CVSS: 5.5EPSS: 0%CPEs: 14EXPL: 0CVE-2020-8992 – Ubuntu Security Notice USN-4419-1
https://notcve.org/view.php?id=CVE-2020-8992
14 Feb 2020 — ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size. La función ext4_protect_reserved_inode en el archivo fs/ext4/block_validity.c en el kernel de Linux versiones hasta 5.5.3, permite a atacantes causar una denegación de servicio (soft lockup) por medio de un journal size diseñado. It was discovered that a race condition existed in the Precision Time Protocol implementation in the Lin... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html • CWE-400: Uncontrolled Resource Consumption CWE-834: Excessive Iteration •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-0561
https://notcve.org/view.php?id=CVE-2020-0561
13 Feb 2020 — Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may allow an authenticated user to potentially enable escalation of privilege via local access. Una inicialización inapropiada en el SDK Intel® SGX versiones anteriores a v2.6.100.1, puede habilitar a un usuario autenticado para permitir potencialmente una escalada de privilegios por medio de un acceso local. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00009.html • CWE-665: Improper Initialization •
CVSS: 9.8EPSS: 10%CPEs: 9EXPL: 0CVE-2020-8955 – Gentoo Linux Security Advisory 202003-51
https://notcve.org/view.php?id=CVE-2020-8955
12 Feb 2020 — irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode). La función irc_mode_channel_update en el archivo plugins/irc/irc-mode.c en WeeChat versiones hasta 2.7, permite a atacantes remotos causar una denegación de servicio (desbordamiento del búfer y bloqueo de aplicación) o posiblemente tener otro impacto no es... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00032.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.0EPSS: 0%CPEs: 17EXPL: 0CVE-2019-19921 – runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation
https://notcve.org/view.php?id=CVE-2019-19921
12 Feb 2020 — runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.) runc versiones hasta 1.0.0-rc9, posee un Control de Acceso Incorrecto conllevando a una escalada de privilegios, relacionado con el... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html • CWE-41: Improper Resolution of Path Equivalence CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 7.5EPSS: 4%CPEs: 10EXPL: 0CVE-2018-14553 – gd: NULL pointer dereference in gdImageClone
https://notcve.org/view.php?id=CVE-2018-14553
11 Feb 2020 — gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled). La función gdImageClone en el archivo gd.c en libgd versiones 2.1.0-rc2 hasta 2.2.5, presenta una desreferencia del puntero NULL que permite a atacantes bloquear una aplicación por medio de una secuencia de llamada de función específica. It was discovered that GD Graphics Libra... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 5%CPEs: 7EXPL: 1CVE-2020-7060 – global buffer-overflow in mbfl_filt_conv_big5_wchar
https://notcve.org/view.php?id=CVE-2020-7060
10 Feb 2020 — When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. Cuando se usan determinadas funciones de mbstring para convertir codificaciones multibyte, en PHP versiones 7.2.x por debajo de 7.2.27, versiones 7.3.x por debajo de 7.3.14 y versiones 7.4.x por deba... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 9.1EPSS: 1%CPEs: 7EXPL: 1CVE-2020-7059 – OOB read in php_strip_tags_ex
https://notcve.org/view.php?id=CVE-2020-7059
10 Feb 2020 — When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash. Cuando se usa la función fgetss() para leer datos con etiquetas de eliminación, en PHP versiones 7.2.x por debajo de 7.2.27, versiones 7.3.x por debajo de 7.3.14 y versiones 7.4.x por debajo de 7.4.2, es posible suministrar dat... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 9.8EPSS: 2%CPEs: 10EXPL: 1CVE-2019-15606 – nodejs: HTTP header values do not have trailing optional whitespace trimmed
https://notcve.org/view.php?id=CVE-2019-15606
07 Feb 2020 — Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons Una inclusión de espacios en blanco finales en los valores de encabezado HTTP en Nodejs versiones 10, 12 y 13, causa una omisión de autorización según las comparaciones de valores de encabezado. A flaw was found in Node.js where the HTTP(s) header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTP(s) request which is valida... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 7.5EPSS: 4%CPEs: 20EXPL: 1CVE-2019-15604 – nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
https://notcve.org/view.php?id=CVE-2019-15604
07 Feb 2020 — Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate Una Comprobación Inapropiada del Certificado en Node.js versiones 10, 12 y 13, causa que el proceso se aborte cuando se envía un certificado X.509 diseñado. An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication. Rogier Scho... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html • CWE-172: Encoding Error CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 33%CPEs: 26EXPL: 1CVE-2019-15605 – nodejs: HTTP request smuggling using malformed Transfer-Encoding header
https://notcve.org/view.php?id=CVE-2019-15605
07 Feb 2020 — HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed El tráfico no autorizado de peticiones HTTP en Node.js versiones 10, 12 y 13, causa la entrega maliciosa de la carga útil cuando la codificación de transferencia es malformada. A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use thi... • https://github.com/jlcarruda/node-poc-http-smuggling • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •