CVE-2020-14312
https://notcve.org/view.php?id=CVE-2020-14312
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. Se encontró un fallo en la configuración predeterminada de dnsmasq, como es enviado con Fedora versiones anteriores a 31 y en todas las versiones de Red Hat Enterprise Linux, donde escucha en cualquier interfaz y acepta consultas de direcciones fuera de su subred local. • https://bugzilla.redhat.com/show_bug.cgi?id=1851342 • CWE-284: Improper Access Control •
CVE-2020-14779 – OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862)
https://notcve.org/view.php?id=CVE-2020-14779
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6CJCO52DHIQJHLPF6HMTC5Z2VKFRQMY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKRGVMZT3EUUWKUA6DBT56FT3UOKPHQ2 https://lists.fedoraproject.or • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2020-15803
https://notcve.org/view.php?id=CVE-2020-15803
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. Zabbix versiones anteriores a 3.0.32rc1, versiones 4.x anteriores a 4.0.22rc1, versiones 4.1.x hasta 4.4.x anteriores a 4.4.10rc1 y versiones 5.x anteriores a 5.0.2rc1, permite un ataque de tipo XSS almacenado en el widget URL • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-10753 – ceph: radosgw: HTTP header injection via CORS ExposeHeader tag
https://notcve.org/view.php?id=CVE-2020-10753
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue. Se encontró un fallo en el Red Hat Ceph Storage RadosGW (Ceph Object Gateway). • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00062.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10753 https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFU7LXEL2UZE565FJBTY7UGH2O7ZUBVS https://security.gentoo.org/glsa/202105-39 https://usn.ubuntu.com/4528-1 https://access.redhat.com/securi • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2020-6456 – chromium-browser: Insufficient validation of untrusted input in clipboard
https://notcve.org/view.php?id=CVE-2020-6456
Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents. Una comprobación entrada insuficiente no confiable en clipboard en Google Chrome versiones anteriores a 81.0.4044.92, permitió a un atacante local omitir el aislamiento del sitio por medio de contenidos del portapapeles diseñados. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00031.html https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html https://crbug.com/1040755 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XWIVVYIQU67QR2LHNGGZBS4FZOW2RQO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFVP775RPRDVY5FUCN7ABH5AE74TQFDD https://lists.fedor • CWE-276: Incorrect Default Permissions •