Page 58 of 611 results (0.017 seconds)

CVSS: 5.0EPSS: 45%CPEs: 8EXPL: 0

CVE-2014-0118 – httpd: mod_deflate denial of service

https://notcve.org/view.php?id=CVE-2014-0118

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. La función deflate_in_filter en mod_deflate.c en el módulo mod_deflate en Apache HTTP Server anterior a 2.4.10, cuando la descompresión del cuerpo de una solicitud está habilitada, permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de datos de solicitudes manipulados que descomprime a un tamaño mucho más grande. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. • http://advisories.mageia.org/MGASA-2014-0304.html http://advisories.mageia.org/MGASA-2014-0305.html http://httpd.apache.org/security/vulnerabilities_24.html http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html http://marc.info/?l=bugtraq&m=143403519711434&w=2 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://marc.info/?l=bugtraq&m=144493176821532&w=2 http://rhn.redhat.com/errata/RHSA-2014 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 9.3EPSS: 3%CPEs: 7EXPL: 1

CVE-2014-2483 – OpenJDK: Restrict use of privileged annotations (Libraries, 8034985)

https://notcve.org/view.php?id=CVE-2014-2483

Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations." Vulnerabilidad no especificada en el componente Java SE en Oracle Java SE Java SE 7u60 y OpenJDK 7 permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores relacionados con Libraries, una vulnerabilidad diferente a CVE-2014-4223. NOTA: la información anterior es de la CPU de julio de 2014. • http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/848481af9003 http://marc.info/?l=bugtraq&m=140852886808946&w=2 http://seclists.org/fulldisclosure/2014/Dec/23 http://secunia.com/advisories/60485 http://secunia.com/advisories/60812 http://security.gentoo.org/glsa/glsa-201502-12.xml http://www.debian.org/security/2014/dsa-2987 http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.securityfocus.com/archive/1/534161/100/0/threaded http:// •

CVSS: 7.5EPSS: 95%CPEs: 18EXPL: 4

CVE-2014-0226 – Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2014-0226

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Condición de carrera en el módulo mod_status en Apache HTTP Server anterior a 2.4.10 permite a atacantes remotos causar una denegación de servicio (desbordamiento de buffer basado en memoria dinámica), o posiblemente obtener información sensible de credenciales o ejecutar código arbitrario, a través de una solicitud manipulada que provoca el manejo indebido de la tabla de clasificación (scoreboard) dentro de la función status_handler en modules/generators/mod_status.c y la función lua_ap_scoreboard_worker en modules/lua/lua_request.c. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache HTTPD server. • https://www.exploit-db.com/exploits/34133 https://github.com/shreesh1/CVE-2014-0226-poc http://advisories.mageia.org/MGASA-2014-0304.html http://advisories.mageia.org/MGASA-2014-0305.html http://httpd.apache.org/security/vulnerabilities_24.html http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html http://marc.info/?l=bugtraq&m=143403519711434&w=2 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http&# • CWE-122: Heap-based Buffer Overflow CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 9.8EPSS: 17%CPEs: 8EXPL: 2

CVE-2014-4650 – Python CGIHTTPServer - Encoded Directory Traversal

https://notcve.org/view.php?id=CVE-2014-4650

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. El módulo CGIHTTPServer en Python versiones 2.7.5 y 3.3.4, no maneja apropiadamente las URL en las que la codificación de URL es usada para los separadores de ruta, lo que permite a atacantes remotos leer el código fuente del script o conducir un salto de directorio y ejecutar código no deseado por medio de una secuencia de caracteres diseñada, como es demostrado mediante un separador %2f. It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose source of scripts in the cgi-bin directory. • https://www.exploit-db.com/exploits/33894 http://bugs.python.org/issue21766 http://openwall.com/lists/oss-security/2014/06/26/3 https://access.redhat.com/security/cve/cve-2014-4650 https://access.redhat.com/security/cve/CVE-2014-4650 https://bugzilla.redhat.com/show_bug.cgi?id=1113527 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-138: Improper Neutralization of Special Elements •

CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2014-0249

https://notcve.org/view.php?id=CVE-2014-0249

The System Security Services Daemon (SSSD) 1.11.6 does not properly identify group membership when a non-POSIX group is in a group membership chain, which allows local users to bypass access restrictions via unspecified vectors. System Security Services Daemon (SSSD) 1.11.6 no identifica debidamente la pertenencia a un grupo cuando un grupo no POSIX esté en una cadena de pertenencia a grupo, lo que permite a usuarios locales evadir restricciones de acceso a través de vectores no especificados. • https://bugzilla.redhat.com/show_bug.cgi?id=1101751 https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html • CWE-264: Permissions, Privileges, and Access Controls •