Page 59 of 1963 results (0.017 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound. Una corrección incompleta fue entregada para CVE-2020-12662 para Unbound en Red Hat Enterprise Linux versión 7, como parte de la errata de RHSA-2020: 2414. Las versiones vulnerables de Unbound aún podrían amplificar una consulta entrante en una gran cantidad de consultas dirigidas a un objetivo, inclusive con un índice de amplificación más bajo en comparación con las versiones de Unbound que se enviaron antes de la errata mencionada. • https://bugzilla.redhat.com/show_bug.cgi?id=1846026 https://access.redhat.com/security/cve/CVE-2020-10772 • CWE-400: Uncontrolled Resource Consumption CWE-406: Insufficient Control of Network Message Volume (Network Amplification) •

CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 2

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity. Se encontró un fallo de omisión de la firma PGP en fwupd (todas las versiones), que podría conllevar a la instalación de firmware sin firmar. Según aguas arriba, teóricamente es posible omitir la firma, pero no es práctico porque el Linux Vendor Firmware Service (LVFS) no está implementado o habilitado en las versiones de fwupd enviadas con Red Hat Enterprise Linux versiones 7 y 8. • https://github.com/justinsteven/CVE-2020-10759-poc https://bugzilla.redhat.com/show_bug.cgi?id=1844316 https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md https://access.redhat.com/security/cve/CVE-2020-10759 • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 1

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system. Se encontró un fallo en el kernel de Linux en las versiones posteriores a 4.5-rc1, en la manera en que mremap manejó DAX Huge Pages. Este fallo permite a un atacante local con acceso a un almacenamiento habilitado para DAX escalar sus privilegios en el sistema A flaw was found in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html https://bugzilla.redhat.com/show_bug.cgi?id=1842525 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5bfea2d9b17f1034a68147a8b03b9789af5700f9 https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IEM47BXZJLODRH5YNNZSAQ2NVM63MYMC https://security.netapp.com/advisory/ntap-20200702-0004 https://usn.ubuntu.com& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 1

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container. Se detectó una vulnerabilidad en todas las versiones de containernetworking/plugins versiones anteriores a 0.8.6, que permite a contenedores maliciosos en los grupos de Kubernetes llevar a cabo ataques de tipo man-in-the-middle (MitM). Un contenedor malicioso puede explotar este fallo mediante el envío de anuncios de enrutadores IPv6 falsos al host u otros contenedores, para redireccionar el tráfico al contenedor malicioso. A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. • https://github.com/knqyf263/CVE-2020-10749 http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00063.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00065.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10749 https://groups.google.com/forum/#%21topic/kubernetes-security-announce/BMb_6ICCfp8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DV3HCDZYUTPPVDUMTZXDKK6IUO3JMGJC https://access.redhat.com/security/cve/CVE-2020- • CWE-300: Channel Accessible by Non-Endpoint •

CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. Se encontró un fallo de tipo cross-site scripting (XSS) en RESTEasy en versiones anteriores a 3.11.1.Final y anteriores a 4.5.3.Final, donde no manejaba apropiadamente la codificación de URL cuando ocurre la excepción RESTEASY003870. Un atacante podría usar este fallo para lanzar un ataque XSS reflejado A cross-site scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1814974 https://github.com/quarkusio/quarkus/issues/7248 https://issues.redhat.com/browse/RESTEASY-2519 https://security.netapp.com/advisory/ntap-20210706-0008 https://access.redhat.com/security/cve/CVE-2020-10688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •