CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 2CVE-2021-33477
https://notcve.org/view.php?id=CVE-2021-33477
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. rxvt-unicode versión 9.22, rxvt versión 2.7.10, mrxvt versión 0.5.4 y Eterm versión 0.9.7 permiten una ejecución de código (potencialmente remoto) debido al manejo inapropiado de determinadas secuencias de escape (ESC GQ). Una respuesta es terminada con una nueva línea • http://cvs.schmorp.de/rxvt-unicode/Changes?view=log http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 https://git.enlightenment.org/apps/eterm.git/log https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html https://lists.fedoraproject.org/archive • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20718
https://notcve.org/view.php?id=CVE-2021-20718
mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors. mod_auth_openidc versiones 2.4.0 hasta 2.4.7, permite a un atacante remoto causar una condición de denegación de servicio (DoS) por medio de vectores no especificados • https://github.com/zmartzone/mod_auth_openidc https://jvn.jp/en/jp/JVN49704918/index.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HJK366TLFEOIYWTHQSZO24MSDPBXHJU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FV4KYMQWPS3I2QPW2C253MLIAFGBZPLK https://www.oracle.com/security-alerts/cpujan2022.html https://www.zmartzone.eu • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-25287 – python-pillow: Out-of-bounds read in J2K image reader
https://notcve.org/view.php?id=CVE-2021-25287
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. Se ha detectado un problema en Pillow versiones anteriores a 8.2.0,. Se presenta una lectura fuera de límites en J2kDecode, en la función j2ku_graya_la There is an out-of-bounds read in J2kDecode in j2ku_graya_la. For J2k images with multiple bands, it’s legal to have different widths for each band, e.g. 1 byte for L, 4 bytes for A. • https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode https://security.gentoo.org/glsa/202107-33 https://access.redhat.com/security/cve/CVE-2021-25287 https://bugzilla.redhat.com/show_bug.cgi?id=1958226 • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28677 – python-pillow: Excessive CPU use in EPS image reader
https://notcve.org/view.php?id=CVE-2021-28677
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. Se ha detectado un problema en Pillow versiones anteriores a 8.2.0,. • https://github.com/python-pillow/Pillow/pull/5377 https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open https://security.gentoo.org/glsa/202107-33 https://access.redhat.com/security/cve/CVE-2021-28677 https://bugzilla.redhat.com/show_bug.cgi?id=1958257 • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: 18EXPL: 0CVE-2021-30465 – runc: vulnerable to symlink exchange attack
https://notcve.org/view.php?id=CVE-2021-30465
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition. runc versiones anteriores a 1.0.0-rc95, permite un Container Filesystem Breakout por medio de un Salto de Directorio. Para explotar la vulnerabilidad, un atacante debe ser capaz de crear varios contenedores con una configuración de montaje bastante específica. El problema ocurre por medio de un ataque de intercambio de enlaces simbólicos que se basa en una condición de carrera The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. • http://www.openwall.com/lists/oss-security/2021/05/19/2 https://bugzilla.opensuse.org/show_bug.cgi?id=1185405 https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f https://github.com/opencontainers/runc/releases https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH https: • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •