CVE-2014-9402 – glibc: denial of service in getnetbyname function

https://notcve.org/view.php?id=CVE-2014-9402

The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. La implementación nss_dns de getnetbyname en GNU C Library (también conocido como glibc) anterior a 2.21, cuando el backend DNS en la configuración Name Service Switch está habilitado, permite a atacantes remotos causar una denegación de servicio (bucle infinito) mediante el envió de una respuesta positiva mientras el nombre de una red está siendo procesada. Many Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities. • http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html http://seclists.org/fulldisclosure/2019/Jun/18 http://seclists.org/fulldisclosure/2019/Sep/7 http://www.openwall.com/lists/oss-security/2014/12/18/1 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628&# • CWE-399: Resource Management Errors CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 5.1EPSS: 1%CPEs: 1EXPL: 0

CVE-2013-7424 – glibc: Invalid-free when using getaddrinfo()

https://notcve.org/view.php?id=CVE-2013-7424

The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6. Vulnerabilidad en la función getaddrinfo en glibc en versiones anteriores a 2.15, cuando es compilado con libidn y es utilizado el indicador AI_IDN, permite a atacantes dependientes de contexto provocar una denegación de servicio (liberación de memoria no válida) y posiblemente ejecutar código arbitrario a través de vectores no especificados, según lo demostrado en un nombre de dominio internacionalizado para ping6. An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag. A remote attacker able to make an application call this function could use this flaw to execute arbitrary code with the permissions of the user running the application. Note that this flaw only affected applications using glibc compiled with libidn support. • http://rhn.redhat.com/errata/RHSA-2015-1627.html http://www.openwall.com/lists/oss-security/2015/01/29/21 http://www.securityfocus.com/bid/72710 https://bugzilla.redhat.com/show_bug.cgi?id=1186614 https://bugzilla.redhat.com/show_bug.cgi?id=981942 https://sourceware.org/bugzilla/show_bug.cgi?id=18011 https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=2e96f1c7 https://access.redhat.com/security/cve/CVE-2013-7424 • CWE-17: DEPRECATED: Code •