CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 1CVE-2021-35197
https://notcve.org/view.php?id=CVE-2021-35197
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented). En MediaWiki versiones anteriores a 1.31.15, versiones 1.32.x hasta 1.35.x, versiones anteriores a 1.35.3, y versiones 1.36.x anteriores a 1.36.1, unos bots presentan determinados accesos a la API no deseados. Cuando una cuenta de bot presenta un "sitewide block" aplicado, es capaz de "purge" páginas mediante la API de acción de MediaWiki (lo que un "bloqueo del sitio" debería haber impedido) • https://lists.debian.org/debian-lts-announce/2021/10/msg00003.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6AP • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3630
https://notcve.org/view.php?id=CVE-2021-3630
An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may lead to crash and segmentation fault. This flaw affects DjVuLibre versions prior to 3.5.28. Se ha encontrado una vulnerabilidad de escritura fuera de los límites en DjVuLibre en la función DJVU::DjVuTXT::decode() en el archivo DjVuText.cpp por medio de un archivo djvu diseñado que puede conllevar a un fallo de bloqueo y segmentación. Este fallo afecta a las versiones de DjVuLibre versiones anteriores a 3.5.28 • https://bugzilla.redhat.com/show_bug.cgi?id=1977427 https://lists.debian.org/debian-lts-announce/2021/07/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MRXCW4BUGAJLGF6IWQWUZ2YBICMZCPK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIZIAJWGKI26DKDOGJS7J7CIQGHHMIHG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3B4QZCICPZRDXA2HOIACSQNZB2VEHSM https://lists.fedoraproject.org/archives/list/pa • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-33503 – python-urllib3: ReDoS in the parsing of authority part of URL
https://notcve.org/view.php?id=CVE-2021-33503
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Se ha detectado un problema en urllib3 versiones anteriores a 1.26.5. Cuando se proporciona una URL que contiene muchos caracteres @ en el componente authority, la expresión regular de autoridad muestra un retroceso catastrófico, causando una denegación de servicio si fue pasado una URL como parámetro o es redirigido a ella por medio de un redireccionamiento HTTP A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority's regular expression exhibits catastrophic backtracking. • https://github.com/advisories/GHSA-q2q7-5pp4-w6pg https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73 https://security.gentoo.org/glsa/202107-36 https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-33503 ht • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-28200
https://notcve.org/view.php?id=CVE-2020-28200
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. El motor Sieve en Dovecot versiones anteriores a 2.3.15, permite un Consumo No controlado de Recursos, como es demostrado por una situación con una expresión regular compleja para la extensión regex • https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN https://www.openwall.com/lists/oss-security/2021/06/28/3 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-32708 – Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem
https://notcve.org/view.php?id=CVE-2021-32708
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. • https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74 https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32 https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ https://packagist.org/packages/league/flysystem • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •