CVSS: 3.6EPSS: 0%CPEs: 8EXPL: 2CVE-2014-8737 – binutils: directory traversal vulnerability
https://notcve.org/view.php?id=CVE-2014-8737
Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar. Múltiples vulnerabilidades de salto de directorio en GNU binutils 2.24 y anteriores permiten a usuarios locales eliminar ficheros arbitrarios a través de un .. (punto punto) o nombre completo de ruta en un archivo en (1) strip o (2) objcopy o crear ficheros arbitrarios a través de (3) un .. • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145256.html http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145352.html http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145746.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147346.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147354.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148427.html http://lists.fedoraproject.or • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 3CVE-2014-8504 – binutils: stack overflow in the SREC parser
https://notcve.org/view.php?id=CVE-2014-8504
Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file. Desbordamiento de buffer basado en pila en la función srec_scan en bfd/srec.c en GNU binutils 2.24 y anteriores permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente tener orto impacto no especificado a través de un fichero manipulado. A stack-based buffer overflow flaw was found in the SREC parser of the libbfd library. A specially crafted file could cause an application using the libbfd library to crash or, potentially, execute arbitrary code with the privileges of the user running that application. • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147346.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147354.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148427.html http://secunia.com/advisorie • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 3CVE-2014-8990
https://notcve.org/view.php?id=CVE-2014-8990
default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename. default-rsyncssh.lua en Lsyncd 2.1.5 y anteriores permite a atacantes remotos ejecutar comandos arbitrarios a través de metacaracteres de shell en un nombre de fichero. • http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.html http://secunia.com/advisories/62321 http://www.debian.org/security/2015/dsa-3130 http://www.openwall.com/lists/oss-security/2014/11/19/1 http://www.openwall.com/lists/oss-security/2014/11/20/5 http://www.securityfocus.com/bid/71179 https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52 https://github • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 2.1EPSS: 0%CPEs: 4EXPL: 0CVE-2013-6494
https://notcve.org/view.php?id=CVE-2013-6494
fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates). fedup 0.9.0 en Fedora 19, 20, y 21 utiliza un directorio temporal con un nombre estático para su caché de descarga, lo que permite a usuarios locales causar una denegación de servicio (prevención de actualizaciones del sistema). • http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141698.html http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142698.html http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142933.html http://www.securityfocus.com/bid/70874 https://bugzilla.redhat.com/show_bug.cgi?id=1066679 https://github.com/wgwoods/fedup/issues/44 • CWE-17: DEPRECATED: Code •
CVSS: 5.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0334 – rubygem-bundler: 'bundle install' may install a gem from a source other than expected
https://notcve.org/view.php?id=CVE-2013-0334
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. Bundler anterior a 1.7, cuando múltiples líneas de fuentes del máximo nivel están utilizadas, permite a atacantes remotos instalar gemas arbitrarias con el mismo nombre como otra gema en una fuente diferente. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem. • http://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140609.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140654.html http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140655.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00092.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http&# • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •