Filtered by vendor Debian
Subscriptions
Total
10174 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-13934 | 7 Apache, Canonical, Debian and 4 more | 17 Tomcat, Ubuntu Linux, Debian Linux and 14 more | 2024-11-21 | 7.5 High |
| An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. | ||||
| CVE-2020-13933 | 3 Apache, Debian, Redhat | 4 Shiro, Debian Linux, Jboss Amq and 1 more | 2024-11-21 | 7.5 High |
| Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-13920 | 4 Apache, Debian, Oracle and 1 more | 7 Activemq, Debian Linux, Communications Diameter Signaling Router and 4 more | 2024-11-21 | 5.9 Medium |
| Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. | ||||
| CVE-2020-13904 | 3 Canonical, Debian, Ffmpeg | 3 Ubuntu Linux, Debian Linux, Ffmpeg | 2024-11-21 | 5.5 Medium |
| FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c. | ||||
| CVE-2020-13881 | 4 Arista, Canonical, Debian and 1 more | 4 Cloudvision Portal, Ubuntu Linux, Debian Linux and 1 more | 2024-11-21 | 7.5 High |
| In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used. | ||||
| CVE-2020-13871 | 6 Debian, Fedoraproject, Netapp and 3 more | 12 Debian Linux, Fedora, Cloud Backup and 9 more | 2024-11-21 | 7.5 High |
| SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late. | ||||
| CVE-2020-13848 | 2 Debian, Libupnp Project | 2 Debian Linux, Libupnp | 2024-11-21 | 7.5 High |
| Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c. | ||||
| CVE-2020-13777 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 7.4 High |
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | ||||
| CVE-2020-13765 | 4 Canonical, Debian, Qemu and 1 more | 4 Ubuntu Linux, Debian Linux, Qemu and 1 more | 2024-11-21 | 5.6 Medium |
| rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. | ||||
| CVE-2020-13754 | 4 Canonical, Debian, Qemu and 1 more | 5 Ubuntu Linux, Debian Linux, Qemu and 2 more | 2024-11-21 | 6.7 Medium |
| hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. | ||||
| CVE-2020-13753 | 7 Canonical, Debian, Fedoraproject and 4 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 10.0 Critical |
| The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226. | ||||
| CVE-2020-13696 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 4.4 Medium |
| An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command. | ||||
| CVE-2020-13692 | 6 Debian, Fedoraproject, Netapp and 3 more | 14 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 11 more | 2024-11-21 | 7.7 High |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | ||||
| CVE-2020-13659 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2024-11-21 | 2.5 Low |
| address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. | ||||
| CVE-2020-13632 | 9 Brocade, Canonical, Debian and 6 more | 14 Fabric Operating System, Ubuntu Linux, Debian Linux and 11 more | 2024-11-21 | 5.5 Medium |
| ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. | ||||
| CVE-2020-13630 | 10 Apple, Brocade, Canonical and 7 more | 21 Icloud, Ipados, Iphone Os and 18 more | 2024-11-21 | 7.0 High |
| ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. | ||||
| CVE-2020-13625 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 7.5 High |
| PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. | ||||
| CVE-2020-13596 | 6 Canonical, Debian, Djangoproject and 3 more | 7 Ubuntu Linux, Debian Linux, Django and 4 more | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||||
| CVE-2020-13434 | 8 Apple, Canonical, Debian and 5 more | 16 Icloud, Ipados, Iphone Os and 13 more | 2024-11-21 | 5.5 Medium |
| SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. | ||||
| CVE-2020-13428 | 2 Debian, Videolan | 2 Debian Linux, Vlc Media Player | 2024-11-21 | 7.8 High |
| A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file. | ||||