CVSS: 8.1EPSS: 0%CPEs: 39EXPL: 1CVE-2020-35491 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource
https://notcve.org/view.php?id=CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.commons.dbcp2.datasources.SharedPoolDataSource A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 https://github.com/FasterXML/jackson-databind/issues/2986 https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html https://security.netapp.com/advisory/ntap-20210122-0005 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022&# • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 5.7EPSS: 0%CPEs: 11EXPL: 0CVE-2020-27825
https://notcve.org/view.php?id=CVE-2020-27825
A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat. Se encontró un fallo de uso de la memoria previamente liberada en el archivo kernel/trace/ring_buffer.c en el kernel de Linux (anteriores a la versión 5.10-rc1). Se presentó un problema de carrera en trace_open y el cambio de tamaño del búfer de la CPU ejecutándose paralelamente en diferentes CPUs, puede causar un problema de Denegación de Servicio (DOS). • https://bugzilla.redhat.com/show_bug.cgi?id=1905155 https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://security.netapp.com/advisory/ntap-20210521-0008 https://www.debian.org/security/2021/dsa-4843 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-27818
https://notcve.org/view.php?id=CVE-2020-27818
A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability. Se encontró un fallo en la función check_chunk_name() de pngcheck-2.4.0. Un atacante capaz de pasar un archivo malicioso para ser procesado por pngcheck podría causar una denegación temporal de servicio, lo que supone un bajo riesgo para la disponibilidad de la aplicación. • https://bodhi.fedoraproject.org/updates/FEDORA-2020-04d5e1ce26 https://bodhi.fedoraproject.org/updates/FEDORA-2020-23432b7b72 https://bodhi.fedoraproject.org/updates/FEDORA-2020-27b168926a https://bodhi.fedoraproject.org/updates/FEDORA-2020-4349e95c4f https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-339db397ad https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-6c93c61069 https://bugzilla.redhat.com/show_bug.cgi?id=1902011 https://lists.debian.org/debian-lts-announce/2022/05/msg00043.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-27773
https://notcve.org/view.php?id=CVE-2020-27773
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. Se encontró un fallo en ImageMagick en el archivo MagickCore/gem-private.h. • https://bugzilla.redhat.com/show_bug.cgi?id=1898295 https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html • CWE-369: Divide By Zero •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-27775
https://notcve.org/view.php?id=CVE-2020-27775
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. Se encontró un fallo en ImageMagick en el archivo MagickCore/quantum.h. • https://bugzilla.redhat.com/show_bug.cgi?id=1898300 https://lists.debian.org/debian-lts-announce/2021/03/msg00030.html https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html • CWE-190: Integer Overflow or Wraparound •