CVSS: 4.0EPSS: 0%CPEs: 12EXPL: 0CVE-2019-17055 – kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol
https://notcve.org/view.php?id=CVE-2019-17055
01 Oct 2019 — base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. La función base_sock_create en el archivo drivers/isdn/mISDN/socket.c en el módulo de red AF_ISDN en el kernel de Linux versiones hasta 5.3.2 no aplica CAP_NET_RAW, lo que significa que los usuarios no privilegiados pueden crear un socket en bruto, también se conoce como CID-b91ee4aa2a2... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00035.html • CWE-250: Execution with Unnecessary Privileges CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 2CVE-2019-16935 – python: XSS vulnerability in the documentation XML-RPC server in server_title field
https://notcve.org/view.php?id=CVE-2019-16935
28 Sep 2019 — The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. La documentación del servidor XML-RPC en Python versiones hasta 2.7.16, versiones 3.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4, present... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 3%CPEs: 11EXPL: 0CVE-2019-9433 – libvpx: Use-after-free in vp8_deblock() in vp8/common/postproc.c
https://notcve.org/view.php?id=CVE-2019-9433
27 Sep 2019 — In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354 En libvpx, se presenta una posible divulgación de información debido a una comprobación de entrada inapropiada. Esto podría conllevar a una divulgación de información remota sin ser necesarios privilegios de ejecución adici... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00049.html • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.1EPSS: 2%CPEs: 9EXPL: 0CVE-2019-9371 – libvpx: Resource exhaustion after memory leak in mkvparser.cc
https://notcve.org/view.php?id=CVE-2019-9371
27 Sep 2019 — In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-132783254 En libvpx, se presenta un posible agotamiento de recursos debido a una comprobación de entrada inapropiada. Esto podría conllevar a una denegación de servicio remota sin ser necesarios privilegios de ejecución adicionales. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00049.html • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 3%CPEs: 9EXPL: 0CVE-2019-9325
https://notcve.org/view.php?id=CVE-2019-9325
27 Sep 2019 — In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112001302 En libvpx, se presenta una posible lectura fuera de límites debido a una falta de comprobación de límites. Esto podría conllevar a una divulgación de información remota sin ser necesarios privilegios de ejecución adicionales. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00049.html • CWE-125: Out-of-bounds Read •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 0CVE-2019-9278 – libexif: out of bounds write in exif-data.c
https://notcve.org/view.php?id=CVE-2019-9278
27 Sep 2019 — In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774 En libexif, se presenta una posible escritura fuera de límites debido a un desbordamiento de enteros. Esto podría conllevar a una escalada de privilegios remota en el proveedor de contenido multimedi... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 4%CPEs: 11EXPL: 0CVE-2019-9232 – libvpx: Out of bounds read in vp8_norm table
https://notcve.org/view.php?id=CVE-2019-9232
27 Sep 2019 — In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122675483 En libvpx, se presenta una posible lectura fuera de límites debido a una falta de comprobación de límites. Esto podría conllevar a una divulgación de información remota sin ser necesarios privilegios de ejecución adicionales.... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00049.html • CWE-125: Out-of-bounds Read •
CVSS: 6.3EPSS: 0%CPEs: 14EXPL: 0CVE-2019-13627 – libgcrypt: ECDSA timing attack allowing private key leak
https://notcve.org/view.php?id=CVE-2019-13627
25 Sep 2019 — It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. Se detectó que había un ataque de sincronización ECDSA en la biblioteca criptográfica libgcrypt20. Versión afectada: 1.8.4-5, 1.7.6-2+deb9u3 y 1.6.3-2+deb8u4. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html • CWE-203: Observable Discrepancy CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 1CVE-2019-16884 – runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
https://notcve.org/view.php?id=CVE-2019-16884
25 Sep 2019 — runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. runc versiones hasta 1.0.0-rc8, como es usado en Docker versiones hasta 19.03.2-ce y otros productos, permite omitir la restricción de AppArmor porque el archivo libcontainer/rootfs_linux.go comprueba incorrectamente los destinos de montaje y, por lo tanto,... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html • CWE-41: Improper Resolution of Path Equivalence CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 1CVE-2019-5094 – e2fsprogs: Crafted ext4 partition leads to out-of-bounds write
https://notcve.org/view.php?id=CVE-2019-5094
24 Sep 2019 — An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. Se presenta una vulnerabilidad de ejecución de código explotable en la funcionalidad quota file de E2fsprogs versión 1.45.3. Una partición ext4 especialmente diseñada puede causar una escritura fuera de límites en la pila, resultan... • https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html • CWE-787: Out-of-bounds Write •