CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-20011
https://notcve.org/view.php?id=CVE-2016-20011
libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync. libgrss hasta la versión 0.7.0 no realiza la verificación del certificado TLS cuando se descargan los feeds, lo que permite a los atacantes remotos manipular el contenido de los feeds sin ser detectados. Esto ocurre debido al comportamiento por defecto de SoupSessionSync • https://bugzilla.gnome.org/show_bug.cgi?id=772647 https://gitlab.gnome.org/GNOME/libgrss/-/issues/4 https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7.patch • CWE-295: Improper Certificate Validation •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33516 – gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services
https://notcve.org/view.php?id=CVE-2021-33516
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc. Se detectó un problema en GUPnP versiones anteriores a 1.0.7 y 1.1.x y versiones 1.2.x anteriores a 1.2.5. • https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536 https://gitlab.gnome.org/GNOME/gupnp/-/issues/24 https://access.redhat.com/security/cve/CVE-2021-33516 https://bugzilla.redhat.com/show_bug.cgi?id=1964091 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20297 – NetworkManager: Profile with match.path setting triggers crash
https://notcve.org/view.php?id=CVE-2021-20297
A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability. Se encontró un fallo en NetworkManager en versiones anteriores a 1.30.0. Ajustando el archivo match.path y activando un perfil bloquea NetworkManager. • https://bugzilla.redhat.com/show_bug.cgi?id=1943282 https://access.redhat.com/security/cve/CVE-2021-20297 • CWE-20: Improper Input Validation •
CVSS: 3.9EPSS: 0%CPEs: 2EXPL: 1CVE-2020-36314 – file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)
https://notcve.org/view.php?id=CVE-2020-36314
fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736. El archivo fr-archive-libarchive.c en GNOME file-roller versiones hasta 3.38.0, como es usado GNOME Shell y otro software, permite un Salto de Directorio durante una extracción porque carece de una comprobación de si el parent de un archivo es un enlace simbólico en determinadas situaciones complejas. NOTA: este problema se presenta debido a una corrección incompleta para CVE-2020-11736 A path traversal vulnerability was found in file-roller due to an incomplete fix for CVE-2020-11736. It may still be possible to extract files outside of the intended directory in case of malicious archives containing symbolic links. • https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae https://gitlab.gnome.org/GNOME/file-roller/-/issues/108 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KJBZVCHQ4SSX2JAJZVJ5J4P3GEMXJ75 https://access.redhat.com/security/cve/CVE-2020-36314 https://bugzilla.redhat.com/show_bug.cgi?id=1947534 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28650 – gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix)
https://notcve.org/view.php?id=CVE-2021-28650
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. El archivo autoar-extractor.c en GNOME gnome-autoar versiones anteriores a 0.3.1, tal y como es usado en GNOME Shell, Nautilus y otro software, permite un Salto de Directorio durante la extracción porque carece de una comprobación de si el padre de un archivo es un enlace simbólico en determinadas situaciones complejas. NOTA: este problema se presenta debido a una corrección incompleta del CVE-2020-36241 • https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BN5TVQ7OHZEGY6AGFLAZWCVCI53RYNHQ https://security.gentoo.org/glsa/202105-10 https://access.redhat.com/security/cve/CVE-2021-28650 https://bugzilla.redhat.com/show_bug.cgi?id=1940026 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •