CVSS: 8.8EPSS: 2%CPEs: 9EXPL: 0CVE-2020-11100 – haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
https://notcve.org/view.php?id=CVE-2020-11100
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. En la función hpack_dht_insert en el archivo hpack-tbl.c en el decodificador HPACK en HAProxy versiones 1.8 hasta 2.x anteriores a 2.1.4, un atacante remoto puede escribir bytes arbitrarios alrededor de una determinada ubicación en la pila (heap) por medio de una petición HTTP/2 diseñada, causando posiblemente una ejecución de código remoto. A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy. The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html http://packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html http://www.haproxy.org https://bugzilla.redhat.com/show_bug.cgi?id=1819111 https://bugzilla.suse.com/show_bug.cgi?id=1168023 https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 https://lists.debian.org/debian-security-announce/2020/msg00052.html https://lists.fedoraproject.org/archives/list/packag • CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 24EXPL: 0CVE-2020-1927 – httpd: mod_rewrite configurations vulnerable to open redirect
https://notcve.org/view.php?id=CVE-2020-1927
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. En Apache HTTP Server versiones 2.4.0 hasta 2.4.41, los redireccionamientos configurados con mod_rewrite que pretendían ser autorreferenciales podrían ser engañados por nuevas líneas codificadas y redireccionadas en lugar de una URL inesperada dentro de la URL de petición. A flaw was found in Apache HTTP Server (httpd) versions 2.4.0 to 2.4.41. Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirected instead to an unexpected URL within the request URL. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html http://www.openwall.com/lists/oss-security/2020/04/03/1 http://www.openwall.com/lists/oss-security/2020/04/04/1 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 21EXPL: 0CVE-2020-1934 – httpd: mod_proxy_ftp use of uninitialized value
https://notcve.org/view.php?id=CVE-2020-1934
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. En Apache HTTP Server versiones 2.4.0 hasta 2.4.41, mod_proxy_ftp puede usar memoria no inicializada cuando al enviar un proxy hacia un servidor FTP malicioso. A flaw was found in Apache's HTTP server (httpd) .The mod_proxy_ftp module may use uninitialized memory with proxying to a malicious FTP server. The highest threat from this vulnerability is to data confidentiality. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac%40%3Cdev.httpd.apache.org%3E https://lists.apache.org/thread.html/r26706d75f6b9080ca6a29955aeb8 • CWE-456: Missing Initialization of a Variable CWE-908: Use of Uninitialized Resource •
CVSS: 8.8EPSS: 0%CPEs: 52EXPL: 6CVE-2020-8835 – Linux kernel bpf verifier vulnerability
https://notcve.org/view.php?id=CVE-2020-8835
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780) En el kernel de Linux versiones 5.5.0 y más recientes, el verificador bpf (kernel/bpf/verifier.c) no restringió apropiadamente los límites de registro para operaciones de 32 bits, conllevando a lecturas y escrituras fuera de límites en la memoria del kernel. La vulnerabilidad también afecta a la serie estable de Linux versión 5.4, comenzando con la versión v5.4.7, ya que el commit de introducción fue respaldado en esa derivación. • https://github.com/zilong3033/CVE-2020-8835 https://github.com/digamma-ai/CVE-2020-8835-verification https://github.com/SplendidSky/CVE-2020-8835 https://github.com/Prabhashaka/Exploitation-CVE-2020-8835 https://github.com/johnatag/INF8602-CVE-2020-8835 http://www.openwall.com/lists/oss-security/2021/07/20/1 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef https://git.kernel.org/pub/scm/linux/kernel/git/torvald • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2020-7065 – mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full
https://notcve.org/view.php?id=CVE-2020-7065
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. En PHP versiones 7.3.x por debajo de 7.3.16 y versiones 7.4.x por debajo de 7.4.4, mientras se usa la función mb_strtolower() con codificación UTF-32LE, determinadas cadenas no comprobadas pueden causar que PHP sobrescriba el búfer asignado de la pila. Esto podría conllevar a una corrupción de la memoria, bloqueos y potencialmente a una ejecución de código. A vulnerability was found in PHP while using the mb_strtolower() function with UTF-32LE encoding, where certain invalid strings cause PHP to overwrite the stack-allocated buffer. • https://bugs.php.net/bug.php?id=79371 https://security.netapp.com/advisory/ntap-20200403-0001 https://usn.ubuntu.com/4330-1 https://usn.ubuntu.com/4330-2 https://www.debian.org/security/2020/dsa-4719 https://www.oracle.com/security-alerts/cpuoct2021.html https://www.php.net/ChangeLog-7.php#7.4.4 https://www.tenable.com/security/tns-2021-14 https://access.redhat.com/security/cve/CVE-2020-7065 https://bugzilla.redhat.com/show_bug.cgi?id=1820627 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •