CVSS: 7.5EPSS: 2%CPEs: 5EXPL: 0CVE-2020-9369
https://notcve.org/view.php?id=CVE-2020-9369
Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters. Sympa versiones 6.2.38 hasta 6.2.52, permite a atacantes remotos causar una denegación de servicio (consumo de disco de archivos temporales y una avalancha de notificaciones para listmasters) por medio de una serie de peticiones con parámetros malformados. • https://github.com/sympa-community/sympa/issues/886 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6TMVZ5LVYCCIHGEC7RQUMGUE7DJWUXN7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3FUYYLV6URRLAJVWXNJYK2CNOKKNHXC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO4WJYNNHWM7DUKCN4EWYYYPXZSOI7BQ https://sympa-community.github.io/security/2020-001.html https://www.debian.org/security/2020/dsa-4818 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-9365
https://notcve.org/view.php?id=CVE-2020-9365
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c. Se detectó un problema en Pure-FTPd versión 1.0.49. Ha sido detectado una lectura fuera de límites (OOB) en la función pure_strcmp en el archivo utils.c. • https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e https://github.com/jedisct1/pure-ftpd/commit/bf6fcd4935e95128cf22af5924cdc8fe5c0579da https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22P44PECZWNDP7CMBL7NRBMNFS73C5Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5NSUDWXZVWUCL6R2PTX3KBB42Z62CA5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5DBVHJCXWRSJPNJQCJQCKZF6ZDPZCKA https://security.gentoo. • CWE-125: Out-of-bounds Read •
CVSS: 6.9EPSS: 0%CPEs: 8EXPL: 1CVE-2020-8130 – rake: OS Command Injection via egrep in Rake::FileList
https://notcve.org/view.php?id=CVE-2020-8130
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. Se presenta una vulnerabilidad de inyección de comandos de Sistema Operativo en Ruby Rake versiones anteriores a 12.3.3, en la función Rake::FileList cuando se suministra un nombre de archivo que comienza con el carácter de tubería "|". • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html https://hackerone.com/reports/651518 https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44 https://usn.ubuntu.com/4295-1 https://access.redhat.com/security/cve/CVE-2020-8130 https:&#x • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2019-18182
https://notcve.org/view.php?id=CVE-2019-18182
pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable a non-default XferCommand and retrieve an attacker-controlled crafted database and package. pacman versiones anteriores a 5.2, es vulnerable a una inyección de comandos arbitraria en el archivo conf.c en la función download_with_xfercommand(). Esto puede ser explotado cuando son usadas las bases de datos sin firma. Para explotar la vulnerabilidad, el usuario debe habilitar un XferCommand no predeterminado y recuperar una base de datos y un paquete diseñados y controlados por el atacante. • https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee https://git.archlinux.org/pacman.git/tree/src/pacman/conf.c?h=v5.1.3#n263 https://github.com/alpinelinux/alpine-secdb/blob/master/v3.11/community.yaml https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TTUXXUW5OCOASIRMJK4RHEPLEA33Y6C https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K53C45EDWBU3UCN3IRIGR5EZUNWXS7BW https://lists.fedoraproject.org/archives&#x • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2019-18183
https://notcve.org/view.php?id=CVE-2019-18183
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file. pacman versiones anteriores a 5.2, es vulnerable a una inyección de comandos arbitraria en la biblioteca lib/libalpm/sync.c en la función apply_deltas(). Esto puede ser explotado cuando son usadas las bases de datos sin firma. Para explotar la vulnerabilidad, el usuario debe habilitar la funcionalidad delta no predeterminada y recuperar una base de datos y un archivo delta diseñado, controlados por el atacante. • https://git.archlinux.org/pacman.git/commit/?id=c0e9be7973be6c81b22fde91516fb8991e7bb07b https://git.archlinux.org/pacman.git/tree/lib/libalpm/sync.c?h=v5.1.3#n767 https://github.com/alpinelinux/alpine-secdb/blob/master/v3.11/community.yaml https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2TTUXXUW5OCOASIRMJK4RHEPLEA33Y6C https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K53C45EDWBU3UCN3IRIGR5EZUNWXS7BW https://lists.fedoraproject.org/archives&# • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •