Page 2 of 2324 results (0.006 seconds)

CVSS: 7.8EPSS: 1%CPEs: 7EXPL: 1

05 Jul 2024 — Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long... • https://github.com/roy-aladin/InfraTest • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 8.1EPSS: 55%CPEs: 54EXPL: 101

01 Jul 2024 — A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anter... • https://packetstorm.news/files/id/179290 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

14 Jun 2024 — StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH cryptographic implementation. Las versiones de StorageGRID (anteriormente StorageGRID Webscale) anteriores a 11.7.0.9 y 11.8.0.5 son susceptibles a la divulgación de información confidencial a través de ataques MiTM complejos debido a una vulnerabilidad en la implementación criptográfica SSH. • https://security.netapp.com/advisory/ntap-20240614-0010 •

CVSS: 5.6EPSS: 0%CPEs: 26EXPL: 0

07 May 2024 — An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Se descubrió un problema en GNO... • https://gitlab.gnome.org/GNOME/glib/-/issues/3268 • CWE-290: Authentication Bypass by Spoofing CWE-940: Improper Verification of Source of a Communication Channel •

CVSS: 7.8EPSS: 0%CPEs: 16EXPL: 0

07 May 2024 — An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. Se descubrió un problema en la API TLS Java de Bouncy Castle y en el proveedor JSSE anterior a la versión 1.78. Es posible que se produzcan fugas basadas en el tiempo en los protocolos de enlace basados en RSA debido al procesamiento de excepciones. A flaw was found in the Bouncy Castle Java cryptography APIs. • https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0

17 Apr 2024 — ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials. Las versiones 9.12.1.x, 9.13.1.x y 9.14.1.x de la utilidad de administración ONTAP Select Deploy contienen credenciales codificadas que podrían permitir a un atacante ver la información de configuración de Deploy y modificar las credenciales de la cuenta. • https://security.netapp.com/advisory/ntap-20240411-0002 • CWE-259: Use of Hard-coded Password •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

17 Apr 2024 — ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x are susceptible to a vulnerability which when successfully exploited could allow a read-only user to escalate their privileges. Las versiones 9.12.1.x, 9.13.1.x y 9.14.1.x de la utilidad de administración ONTAP Select Deploy son susceptibles a una vulnerabilidad que, cuando se explota con éxito, podría permitir que un usuario de solo lectura escale sus privilegios. • https://security.netapp.com/advisory/ntap-20240411-0001 • CWE-269: Improper Privilege Management •

CVSS: 3.7EPSS: 0%CPEs: 11EXPL: 0

16 Apr 2024 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attac... • https://security.netapp.com/advisory/ntap-20240426-0004 • CWE-250: Execution with Unnecessary Privileges •

CVSS: 8.6EPSS: 0%CPEs: 30EXPL: 0

13 Apr 2024 — less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. less hasta 653 permite la ejecución de comandos del sistema operativo mediante un carácter de nueva línea en el nombre de un archivo, po... • http://www.openwall.com/lists/oss-security/2024/04/15/1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVSS: 7.8EPSS: 89%CPEs: 5EXPL: 2

04 Apr 2024 — HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Los encabezados entrantes HTTP/2 que exceden el límite se almacenan temporalmente en nghttp2 para generar una respuesta HTTP 413 informativa. Si un cliente no deja de enviar encabezados, esto provoca que se agote la memoria. A vulnerability was found in how Apache httpd implements the HTTP/2 protocol... • https://github.com/lockness-Ko/CVE-2024-27316 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •