CVSS: 9.1EPSS: 0%CPEs: 12EXPL: 1CVE-2019-20444 – netty: HTTP request smuggling
https://notcve.org/view.php?id=CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." El archivo HttpObjectDecoder.java en Netty versiones anteriores a 4.1.44, permite un encabezado HTTP que carece de ":" dos puntos, que podría ser interpretado como un encabezado separado con una sintaxis incorrecta, o podría ser interpretado como un "invalid fold." A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability. • https://access.redhat.com/errata/RHSA-2020:0497 https://access.redhat.com/errata/RHSA-2020:0567 https://access.redhat.com/errata/RHSA-2020:0601 https://access.redhat.com/errata/RHSA-2020:0605 https://access.redhat.com/errata/RHSA-2020:0606 https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0811 https://github.com/netty/netty/compare& • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 1CVE-2019-20445 – netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
https://notcve.org/view.php?id=CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. "El archivo HttpObjectDecoder.java en Netty versiones anteriores a 4.1.44, permite que un encabezado Content-Length esté acompañado por un segundo encabezado Content-Length o por un encabezado Transfer-Encoding." A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability. • https://access.redhat.com/errata/RHSA-2020:0497 https://access.redhat.com/errata/RHSA-2020:0567 https://access.redhat.com/errata/RHSA-2020:0601 https://access.redhat.com/errata/RHSA-2020:0605 https://access.redhat.com/errata/RHSA-2020:0606 https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0811 https://github.com/netty/netty/compare& • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 11CVE-2019-18634 – Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2019-18634
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. En Sudo anterior a la versión 1.8.26, si pwfeedback está habilitado en / etc / sudoers, los usuarios pueden desencadenar un desbordamiento de búfer basado en pila en el proceso de sudo privilegiado. (pwfeedback es una configuración predeterminada en Linux Mint y sistema operativo elemental; sin embargo, NO es el valor predeterminado para paquetes ascendentes y muchos otros, y existiría solo si lo habilita un administrador). • https://www.exploit-db.com/exploits/47995 https://www.exploit-db.com/exploits/48052 https://github.com/Plazmaz/CVE-2019-18634 https://github.com/aesophor/CVE-2019-18634 https://github.com/N1et/CVE-2019-18634 https://github.com/ptef/CVE-2019-18634 https://github.com/paras1te-x/CVE-2019-18634 https://github.com/chanbakjsd/CVE-2019-18634 https://github.com/DDayLuong/CVE-2019-18634 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html http://pa • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1CVE-2020-8112 – openjpeg: heap-based buffer overflow in pj_t1_clbl_decode_processor in openjp2/t1.c
https://notcve.org/view.php?id=CVE-2020-8112
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. La función opj_t1_clbl_decode_processor en el archivo openjp2/t1.c en OpenJPEG versión 2.3.1 hasta el 28-01-2020, presenta un desbordamiento del búfer en la región heap de la memoria en el caso qmfbid==1, un problema diferente de CVE-2020-6851. A heap-based buffer overflow flaw was found in the opj_t1_clbl_decode_processor in openjpeg2. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://access.redhat.com/errata/RHSA-2020:0550 https://access.redhat.com/errata/RHSA-2020:0569 https://access.redhat.com/errata/RHSA-2020:0570 https://access.redhat.com/errata/RHSA-2020:0694 https://github.com/uclouvain/openjpeg/issues/1231 https://lists.debian.org/debian-lts-announce/2020/01/msg00035.html https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFM77GIFWHOECNIERYJQPI2ZJU57GZ • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 897EXPL: 0CVE-2020-0549 – hw: L1D Cache Eviction Sampling
https://notcve.org/view.php?id=CVE-2020-0549
Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Unos errores de limpieza en algunos desalojos de caché de datos para algunos procesadores Intel(R), pueden permitir a un usuario autenticado habilitar potencialmente una divulgación de información por medio del acceso local. A microarchitectural timing flaw was found on some Intel processors. A corner case exists where data in-flight during the eviction process can end up in the “fill buffers” and not properly cleared by the MDS mitigations. The fill buffer contents (which were expected to be blank) can be inferred using MDS or TAA style attack methods to allow a local attacker to infer fill buffer values. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00016.html https://kc.mcafee.com/corporate/index?page=content&id=SB10318 https://lists.debian.org/debian-lts-announce/2020/06/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DT2VKDMQ3I37NBNJ256A2EXR7OJHXXKZ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5OUM24ZC43G4IDT3JUCIHJTSDXJSK6Y https://security.netapp.com/advisory/ntap-20200210-0004 https://usn.ubunt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •