CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2019-16163 – oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c
https://notcve.org/view.php?id=CVE-2019-16163
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. Oniguruma versiones anteriores a 6.9.3, permite un Agotamiento de la Pila en el archivo regcomp.c debido a la recursión en el archivo regparse.c. • https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180 https://github.com/kkos/oniguruma/compare/v6.9.2...v6.9.3 https://github.com/kkos/oniguruma/issues/147 https://lists.debian.org/debian-lts-announce/2019/09/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZW47MSFZ6WYOAOFXHBDGU4LYACFRKC2Y https://usn.ubuntu.c • CWE-121: Stack-based Buffer Overflow CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16159
https://notcve.org/view.php?id=CVE-2019-16159
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed. BIRD Internet Routing Daemon versiones 1.6.x hasta 1.6.7 y versiones 2.x hasta 2.0.5, presenta un desbordamiento de búfer en la región stack de la memoria. El soporte del demonio BGP para los mensajes de comunicación de apagado administrativo RFC 8203 incluía una expresión lógica incorrecta cuando se comprueba la validez de un mensaje de entrada. • http://bird.network.cz http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00063.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00065.html http://trubka.network.cz/pipermail/bird-users/2019-September/013718.html http://trubka.network.cz/pipermail/bird-users/2019-September/013720.html http://trubka.network.cz/pipermail/bird-users/2019-September/013722.html https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b https://gitlab.labs.nic.cz/l • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2016-10937
https://notcve.org/view.php?id=CVE-2016-10937
IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate. IMAPFilter a través de 2.6.12 no valida el nombre de host en un certificado SSL. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00002.html https://bugs.debian.org/939702 https://github.com/lefcha/imapfilter/issues/142 https://lists.debian.org/debian-lts-announce/2019/10/msg00040.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GBNDFMAIUA6PQMV2P6OKIP7JZQEWX7D2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IQ • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2019-16056 – python: email.utils.parseaddr wrongly parses email addresses
https://notcve.org/view.php?id=CVE-2019-16056
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. Se descubrió un problema en Python versiones hasta 2.7.16, versiones 3.x hasta 3.5.7, versiones 3.6.x hasta 3.6.9 y versiones 3.7.x hasta 3.7.4. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html https://access.redhat.com/errata/RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3948 https://bugs.python.org/issue • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 29EXPL: 1CVE-2019-15718 – systemd: systemd-resolved allows unprivileged users to configure DNS
https://notcve.org/view.php?id=CVE-2019-15718
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. En systemd versión 240, la función bus_open_system_watch_bind_with_description en el archivo shared/bus-util.c (como es usado en systemd-resolve para conectarse a la instancia del sistema D-Bus), llama a sd_bus_set_trusted, lo que deshabilita los controles de acceso para los mensajes entrantes de D-Bus. Un usuario no privilegiado puede explotar esto mediante la ejecución de métodos D-Bus que deberían estar restringidos para usuarios con privilegios, para cambiar la configuración de la resolución DNS. An improper authorization flaw was discovered in systemd-resolved in the way it configures the exposed DBus interface org.freedesktop.resolve1. • http://www.openwall.com/lists/oss-security/2019/09/03/1 https://access.redhat.com/errata/RHSA-2019:3592 https://access.redhat.com/errata/RHSA-2019:3941 https://bugzilla.redhat.com/show_bug.cgi?id=1746057 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B https://lists.fedoraproject.org/archives/list/package-announce% • CWE-285: Improper Authorization •