CVSS: 7.5EPSS: 4%CPEs: 13EXPL: 0CVE-2018-12023 – jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
https://notcve.org/view.php?id=CVE-2018-12023
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Default Typing" está habilitado (globalmente... • http://www.securityfocus.com/bid/105659 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.2EPSS: 0%CPEs: 5EXPL: 1CVE-2018-19872 – qt: Malformed PPM image causing division by zero and crash in qppmhandler.cpp
https://notcve.org/view.php?id=CVE-2018-19872
15 Mar 2019 — An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. Se ha descubierto un problema en Qt 5.11. Una imagen PPM mal formada provoca una división entre cero y un cierre inesperado en qppmhandler.cpp. It was discovered that Qt incorrectly handled certain PPM images. • http://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates • CWE-369: Divide By Zero •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2019-3833 – openwsman: Infinite loop in process_connection() allows denial of service
https://notcve.org/view.php?id=CVE-2019-3833
14 Mar 2019 — Openwsman, versions up to and including 2.6.9, are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious HTTP request to cause denial of service to openwsman server. Openwsman, en versiones hasta e incluyendo la 2.6.9, es vulnerable a un bucle infinito en process_connection() al analizar peticiones HTTP especialmente manipuladas. Un atacante remoto no autenticado podría explotar... • http://bugzilla.suse.com/show_bug.cgi?id=1122623 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 1%CPEs: 20EXPL: 0CVE-2019-3816 – openwsman: Disclosure of arbitrary files outside of the registered URIs
https://notcve.org/view.php?id=CVE-2019-3816
14 Mar 2019 — Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server. Openwsman, en versiones hasta e incluyendo la 2.6.9, es vulnerable a una divulgación de archivos arbitrarios debido a que el directorio de trabajo del demonio openwsmand se establecía en el directorio root. Un at... • http://bugzilla.suse.com/show_bug.cgi?id=1122623 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 1%CPEs: 6EXPL: 1CVE-2019-9741 – golang: CRLF injection in net/http
https://notcve.org/view.php?id=CVE-2019-9741
13 Mar 2019 — An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. Se ha descubierto un problema en net/http en Go 1.11.5. Es posible la inyección CRLF si el atacante controla un parámetro de url, tal y como queda demostrado por el segundo argumento en http.NewRequest con \r\n, seguido por una cabecera HTTP o un comando Redis. The go-toolset:r... • http://www.securityfocus.com/bid/107432 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9704 – Ubuntu Security Notice USN-5259-2
https://notcve.org/view.php?id=CVE-2019-9704
12 Mar 2019 — Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked. Vixie Cron, en versiones anteriores a la 3.0pl1-133 en el paquete Debian, permite a los usuarios locales provocar una denegación de servicio (cierre de demonio) mediante un archivo crontab largo debido a que el valor de retorno no se comprueba. USN-5259-1 and USN-5259-2 fixed vulnerabilities in Cron. Unfortunately that update ... • http://www.securityfocus.com/bid/107373 • CWE-252: Unchecked Return Value CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-9705 – Ubuntu Security Notice USN-5259-2
https://notcve.org/view.php?id=CVE-2019-9705
12 Mar 2019 — Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted. Vixie Cron, en versiones anteriores a la 3.0pl1-133 en el paquete Debian, permite a los usuarios locales provocar una denegación de servicio (consumo de memoria) debido a un número de líneas ilimitado. USN-5259-1 and USN-5259-2 fixed vulnerabilities in Cron. Unfortunately that update was incomplete and could introduce ... • http://www.securityfocus.com/bid/107378 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-9687
https://notcve.org/view.php?id=CVE-2019-9687
11 Mar 2019 — PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. PoDoFo, en su versión 0.9.6, tiene un desbordamiento de búfer basado en memoria dinámica (heap) en PdfString::ConvertUTF16toUTF8 en base/PdfString.cpp. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIC2EXSSMBT3MY2HY42IIY4BUQS2SVYB • CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 3%CPEs: 4EXPL: 0CVE-2019-9658
https://notcve.org/view.php?id=CVE-2019-9658
11 Mar 2019 — Checkstyle before 8.18 loads external DTDs by default. Checkstyle, en versiones anteriores a la 8.18, carga DTD externas por defecto. • https://checkstyle.org/releasenotes.html#Release_8.18 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 1%CPEs: 41EXPL: 0CVE-2019-9636 – python: Information Disclosure due to urlsplit improper NFKC normalization
https://notcve.org/view.php?id=CVE-2019-9636
08 Mar 2019 — Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed c... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html • CWE-172: Encoding Error •