CVSS: 5.9EPSS: 5%CPEs: 180EXPL: 0CVE-2019-1559 – 0-byte record padding oracle
https://notcve.org/view.php?id=CVE-2019-1559
26 Feb 2019 — If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order ... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html • CWE-203: Observable Discrepancy CWE-325: Missing Cryptographic Step •
CVSS: 6.5EPSS: 3%CPEs: 8EXPL: 0CVE-2018-14652 – glusterfs: Buffer overflow in "features/locks" translator allows for denial of service
https://notcve.org/view.php?id=CVE-2018-14652
31 Oct 2018 — The Gluster file system through versions 3.12 and 4.1.4 is vulnerable to a buffer overflow in the 'features/index' translator via the code handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote authenticated attacker could exploit this on a mounted volume to cause a denial of service. El sistema de archivos Gluster hasta las versiones 3.12 y 4.1.4 es vulnerable a un desbordamiento de búfer en el traductor "features/index" mediante el código que maneja el xattr "GF_XATTR_CLRLK_CMD" e... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.5EPSS: 2%CPEs: 8EXPL: 0CVE-2018-14654 – glusterfs: "features/index" translator can create arbitrary, empty files
https://notcve.org/view.php?id=CVE-2018-14654
31 Oct 2018 — The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server. El sistema de archivos Gluster hasta la versión 4.1.4 es vulnerable al abuso del traductor "features/index". Un atacante remoto con acceso a los volúmenes de montaje podría explotar esta vulnerabilidad mediante el xaatrop "GF_XATTROP_ENTRY_IN_K... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2018-14653 – glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message
https://notcve.org/view.php?id=CVE-2018-14653
31 Oct 2018 — The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. A remote authenticated attacker could exploit this to cause a denial of service or other potential unspecified impact. El sistema de archivos Gluster hasta las versiones 3.12 y 4.1.4 es vulnerable a un desbordamiento de búfer basado en memoria dinámica (heap) en la función "__server_getspec" mediante el mensaje RPC "gf_getspec_req". Un... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 2%CPEs: 9EXPL: 0CVE-2018-14659 – glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service
https://notcve.org/view.php?id=CVE-2018-14659
31 Oct 2018 — The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr(2)' to trigger a state dump and create an arbitrary number of files in the server's runtime directory. El sistema de archivos Gluster hasta las versiones 3.12 y 4.1.4 es vulnerable a un ataque de denegación de servicio (DoS) mediante el uso del xa... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 1%CPEs: 9EXPL: 0CVE-2018-14660 – glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
https://notcve.org/view.php?id=CVE-2018-14660
31 Oct 2018 — A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node. Se ha encontrado un error en el servidor glusterfs hasta las versiones 4.1.4 y 3.1.2 que permitía el uso repetido del xattr GF_META_LOCK_KEY. Un atacante autenticado remoto podría emplear este error para... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 3%CPEs: 8EXPL: 0CVE-2018-14661 – glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service
https://notcve.org/view.php?id=CVE-2018-14661
31 Oct 2018 — It was found that usage of snprintf function in feature/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause remote denial of service. Se ha detectado que el uso de la función snprintf en el traductor feature/locks del servidor glusterfs 3.8.4, tal y como se distribuye con Red Hat Gluster Storage, era vulnerable a un ataque de cadena de formato. Un atacante remoto autentica... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-20: Improper Input Validation CWE-134: Use of Externally-Controlled Format String •
CVSS: 9.8EPSS: 0%CPEs: 30EXPL: 0CVE-2018-1000805 – python-paramiko: Authentication bypass in auth_handler.py
https://notcve.org/view.php?id=CVE-2018-1000805
08 Oct 2018 — Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. Paramiko en versiones 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 y 1.17.6 contiene una vulnerabilidad de control de acceso incorrecto en el servidor SSH que puede resultar en la ejecución remota de código. Este ataque parece ser explotable mediante conectividad de red. The python-paramiko packa... • https://access.redhat.com/errata/RHBA-2018:3497 • CWE-305: Authentication Bypass by Primary Weakness CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 4%CPEs: 12EXPL: 0CVE-2018-10911 – glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
https://notcve.org/view.php?id=CVE-2018-10911
04 Sep 2018 — A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value. Se ha detectado un error en la forma en la que la función dic_unserialize en glusterfs no gestiona los valores de longitud de clave negativos. Un atacante podría utilizar este error para leer la memoria de otras ubicaciones en el valor dict almacenado. A flaw was found in dict.c:dict_unserialize function ... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-190: Integer Overflow or Wraparound CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 1%CPEs: 10EXPL: 0CVE-2018-10926 – glusterfs: Device files can be created in arbitrary locations
https://notcve.org/view.php?id=CVE-2018-10926
04 Sep 2018 — A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node. Se ha detectado un error en las peticiones RPC que emplean gfs3_mknod_req soportadas por el servidor glusterfs. Un atacante autenticado podría emplear este error para escribir archivos en una ubicación arbitraria mediante un salto de directorio y ejecutar código arbit... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •