Page 7 of 35 results (0.040 seconds)

CVSS: 7.5EPSS: 93%CPEs: 32EXPL: 0

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. crypto/rsa/rsa_ameth.c en OpenSSL 1.0.1 en versiones anteriores a 1.0.1q y 1.0.2 en versiones anteriores a 1.0.2e permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL y caída de aplicación) a través de una firma RSA PSS ASN.1 que carece de un parámetro de función de generación de máscara. A NULL pointer dereference flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacker could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication. • http://fortiguard.com/advisory/openssl-advisory-december-2015 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00053.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html http://lists.opensus • CWE-476: NULL Pointer Dereference •

CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence. La función de Utf8DecoderBase::WriteUtf16Slow en unicode.decoder.cc en Google V8, al igual que como se usa en Node.js anterior a 0.12.6, io.js anterior a 1.8.3 y 2.x antes de 2.3.3 y otros productos, no verifica que haya memoria disponible para un par surrogado UTF-16, lo que permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria) o la posibilidad de causar otro impacto a través de una secuencia de bytes manipulada. • http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable http://www.securityfocus.com/bid/75556 https://codereview.chromium.org/1226493003 https://github.com/joyent/node/issues/25583 https://medium.com/%40iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0

libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors. libuv anterior a 0.10.34 no cancela correctamente los privilegios de grupo, lo que permite a atacantes dependientes de contexto ganar privilegios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2015-0186.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:228 https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c https://github.com/libuv/libuv/pull/215 https://groups.google.com/forum/#%21msg/libuv/0JZxwLMtsMI/jraczskYWWQJ https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html https://security.gentoo.org/glsa/201611-10 • CWE-273: Improper Check for Dropped Privileges •

CVSS: 10.0EPSS: 25%CPEs: 1EXPL: 2

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file. Vulnerabilidad de inyección Eval en index.js en el paquete de errores de sintaxis anterior a 1.1.1 para Node.js 0.10.x, utilizado en IBM Rational Application Developer y otros productos, permite a atacantes remotos ejecutar código arbitrario a través de un fichero manipulado. • https://www.exploit-db.com/exploits/34090 http://www-01.ibm.com/support/docview.wss?uid=swg21690815 https://exchange.xforce.ibmcloud.com/vulnerabilities/96728 https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309 https://nodesecurity.io/advisories/syntax-error-potential-script-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 1%CPEs: 145EXPL: 0

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. Múltiples vulnerabilidades no especificadas en Google V8 anterior a 3.24.35.10, utilizado en Google Chrome anterior a 33.0.1750.146, permiten a atacantes causar una denegación de servicio o posiblemente tener otro impacto a través de vectores desconocidos. • http://advisories.mageia.org/MGASA-2014-0516.html http://googlechromereleases.blogspot.com/2014/03/stable-channel-update.html http://secunia.com/advisories/61184 http://www-01.ibm.com/support/docview.wss?uid=swg21683389 http://www.debian.org/security/2014/dsa-2883 http://www.mandriva.com/security/advisories?name=MDVSA-2015:142 http://www.securityfocus.com/bid/65930 https://code.google.com/p/chromium/issues/detail?id=343964 https://code.google.com/p/chromium/issues/detail?id=3441 •