Page 5 of 44 results (0.023 seconds)

CVSS: 9.8EPSS: 1%CPEs: 62EXPL: 0

CVE-2016-9841 – zlib: Out-of-bounds pointer arithmetic in inffast.c

https://notcve.org/view.php?id=CVE-2016-9841

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. inffast.c en zlib 1.2.8 puede permitir que atacantes dependientes del contexto causen un impacto no especificado aprovechando una aritmética de puntero incorrecta.. • http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html http://www.openwall.com/lists/oss-security/2016/12/05/21 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus •

CVSS: 8.8EPSS: 0%CPEs: 36EXPL: 0

CVE-2016-9842 – zlib: Undefined left shift of negative number

https://notcve.org/view.php?id=CVE-2016-9842

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. La función inflateMark en inflate.c en zlib 1.2.8 podría permitir que los atacantes dependientes del contexto tener un impacto no especificado a través de vectores que implican cambios a la izquierda de enteros negativos. • http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html http://www.openwall.com/lists/oss-security/2016/12/05/21 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/95131 http://www.securitytracker.com/id/1039427 https:/&# •

CVSS: 5.9EPSS: 0%CPEs: 7EXPL: 0

CVE-2016-7055 – openssl: Carry propagating bug in Montgomery multiplication

https://notcve.org/view.php?id=CVE-2016-7055

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/94242 http://www.securitytracker.com/id/1037261 https://access.redhat.com/errata/RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2187 https://h20566.www2.hpe.com/hpsc/doc/public • CWE-682: Incorrect Calculation •

CVSS: 6.1EPSS: 0%CPEs: 98EXPL: 0

CVE-2016-5325 – nodejs: reason argument in ServerResponse#writeHead() not properly validated

https://notcve.org/view.php?id=CVE-2016-5325

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument. Vulnerabilidad de inyección CRLF en la función ServerResponse#writeHead en Node.js 0.10.x en versiones anteriores a 0.10.47, 0.12.x en versiones anteriores a 0.12.16, 4.x en versiones anteriores a 4.6.0 y 6.x en versiones anteriores a 6.7.0 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de separación de respuesta HTTP a través del argumento de la razón. It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. • http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html http://rhn.redhat.com/errata/RHSA-2017-0002.html http://www.securityfocus.com/bid/93483 https://access.redhat.com/errata/RHSA-2016:2101 https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762 https://nodejs.org/en/blog/vulnerability/september-2016-security-releases https://security.gentoo.org/glsa/201612-43 https://access.redhat.com/security/cve/CVE-2016-5325 https://bugzilla.redhat.com/show_bug • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 7.4EPSS: 0%CPEs: 98EXPL: 0

CVE-2016-7099 – nodejs: wildcard certificates not properly validated

https://notcve.org/view.php?id=CVE-2016-7099

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. La función tls.checkServerIdentity en Node.js 0.10.x en versiones anteriores a 0.10.47, 0.12.x en versiones anteriores a 0.12.16, 4.x en versiones anteriores a 4.6.0 y 6.x en versiones anteriores a 6.7.0 no maneja adecuadamente comodines en los campos de nombres de certificados X.509, lo que permite a atacantes man-in-the-middle suplantar servidores a través de un certificado manipulado. • http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html http://rhn.redhat.com/errata/RHSA-2017-0002.html http://www.securityfocus.com/bid/93191 https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b https://nodejs.org/en/blog/vulnerability/september-2016-security-releases https://access.redhat.com/security/cve/CVE-2016-7099 https://bugzilla.redhat.com/show_bug.cgi?id=1379921 • CWE-19: Data Processing Errors •