CVSS: 5.3EPSS: 0%CPEs: 57EXPL: 1CVE-2019-7317 – libpng: use-after-free in png_image_free in png.c
https://notcve.org/view.php?id=CVE-2019-7317
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. La función png_image_free en el archivo png.c en libpng versiones 1.6.x anteriores a 1.6.37, presenta un uso de la memoria previamente liberada porque la función png_image_free_function es llamada bajo png_safe_execute. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html http://www.securityfocus.com/bid/108098 https:/ • CWE-400: Uncontrolled Resource Consumption CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 2CVE-2019-6690 – Python GnuPG 0.4.3 Improper Input Validation
https://notcve.org/view.php?id=CVE-2019-6690
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component. python-gnupg 0.4.3 permite que los atacantes dependientes del contexto engañen a gnupg para descifrar texto cifrado diferente al planeado. Para realizar el ataque, la frase de contraseña para gnupg debe estar controlada por el adversario y el texto cifrado debería ser fiable. Relacionado con un problema CWE-20: validación de entradas incorrecta que afecta al componente de la funcionalidad afectada. • https://github.com/brianwrf/CVE-2019-6690 https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html http://www.securityfocus.com/bid/106756 https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability https://lists.debian.org/debian-lts-announ • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 10EXPL: 0CVE-2017-16232
https://notcve.org/view.php?id=CVE-2017-16232
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue ** EN DISPUTA ** LibTIFF 4.0.8 tiene múltiples vulnerabilidades de fuga de memoria, lo que permite que los atacantes provoquen una denegación de servicio (consumo de memoria), tal y como queda demostrado con tif_open.c, tif_lzw.c y tif_aux.c. NOTA: los terceros eran incapaces de reproducir el problema. • http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html http://seclists.org/fulldisclosure/2018/Dec/32 http://seclists.org/fulldisclosure/2018/Dec/47 http://www.openwall.com/lists/oss-security/2017/11/01/11 http://www.openwall.com/lists/oss-security/2017/11/01/3 http://www.openwall.com/lists/oss-security/2017& • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 5.3EPSS: 0%CPEs: 17EXPL: 0CVE-2018-16876 – ansible: Information disclosure in vvv+ mode with no_log on
https://notcve.org/view.php?id=CVE-2018-16876
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. ansible en versiones anteriores a las 2.5.14, 2.6.11 y 2.7.5 es vulnerable a un fallo de divulgación de información en el modo vvv+ con "no_log" habilitado, el cual podría provocar el filtrado de datos sensibles. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/106225 https://access.redhat.com/errata/RHSA-2018:3835 https://access.redhat.com/errata/RHSA-2018:3836 https://access.redhat.com/errata/RHSA-2018:3837 https://access.redhat.com/errata/RHSA-2018:3838 https://access.redhat.com/errata& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 21%CPEs: 8EXPL: 0CVE-2018-16873
https://notcve.org/view.php?id=CVE-2018-16873
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html http://www.securityfocus.com/bid/106226 https://bugzilla&# • CWE-20: Improper Input Validation •