CVSS: 8.1EPSS: 28%CPEs: 8EXPL: 0CVE-2018-16873 – Gentoo Linux Security Advisory 201812-09
https://notcve.org/view.php?id=CVE-2018-16873
14 Dec 2018 — In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git"... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-18849 – Ubuntu Security Notice USN-3826-1
https://notcve.org/view.php?id=CVE-2018-18849
26 Nov 2018 — In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. En Qemu 3.0.0, lsi_do_msgin en hw/scsi/lsi53c895a.c permite el acceso fuera de límites desencadenando un valor msg_len inválido. Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. It was discovered that QEMU incorrectly handled the Slirp... • http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00004.html • CWE-125: Out-of-bounds Read •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2017-5934 – Ubuntu Security Notice USN-3794-1
https://notcve.org/view.php?id=CVE-2017-5934
15 Oct 2018 — Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad Cross-Site Scripting (XSS) en el diálogo de enlaces en el editor de la interfaz gráfica de MoinMoin en versiones anteriores a la 1.9.10 permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. It was discovered that MoinMoin incorrectly handled certain i... • http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-12477 – obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories
https://notcve.org/view.php?id=CVE-2018-12477
09 Oct 2018 — A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce. Una vulnerabilidad de neutralización incorrecta de secuencias CRLF en Open Build Service permite que los atacantes remotos provoquen el borrado de directorios engañando a obs-service-refresh_patches para que ... • https://bugzilla.suse.com/show_bug.cgi?id=1108189 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.5EPSS: 83%CPEs: 26EXPL: 1CVE-2018-5740 – A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named
https://notcve.org/view.php?id=CVE-2018-5740
28 Aug 2018 — "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2. "deny-answer-aliases" es una característica poco utilizada que ... • https://github.com/sischkg/cve-2018-5740 • CWE-617: Reachable Assertion •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-14522
https://notcve.org/view.php?id=CVE-2018-14522
23 Jul 2018 — An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes. Se ha descubierto un problema en aubio 0.4.6. Puede ocurrir una señal SEGV en aubio_pitch_set_unit en pitch/pitch.c, tal y como queda demostrado con aubionotes. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00031.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2018-14523
https://notcve.org/view.php?id=CVE-2018-14523
23 Jul 2018 — An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes. Se ha descubierto un problema en aubio 0.4.6. Puede ocurrir una sobrelectura de búfer en new_aubio_pitchyinfft en pitch/pitchyinfft.c, tal y como queda demostrado con aubionotes. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00031.html • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10360 – file: out-of-bounds read via a crafted ELF file
https://notcve.org/view.php?id=CVE-2018-10360
11 Jun 2018 — The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. La función do_core_note en readelf.c en libmagic.a en file 5.33 permite a atacantes remotos provocar una denegación de servicio (lectura fuera de límites y cierre inesperado de la aplicación) utilizando un archivo ELF manipulado. Alexander Cherepanov discovered that file incorrectly handled a large number of notes. An attack... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00027.html • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2018-10380 – Debian Security Advisory 4200-1
https://notcve.org/view.php?id=CVE-2018-10380
08 May 2018 — kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack. kwallet-pam en KDE KWallet en versiones anteriores a la 5.12.6 permite que los usuarios locales obtengan la propiedad de archivos arbitrarios mediante un ataque symlink. Fabian Vogt discovered that incorrect permission handling in the PAM module of the KDE Wallet could allow an unprivileged local user to gain ownership of arbitrary files. • https://bugzilla.suse.com/show_bug.cgi?id=1090863 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 1%CPEs: 14EXPL: 0CVE-2016-9398
https://notcve.org/view.php?id=CVE-2016-9398
23 Mar 2017 — The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. La función jpc_floorlog2 en jpc_math.c en JasPer en versiones anteriores a 1.900.17 permite a atacantes remotos provocar una denegación de servicio (fallo de aserción) a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00008.html • CWE-617: Reachable Assertion •