CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-5164
https://notcve.org/view.php?id=CVE-2019-5164
An exploitable code execution vulnerability exists in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted network packets sent to ss-manager can cause an arbitrary binary to run, resulting in code execution and privilege escalation. An attacker can send network packets to trigger this vulnerability. Hay una vulnerabilidad de ejecución de código explotable en el binario ss-manager de Shadowsocks-libev versión 3.3.2. Unos paquetes de red especialmente diseñados enviados a ss-manager pueden causar que un binario arbitrario se ejecute, resultando en la ejecución de código y la escalada de privilegios. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00061.html https://talosintelligence.com/vulnerability_reports/TALOS-2019-0958 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-5163
https://notcve.org/view.php?id=CVE-2019-5163
An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability. Hay una vulnerabilidad de denegación de servicio explotable en la funcionalidad UDPRelay de Shadowsocks-libev versión 3.3.2. Cuando se utiliza un Cifrado de Flujo y un local_address, unos paquetes UDP arbitrarios pueden causar una ruta de código de error FATAL y salir. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00061.html https://talosintelligence.com/vulnerability_reports/TALOS-2019-0956 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2019-13723 – chromium-browser: use-after-free in bluetooth
https://notcve.org/view.php?id=CVE-2019-13723
Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. Un uso de la memoria previamente liberada en WebBluetooth en Google Chrome versiones anteriores a 78.0.3904.108, permitió a un atacante remoto, que había comprometido el proceso del renderizador, explotar potencialmente una corrupción de la pila por medio de una página HTML diseñada. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00035.html https://access.redhat.com/errata/RHSA-2019:3955 https://chromereleases.googleblog.com/2019/11/stable-channel-update-for-desktop_18.html https://crbug.com/1024121 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54XWRJ5LDFL27QXBPIBX3EHO4TPMKN4R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USW7PGIHNPE6W3LGY6ZDFLELQGSL52CH https://security.gentoo.org/glsa/202003- • CWE-416: Use After Free CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2019-18622
https://notcve.org/view.php?id=CVE-2019-18622
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. Se detectó un problema en phpMyAdmin versiones anteriores a 4.9.2. Se puede utilizar un nombre de base de datos/tabla diseñado para desencadenar un ataque de inyección SQL por medio de la funcionalidad designer. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BA4DGF7KTQS6WA2DRNJSW66L43WB7LRV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5GW4KEMNCBQYZCIXEJYC42OEBBN2NSH https://security.gentoo.org/glsa/202003-39 https://www.phpmyadmin.net/security/PMASA-2019-5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 1CVE-2019-14864 – Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
https://notcve.org/view.php?id=CVE-2019-14864
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. Ansible, versiones 2.9.x anteriores a la versión 2.9.1, versiones 2.8.x anteriores a la versión 2.8.7 y Ansible versiones 2.7.x anteriores a la versión 2.7.15, no respeta el flag no_log, configurado en True cuando los plugins de devolución de llamada Sumologic y Splunk son usados para enviar eventos de resultados de tareas para coleccionistas. Esto revelaría y recolectaría cualquier información confidencial. A data disclosure flaw was found in Ansible when using the Splunk and Sumologic modules, as they are not respecting when the flag no_log is enabled. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864 https://github.com/ansible/ansible/issues/63522 https://github.com/ansible/ansible/pull/63527 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2019-14864 https://bugzilla.redhat.com/show_bug.cgi?id=1764148 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •