CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-9108
https://notcve.org/view.php?id=CVE-2016-9108
03 Feb 2017 — Integer overflow in the js_regcomp function in regexp.c in Artifex Software, Inc. MuJS before commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e allows attackers to cause a denial of service (application crash) via a crafted regular expression. Desbordamiento de entero en la función js_regcomp en regexp.c en Artifex Software, Inc. MuJS en versiones anteriores a commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e permite a atacantes provocar una denegación de servicio (caída de la aplicación) a través de una expres... • http://www.openwall.com/lists/oss-security/2016/10/30/12 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2016-8568
https://notcve.org/view.php?id=CVE-2016-8568
03 Feb 2017 — The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file. La función git_commit_message en oid.c en libgit2 en versiones anteriores a 0.24.3 permite a atacantes remotos provocar una denegación de servicio (lectura fuera de límites) a través de un comando cat-file con un archivo de objeto manipulado. • http://lists.opensuse.org/opensuse-updates/2016-12/msg00075.html • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 1%CPEs: 2EXPL: 1CVE-2017-5330 – Gentoo Linux Security Advisory 201701-69
https://notcve.org/view.php?id=CVE-2017-5330
30 Jan 2017 — ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications. ark en versiones anteriores a 16.12.1 podrían permitir a atacantes remotos ejecutar código arbitrario a través de un ejecutable en un archivo, relacionado con las aplicaciones asociadas. A vulnerability in Ark might allow remote attackers to execute arbitrary code. Versions less than 16.08.3-r1 are affected. • http://www.openwall.com/lists/oss-security/2017/01/10/2 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2016-9085 – Gentoo Linux Security Advisory 201701-61
https://notcve.org/view.php?id=CVE-2016-9085
24 Jan 2017 — Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors. Múltiples desbordamientos de entero en libwebp permiten a atacantes tener un impacto no especificado a través de vectores desconocidos. Multiple vulnerabilities have been discovered in WebP, the worst of which could allow a remote attacker to cause a Denial of Service condition. Versions less than 0.5.2 are affected. • http://www.openwall.com/lists/oss-security/2016/10/27/3 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2016-10027
https://notcve.org/view.php?id=CVE-2016-10027
12 Jan 2017 — Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response. Condición de carrera en la librería XMPP en Smack en versiones anteriores a 4.1.9, cuando se ha establecido la configuración TLS SecurityMode.required, permite a atacantes man-in-the-middle eludir las protecciones TLS y d... • http://www.openwall.com/lists/oss-security/2016/12/22/12 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 89%CPEs: 3EXPL: 3CVE-2016-9299 – Jenkins CLI - HTTP Java Deserialization
https://notcve.org/view.php?id=CVE-2016-9299
12 Jan 2017 — The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. El módulo remoting en Jenkins en versiones anteriores a 2.32 y LTS en versiones anteriores a 2.19.3 permite a atacantes remotos ejecutar código arbitrario a través de un objeto Java serializado, lo que desencadena una consulta LDAP a un servidor de terceros. • https://packetstorm.news/files/id/147665 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-8605
https://notcve.org/view.php?id=CVE-2016-8605
12 Jan 2017 — The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected. • http://www.openwall.com/lists/oss-security/2016/10/12/1 • CWE-275: Permission Issues •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2016-8606
https://notcve.org/view.php?id=CVE-2016-8606
12 Jan 2017 — The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack. El servidor REPL (--listen) en GNU Guile 2.0.12 permite a un atacante ejecutar código arbitrario a través de un ataque interprotocolo HTTP. • http://www.openwall.com/lists/oss-security/2016/10/12/2 • CWE-284: Improper Access Control •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2016-7543 – bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution
https://notcve.org/view.php?id=CVE-2016-7543
02 Jan 2017 — Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. Bash en versiones anteriores a 4.4 permite a usuarios locales ejecutar comandos arbitrarios con privilegios root a través de variables de entorno SHELLOPTS y PS4 manipuladas. An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written set... • http://rhn.redhat.com/errata/RHSA-2017-0725.html • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2016-9243 – Ubuntu Security Notice USN-3138-1
https://notcve.org/view.php?id=CVE-2016-9243
28 Nov 2016 — HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size. HKDF en criptografía en versiones anteriores a 1.5.2 devuelve una cadena de bytes vacía si se utiliza con una longitud inferior que algorithm.digest_size. Markus Doering discovered that python-cryptography incorrectly handled certain HKDF lengths. This could result in python-cryptography returning an empty string instead of the expected derived key. • http://www.openwall.com/lists/oss-security/2016/11/09/2 • CWE-20: Improper Input Validation •