CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13775
https://notcve.org/view.php?id=CVE-2020-13775
ZNC 1.8.0 up to 1.8.1-rc1 allows authenticated users to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network. ZNC 1.8.0 hasta 1.8.1-rc1 permite a los usuarios autentificados activar un bloqueo de la aplicación (con una desreferencia del puntero NULL) si el mensaje eco no está habilitado y no hay red. • https://github.com/znc/znc/commit/2390ad111bde16a78c98ac44572090b33c3bd2d8 https://github.com/znc/znc/commit/d229761821da38d984a9e4098ad96842490dc001 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNVBE4T2DRJRQHFRMHYBTN4OSOL6DBHR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HS3DWGXLVRROQQA57UIPMDM6XMVEMBRA • CWE-476: NULL Pointer Dereference •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 1CVE-2020-13401
https://notcve.org/view.php?id=CVE-2020-13401
An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. Se detectó un problema en Docker Engine versiones anteriores a 19.03.11. Un atacante en un contenedor, con la capacidad CAP_NET_RAW, puede diseñar anuncios de router IPv6, y en consecuencia falsificar hosts IPv6 externos, obtener información confidencial o causar una denegación de servicio. • https://github.com/arax-zaeimi/Docker-Container-CVE-2020-13401 http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00040.html http://www.openwall.com/lists/oss-security/2020/06/01/5 https://docs.docker.com/engine/release-notes https://github.com/docker/docker-ce/releases/tag/v19.03.11 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DN4JQAOXBE3XUNK3FD423LHE3K74EMJT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject. • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2020-13757 – python-rsa: decryption of ciphertext leads to DoS
https://notcve.org/view.php?id=CVE-2020-13757
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). Python-RSA versión 4.1, ignora bytes '\0' principales durante la desencriptación del texto cifrado. Esto podría tener un impacto relevante para la seguridad, por ejemplo, al ayudar a un atacante a inferir que una aplicación utiliza Python-RSA, o si la longitud del texto cifrado aceptado afecta al comportamiento de la aplicación (por ejemplo, al causar una asignación excesiva de memoria) A flaw was found in the python-rsa package, where it does not explicitly check the ciphertext length against the key size and ignores the leading 0 bytes during the decryption of the ciphertext. This flaw allows an attacker to perform a ciphertext attack, leading to a denial of service. • https://github.com/sybrenstuvel/python-rsa/issues/146 https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW https://usn.ubuntu.com/4478-1 https://access.redhat.com/security/cve/CVE-2020-13757 https://bugzilla.redhat.com/show_bug.cgi?id=1848507 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 2CVE-2020-13645
https://notcve.org/view.php?id=CVE-2020-13645
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. En GNOME glib-networking versiones hasta 2.64.2, la implementación de GTlsClientConnection omite la verificación del nombre de host del certificado TLS del servidor si la aplicación presenta un fallo al especificar la identidad esperada del servidor. Esto está en contraste con su comportamiento documentado previsto, en el fallo de la verificación del certificado. • https://gitlab.gnome.org/GNOME/balsa/-/issues/34 https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK https://security.gentoo.org/glsa/202007-50 htt • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 1CVE-2020-10936
https://notcve.org/view.php?id=CVE-2020-10936
Sympa before 6.2.56 allows privilege escalation. Sympa versiones anteriores a la versión 6.2.56, permite una escalada de privilegios. • https://github.com/sympa-community/sympa/releases https://lists.debian.org/debian-lts-announce/2020/10/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3TMQ3CORUOWARALACCBG2SBTIGZ5GY5 https://sysdream.com/news/lab https://sysdream.com/news/lab/2020-05-25-cve-2020-10936-sympa-privileges-escalation-to-root https://usn.ubuntu.com/4442- • CWE-269: Improper Privilege Management •