CVE-2016-6797 – tomcat: unrestricted access to global resources
https://notcve.org/view.php?id=CVE-2016-6797
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. La implementación ResourceLinkFactory en Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70 a 6.0.0 a 6.0.45 no limitaba el acceso de las aplicaciones web a recursos globales JNDI a aquellos relacionados explícitamente con la aplicación web. Por lo tanto, era posible que una aplicación web accediese a cualquier recurso global JNDI sin importar si se había configurado un ResourceLink explícito. It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93940 http://www.securitytracker.com/id/1037145 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/37220405a377c0182d2afdb • CWE-863: Incorrect Authorization •
CVE-2016-9446 – gstreamer-plugins-bad-free: Missing initialization of allocated heap memory leads to information leak
https://notcve.org/view.php?id=CVE-2016-9446
The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas. El decodificador vmnc en el gstreamer no inicializa el lienzo de renderizado, lo que permite a permite a atacantes remotos obtener información sensible como se demuestra mediante la miniatura de una simple película vmnc de un frame que no dibuja el lienzo de renderizado asignado. • http://www.openwall.com/lists/oss-security/2016/11/18/12 http://www.openwall.com/lists/oss-security/2016/11/18/13 http://www.securityfocus.com/bid/94423 https://access.redhat.com/errata/RHSA-2017:2060 https://bugzilla.gnome.org/show_bug.cgi?id=774533 https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM7IXFGHV66KNWGWG6ZBDNKXD2UJL2VQ http • CWE-456: Missing Initialization of a Variable CWE-665: Improper Initialization •
CVE-2017-3317 – mysql: Logging unspecified vulnerability (CPU Jan 2017)
https://notcve.org/view.php?id=CVE-2017-3317
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. • http://www.debian.org/security/2017/dsa-3767 http://www.debian.org/security/2017/dsa-3770 http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html http://www.securityfocus.com/bid/95585 http://www.securitytracker.com/id/1037640 https://access.redhat.com/errata/RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2018:0279 https://access.redhat.com/errata/RHSA& •
CVE-2017-3244 – mysql: Server: DML unspecified vulnerability (CPU Jan 2017)
https://notcve.org/view.php?id=CVE-2017-3244
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts). • http://www.debian.org/security/2017/dsa-3767 http://www.debian.org/security/2017/dsa-3770 http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html http://www.securityfocus.com/bid/95565 http://www.securitytracker.com/id/1037640 https://access.redhat.com/errata/RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2018:0279 https://access.redhat.com/errata/RHSA& •
CVE-2017-3238 – mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)
https://notcve.org/view.php?id=CVE-2017-3238
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts). • http://www.debian.org/security/2017/dsa-3767 http://www.debian.org/security/2017/dsa-3770 http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html http://www.securityfocus.com/bid/95571 http://www.securitytracker.com/id/1037640 https://access.redhat.com/errata/RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2018:0279 https://access.redhat.com/errata/RHSA& •