CVE-2019-14806
https://notcve.org/view.php?id=CVE-2019-14806
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. The Werkzeug debugger's PIN is derived deterministically from a few values assumed to be private to the machine, among them a machine id that Werkzeug reads from /etc/machine-id, falling back to /proc/sys/kernel/random/boot_id. Inside a container the first file is usually empty and the boot id is the host's, so every container on that host derives its PIN from the same value, and many of the remaining inputs (module name, file path) appear on the traceback page itself, leaving far less than the intended entropy to search. Werkzeug 0.15.3 (the referenced commit) mixes the container's cgroup identifier into the machine id. The PIN is a convenience guard, not a security boundary: the interactive debugger must never be enabled on a reachable service.
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168 https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246 https://palletsprojects.com/blog/werkzeug-0-15-3-released
• CWE-331: Insufficient Entropy
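The following is an added model of the problem, not Werkzeug's own code: it keeps only the shape of the PIN derivation (a hash over a few "probably public" values and a few "private" values, folded into nine digits) and shows why a sibling container on the same host can recover the PIN when the machine id is the shared boot id, but not once a per-container cgroup id is mixed in. The boot id, cgroup line, MAC assignment and public bits are constructed inputs; the hash and digit folding are assumptions, not Werkzeug's exact algorithm.

```python
import hashlib

# Added illustration; this is NOT Werkzeug's code. It keeps only the shape of
# the PIN derivation. All inputs below are constructed.

HOST_BOOT_ID = "3a6f9d1e-2b47-4c8e-9f01-5d2a7b6c8e90"        # /proc/sys/kernel/random/boot_id (constructed)
VICTIM_CGROUP = "12:memory:/docker/" + "7c" * 32              # first line of /proc/self/cgroup (constructed)
PUBLIC_BITS = ("root", "flask.app", "Flask",
               "/usr/local/lib/python3.7/site-packages/flask/app.py")  # visible on a traceback page (constructed)


def machine_id(etc_machine_id: str, boot_id: str, cgroup: str, mix_cgroup: bool) -> bytes:
    """Model of the machine id used as a private PIN input.

    mix_cgroup=False models the pre-0.15.3 behaviour: /etc/machine-id, or the
    host boot id if that file is empty (the usual case inside a container).
    mix_cgroup=True models the fix: the container id from the cgroup path is
    appended, so sibling containers on one host no longer share the value.
    """
    base = (etc_machine_id.strip() or boot_id.strip()).encode()
    if not mix_cgroup:
        return base
    first_line = cgroup.splitlines()[0] if cgroup else ""
    return base + first_line.rsplit("/", 1)[-1].strip().encode()


def docker_mac(last_octet: int) -> int:
    """Assumed default-bridge MAC layout 02:42:ac:11:00:XX: a 254-value search space."""
    return (0x0242AC110000 | last_octet) & 0xFFFFFFFFFFFF


def derive_pin(public_bits, mac: int, machine_id_bytes: bytes) -> str:
    """Nine-digit PIN as a deterministic function of its inputs (model hashing, not Werkzeug's)."""
    h = hashlib.sha1()
    for bit in (*public_bits, str(mac), machine_id_bytes):
        if bit:
            h.update(bit if isinstance(bit, bytes) else str(bit).encode())
    h.update(b"pinsalt")
    num = ("%09d" % int(h.hexdigest(), 16))[:9]
    return "-".join(num[i:i + 3] for i in range(0, 9, 3))


def brute_force_pin(public_bits, machine_id_guess: bytes, target_pin: str):
    """What a sibling container can do: it knows the public bits from the
    traceback page, reads the same boot id, and tries every bridge MAC.
    Returns the MAC that reproduces the PIN, or None."""
    for octet in range(1, 255):
        if derive_pin(public_bits, docker_mac(octet), machine_id_guess) == target_pin:
            return docker_mac(octet)
    return None


def demo():
    victim_mac = docker_mac(7)
    shared = machine_id("", HOST_BOOT_ID, VICTIM_CGROUP, mix_cgroup=False)
    pin_before = derive_pin(PUBLIC_BITS, victim_mac, shared)
    recovered = brute_force_pin(PUBLIC_BITS, shared, pin_before)       # finds victim_mac

    unique = machine_id("", HOST_BOOT_ID, VICTIM_CGROUP, mix_cgroup=True)
    pin_after = derive_pin(PUBLIC_BITS, victim_mac, unique)
    still_recovered = brute_force_pin(PUBLIC_BITS, shared, pin_after)  # None: attacker lacks the cgroup id
    return recovered == victim_mac, still_recovered is None


if __name__ == "__main__":
    print(demo())
```

The search over 254 MACs is the whole attack once the machine id is shared: nothing here needs access to the victim container, only to another container on the same host. The cgroup id in the fixed model is a 64-hex-character value the sibling cannot read, which is what restores the intended search space.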
CVE-2019-13106
https://notcve.org/view.php?id=CVE-2019-13106
Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution. The filesystem image is the untrusted input: anything that makes the bootloader read an attacker-controlled ext4 partition or removable medium reaches this code before the operating system and its mitigations are running. The fix is in upstream master (see the linked mailing-list thread).
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.html https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75 https://github.com/u-boot/u-boot/commits/master https://lists.denx.de/pipermail/u-boot/2019-July/375516.html
• CWE-787: Out-of-bounds Write
CVE-2019-13104
https://notcve.org/view.php?id=CVE-2019-13104
In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem. The copy length is computed from values taken from the image; when it wraps below zero the unsigned result is huge, and the comparison that should bound the copy passes it through. Same attack surface and fix route as CVE-2019-13106.
• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.html https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75 https://github.com/u-boot/u-boot/commits/master https://lists.denx.de/pipermail/u-boot/2019-July/375514.html
• CWE-191: Integer Underflow (Wrap or Wraparound) CWE-787: Out-of-bounds Write
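The two U-Boot entries above describe the same pattern: a file-read loop over a block-mapped filesystem whose transfer length comes from untrusted metadata. The following added example is not U-Boot's code; it models a minimal block reader with a constructed 4-block disk, an unchecked length computation that wraps (the CWE-191 half), and a checked variant whose per-step copy and hole zero-fill are bounded by both the block and the request (the CWE-787 half). The 32-bit length width, the "length 0 means to end of file" convention, and the hole-marked-by-block-0 layout are assumptions of the model.

```python
UINT_MAX = 0xFFFFFFFF  # the model uses 32-bit unsigned lengths, as C code on a 32-bit board would

# Constructed 4-block "disk" and one file on it: logical block n of the file
# lives at physical block FILE_BLOCKS[n]; 0 marks a hole that reads as zeros.
BLOCKSIZE = 8
DISK = bytes(range(BLOCKSIZE * 4))
FILE_BLOCKS = [1, 0, 3]
FILESIZE = 20


def plan_read_unchecked(filesize: int, pos: int, length: int) -> int:
    """Length actually transferred when the caller's position is trusted.
    A position past end-of-file makes filesize - pos wrap to a huge value
    (CWE-191), and that value then drives memcpy()/memset() (CWE-787)."""
    remaining = (filesize - pos) & UINT_MAX
    if length == 0 or length > remaining:   # length 0 means "to end of file" (model convention)
        length = remaining
    return length


def plan_read_checked(filesize: int, pos: int, length: int) -> int:
    """Same clamp, but refuses positions beyond the file so it can never wrap."""
    if pos < 0 or pos > filesize:
        raise ValueError(f"read position {pos} outside file of {filesize} bytes")
    remaining = filesize - pos
    if length == 0 or length > remaining:
        length = remaining
    return length


def read_file(pos: int, length: int, *, filesize=FILESIZE, blockmap=FILE_BLOCKS,
              disk=DISK, blocksize=BLOCKSIZE) -> bytes:
    """Block-by-block reader: each step copies at most the bytes left in the
    current block AND the bytes left in the request, so a partial last block
    or a hole never zero-fills or copies a full block past the request."""
    length = plan_read_checked(filesize, pos, length)
    if filesize > len(blockmap) * blocksize:
        raise ValueError("block map shorter than the declared file size")
    out = bytearray()
    cur, end = pos, pos + length
    while cur < end:
        lblock, off = divmod(cur, blocksize)
        n = min(blocksize - off, end - cur)      # bounded by block AND request
        pblock = blockmap[lblock]
        if pblock == 0:
            out += bytes(n)                       # hole: zero only n bytes, not blocksize
        else:
            start = pblock * blocksize + off
            chunk = disk[start:start + n]
            if len(chunk) != n:
                raise ValueError("block map points past the end of the device")
            out += chunk
        cur += n
    return bytes(out)


if __name__ == "__main__":
    print(hex(plan_read_unchecked(FILESIZE, 24, 0)))   # wrapped length a real memcpy() would receive
    print(read_file(0, 0).hex())
```

Two properties matter in the checked path: the position is validated against the file size before any subtraction, and every copy inside the loop derives its size from the already-clamped request, so the metadata read from the image (block map, file size) can make the read fail but cannot make it write outside the destination.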
CVE-2019-14524
https://notcve.org/view.php?id=CVE-2019-14524
An issue was discovered in Schism Tracker through 20190722. There is a heap-based buffer overflow via a large number of song patterns in fmt_mtm_load_song in fmt/mtm.c, a different vulnerability than CVE-2019-14465. The trigger is a crafted .mtm module file; the fix is in release 20190805 (referenced tag).
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00072.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00083.html https://github.com/schismtracker/schismtracker/issues/201 https://github.com/schismtracker/schismtracker/releases/tag/20190805
• CWE-787: Out-of-bounds Write
CVE-2019-10181 – icedtea-web: unsigned code injection in a signed JAR file
https://notcve.org/view.php?id=CVE-2019-10181
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected into a JAR file without invalidating its signature verification. An attacker could use this flaw to inject code into a trusted JAR; the injected code would run inside the sandbox. The caveat for anyone writing or reviewing a JAR verifier: a signed archive is only as trustworthy as the set of entries the signature actually covers, so the verifier must walk the archive's entries and reject any loadable entry that the signature data does not cover, rather than walking only the entries the signature data lists. The fix is the referenced pull request.
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181 https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327 https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344 https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html https://seclists.org/bugtraq/2019/Oct/5 https://security.gentoo.org/glsa/2021
• CWE-345: Insufficient Verification of Data Authenticity
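An added example of the verifier-side distinction, not IcedTea-Web's code: it models one layer of JAR signing, the per-entry digests in META-INF/MANIFEST.MF (the .SF file and signature block that sign the manifest itself are left out), builds a constructed JAR in memory with one covered class and one injected class, and contrasts a check that walks the manifest with one that walks the archive. The class names, contents and the use of SHA-256-Digest attributes are constructed sample data.

```python
import base64
import hashlib
import io
import zipfile

# Added illustration, not IcedTea-Web's code. Models the manifest-digest layer
# of JAR signing only; all archives below are constructed in memory.


def _digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_jar(entries: dict, signed_names) -> bytes:
    """Write a JAR whose manifest lists digests only for signed_names; any
    other entry stands for the file an attacker appends after signing."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in signed_names:
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(entries[name])}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: {attribute: value}} for the named manifest sections."""
    sections, current, name, last_key = {}, {}, None, None
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw == "":                               # blank line ends a section
            if name is not None:
                sections[name] = current
            current, name = {}, None
            continue
        if raw.startswith(" ") and last_key:        # 72-byte line continuation
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(": ")
        current[key] = value
        last_key = key
        if key == "Name":
            name = value
    if name is not None:
        sections[name] = current
    return sections


def _payload_entries(z: zipfile.ZipFile):
    return [i.filename for i in z.infolist()
            if not i.filename.startswith("META-INF/") and not i.filename.endswith("/")]


def manifest_entries_all_verify(jar: bytes) -> bool:
    """The insufficient check: walk the MANIFEST and confirm every listed
    digest matches. Entries absent from the manifest are never examined."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        mf = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        return all(_digest(z.read(n)) == sec["SHA-256-Digest"] for n, sec in mf.items())


def unverified_entries(jar: bytes) -> list:
    """The check that closes the gap: walk the ARCHIVE and require a matching
    manifest digest for every payload entry."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        mf = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        bad = []
        for n in _payload_entries(z):
            sec = mf.get(n)
            if sec is None or "SHA-256-Digest" not in sec:
                bad.append((n, "not covered by manifest"))
            elif _digest(z.read(n)) != sec["SHA-256-Digest"]:
                bad.append((n, "digest mismatch"))
        return bad


# Constructed sample: one signed class plus one injected class.
CLASSES = {"app/Main.class": b"\xca\xfe\xba\xbe signed main",
           "app/Dropper.class": b"\xca\xfe\xba\xbe injected"}
SIGNED_JAR = build_jar(CLASSES, ["app/Main.class", "app/Dropper.class"])
INJECTED_JAR = build_jar(CLASSES, ["app/Main.class"])

if __name__ == "__main__":
    print(manifest_entries_all_verify(INJECTED_JAR))   # True: every listed digest is fine
    print(unverified_entries(INJECTED_JAR))            # the injected class is not covered
```

The manifest-walking check returns True for the injected archive because nothing it looks at is wrong; only the archive-walking check notices that a loadable entry has no digest at all. A full verifier additionally has to tie the manifest to the .SF digest and the .SF to the signature block, but that chain does not help if the entry set is never compared against the archive.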