CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-33663 – python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats
https://notcve.org/view.php?id=CVE-2024-33663
25 Apr 2024 — python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. python-jose hasta 3.3.0 tiene confusión de algoritmos con claves OpenSSH ECDSA y otros formatos de claves. Esto es similar a CVE-2022-29217. An update that fixes one vulnerability is now available. This update for python-python-jose fixes the following issues. • https://github.com/mpdavis/python-jose/issues/346 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-33664 – openSUSE Security Advisory - openSUSE-SU-2024:0149-1
https://notcve.org/view.php?id=CVE-2024-33664
25 Apr 2024 — python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. python-jose hasta la versión 3.3.0 permite a los atacantes provocar una denegación de servicio (consumo de recursos) durante una decodificación a través de un token JSON Web Encryption (JWE) manipulado con una alta relación de compresión, también conocido como una "bomba... • https://github.com/mpdavis/python-jose/issues/344 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.6EPSS: 7%CPEs: 19EXPL: 0CVE-2023-50186 – GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50186
19 Apr 2024 — GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of metadata within AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data ... • https://gstreamer.freedesktop.org/security/sa-2023-0011.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVSS: 8.4EPSS: 2%CPEs: 2EXPL: 0CVE-2024-27758 – openSUSE Security Advisory - openSUSE-SU-2024:0082-1
https://notcve.org/view.php?id=CVE-2024-27758
12 Mar 2024 — In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution. En RPyC anterior a 6.0.0, cuando un servidor expone un método que llama al atributo llamado __array__ para un netref proporcionado por el cliente (por ejemplo, np.array(client_netref)), un atacante remoto puede crear una clase que resulte en la ejecución remota de código. An updat... • https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09 • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 0%CPEs: 36EXPL: 3CVE-2024-28757 – expat: XML Entity Expansion
https://notcve.org/view.php?id=CVE-2024-28757
10 Mar 2024 — libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). libexpat hasta 2.6.1 permite un ataque de expansión de entidad XML cuando hay un uso aislado de analizadores externos (creados a través de XML_ExternalEntityParserCreate). An XML Entity Expansion flaw was found in libexpat. This flaw allows an attacker to cause a denial of service when there is an isolated use of external parsers. This update for expat fix... • https://github.com/RenukaSelvar/expat_CVE-2024-28757 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 1CVE-2021-45082 – Ubuntu Security Notice USN-6475-1
https://notcve.org/view.php?id=CVE-2021-45082
18 Feb 2022 — An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) Se ha detectado un problema en Cobbler versiones hasta 3.3.0. En el archivo templar.py, la función check_for_invalid_imports puede permitir que el código Cheetah importe módulos de Python por medio de la subcadena "#from MODULE import". • https://bugzilla.suse.com/show_bug.cgi?id=1193678 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 2CVE-2021-46141 – Debian Security Advisory 5063-1
https://notcve.org/view.php?id=CVE-2021-46141
06 Jan 2022 — An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner. Se ha detectado un problema en uriparser versiones anteriores a 0.9.6. Lleva a cabo operaciones inválidas en uriFreeUriMembers y uriMakeOwner. Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the the execution of arbitrary code. • https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 2CVE-2021-46142 – Debian Security Advisory 5063-1
https://notcve.org/view.php?id=CVE-2021-46142
06 Jan 2022 — An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. Se ha detectado un problema en uriparser versiones anteriores a 0.9.6. Lleva a cabo operaciones libres no válidas en uriNormalizeSyntax. Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the the execution of arbitrary code. • https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-25322 – python-HyperKitty: hyperkitty-permissions.sh used during %post allows local privilege escalation from hyperkitty user to root
https://notcve.org/view.php?id=CVE-2021-25322
10 Jun 2021 — A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1. Una vulnerabilidad de seguimiento de enlaces simbólicos UNIX (Symlink) en python-HyperKitty de openSUSE Leap 15.2, Factory permite a ataca... • https://bugzilla.suse.com/show_bug.cgi?id=1182373 • CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-28049 – Gentoo Linux Security Advisory 202402-02
https://notcve.org/view.php?id=CVE-2020-28049
04 Nov 2020 — An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation. Se detectó un problema en SDDM versiones anteriores a 0.19.0. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00031.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •