CVSS: 9.6EPSS: 0%CPEs: 51EXPL: 0CVE-2017-10110 – OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)
https://notcve.org/view.php?id=CVE-2017-10110
20 Jul 2017 — Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can resu... • http://www.debian.org/security/2017/dsa-3919 •
CVSS: 9.6EPSS: 1%CPEs: 44EXPL: 0CVE-2017-10111 – OpenJDK: incorrect range checks in LambdaFormEditor (Libraries, 8184185)
https://notcve.org/view.php?id=CVE-2017-10111
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact a... • http://www.debian.org/security/2017/dsa-3919 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 52EXPL: 0CVE-2017-10115 – OpenJDK: DSA implementation timing attack (JCE, 8175106)
https://notcve.org/view.php?id=CVE-2017-10115
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java... • http://www.debian.org/security/2017/dsa-3919 • CWE-385: Covert Timing Channel •
CVSS: 8.3EPSS: 1%CPEs: 53EXPL: 0CVE-2017-10116 – OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067)
https://notcve.org/view.php?id=CVE-2017-10116
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE... • http://www.debian.org/security/2017/dsa-3919 •
CVSS: 5.9EPSS: 0%CPEs: 52EXPL: 0CVE-2017-10135 – OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)
https://notcve.org/view.php?id=CVE-2017-10135
20 Jul 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Ja... • http://www.debian.org/security/2017/dsa-3919 • CWE-385: Covert Timing Channel •
CVSS: 9.1EPSS: 55%CPEs: 34EXPL: 0CVE-2017-9788 – httpd: Uninitialized memory reflection in mod_auth_digest
https://notcve.org/view.php?id=CVE-2017-9788
13 Jul 2017 — In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. En Apache httpd, en versiones... • http://www.debian.org/security/2017/dsa-3913 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-456: Missing Initialization of a Variable •
CVSS: 5.3EPSS: 3%CPEs: 28EXPL: 0CVE-2017-3142 – An error in TSIG authentication can permit unauthorized zone transfers
https://notcve.org/view.php?id=CVE-2017-3142
30 Jun 2017 — An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0... • http://www.securityfocus.com/bid/99339 • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 28%CPEs: 28EXPL: 1CVE-2017-3143 – An error in TSIG authentication can permit unauthorized dynamic updates
https://notcve.org/view.php?id=CVE-2017-3143
30 Jun 2017 — An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. Un atacante que pueda enviar y recibir mensajes a un servidor DNS autoritativo y que conozca un nombre de clave TSIG válido para la zona ... • https://github.com/saaph/CVE-2017-3143 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 70%CPEs: 39EXPL: 0CVE-2017-7668 – httpd: ap_find_token() buffer overread
https://notcve.org/view.php?id=CVE-2017-7668
20 Jun 2017 — The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Los cambios en el análisis sintáctico estricto de HTTP añadidos en las versiones 2.2.32 y 2.4.24 de Apache httpd introdujeron un error en el análisis de listas... • http://www.debian.org/security/2017/dsa-3896 • CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read CWE-126: Buffer Over-read •
CVSS: 9.8EPSS: 9%CPEs: 35EXPL: 0CVE-2017-3167 – httpd: ap_get_basic_auth_pw() authentication bypass
https://notcve.org/view.php?id=CVE-2017-3167
20 Jun 2017 — In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. En Apache httpd, en versiones 2.2.x anteriores a la 2.2.33 y versiones 2.4.x anteriores a la 2.4.26, el uso de ap_get_basic_auth_pw() por parte de módulos de terceros fuera de la fase de autenticación puede dar lugar a que se omitan requisitos de autenticación.. It was discovered that the use of httpd... • http://www.debian.org/security/2017/dsa-3896 • CWE-287: Improper Authentication •