Filtered by vendor Opensuse
Subscribe
Search
Total
844 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5331 | 4 Canonical, Debian, Icoutils Project and 1 more | 5 Ubuntu Linux, Debian Linux, Icoutils and 2 more | 2019-11-05 | 4.6 MEDIUM | 7.8 HIGH |
| Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable. | |||||
| CVE-2018-7685 | 1 Opensuse | 1 Libzypp | 2019-10-09 | 4.6 MEDIUM | 7.8 HIGH |
| The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download. | |||||
| CVE-2018-20106 | 1 Opensuse | 1 Yast2-printer | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
| In yast2-printer up to and including version 4.0.2 the SMB printer settings don't escape characters in passwords properly. If a password with backticks or simliar characters is supplied this allows for executing code as root. This requires tricking root to enter such a password in yast. | |||||
| CVE-2018-17953 | 3 Kernel, Opensuse, Suse | 3 Linux-pam, Leap, Linux Enterprise | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
| A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open). | |||||
| CVE-2018-12477 | 1 Opensuse | 1 Leap | 2019-10-09 | 6.4 MEDIUM | 7.5 HIGH |
| A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce. | |||||
| CVE-2018-12479 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df. | |||||
| CVE-2018-12473 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A path traversal traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to cause access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0. | |||||
| CVE-2018-10861 | 4 Ceph, Debian, Opensuse and 1 more | 9 Ceph, Debian Linux, Leap and 6 more | 2019-10-09 | 5.5 MEDIUM | 8.1 HIGH |
| A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected. | |||||
| CVE-2017-9286 | 1 Opensuse | 1 Leap | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsafe manner, which could have allowed scripts running as wwwrun user to escalate privileges to root during nextcloud package upgrade. | |||||
| CVE-2017-9274 | 1 Opensuse | 1 Obs-service-source Validator | 2019-10-09 | 9.3 HIGH | 7.8 HIGH |
| A shell command injection in the obs-service-source_validator before 0.7 could be used to execute code as the packager when checking RPM SPEC files with specific macro constructs. | |||||
| CVE-2017-7435 | 1 Opensuse | 1 Libzypp | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
| In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system. | |||||
| CVE-2017-7436 | 1 Opensuse | 1 Libzypp | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
| In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system. | |||||
| CVE-2017-5188 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information. | |||||
| CVE-2016-9597 | 5 Canonical, Debian, Hp and 2 more | 6 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 3 more | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705. | |||||
| CVE-2015-0796 | 1 Opensuse | 1 Open Buildservice | 2019-10-09 | 4.6 MEDIUM | 7.8 HIGH |
| In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break of confinement or cause denial of service attacks on the source service. | |||||
| CVE-2014-0594 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent. | |||||
| CVE-2011-3178 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode. | |||||
| CVE-2011-4182 | 1 Opensuse | 1 Sysconfig | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| Missing escaping of ESSID values in sysconfig of SUSE Linux Enterprise allows attackers controlling an access point to cause execute arbitrary code. Affected releases are sysconfig prior to 0.83.7-2.1. | |||||
| CVE-2011-4181 | 1 Opensuse | 1 Open Build Service | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3. | |||||
| CVE-2018-14523 | 3 Aubio, Opensuse, Suse | 3 Aubio, Leap, Linux Enterprise | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes. | |||||
| CVE-2017-8386 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character. | |||||
| CVE-2017-16232 | 3 Libtiff, Opensuse, Suse | 5 Libtiff, Leap, Linux Enterprise Desktop and 2 more | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue. | |||||
| CVE-2017-13082 | 7 Canonical, Debian, Freebsd and 4 more | 12 Ubuntu Linux, Debian Linux, Freebsd and 9 more | 2019-10-03 | 5.8 MEDIUM | 8.1 HIGH |
| Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. | |||||
| CVE-2017-17806 | 5 Debian, Linux, Opensuse and 2 more | 7 Debian Linux, Linux Kernel, Leap and 4 more | 2019-10-03 | 7.2 HIGH | 7.8 HIGH |
| The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. | |||||
| CVE-2018-11577 | 3 Canonical, Liblouis, Opensuse | 3 Ubuntu Linux, Liblouis, Leap | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. | |||||
| CVE-2018-12180 | 2 Opensuse, Tianocore | 2 Leap, Edk Ii | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access. | |||||
| CVE-2018-16412 | 2 Imagemagick, Opensuse | 2 Imagemagick, Leap | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the coders/psd.c ParseImageResourceBlocks function. | |||||
| CVE-2018-19639 | 1 Opensuse | 1 Supportutils | 2019-10-03 | 7.2 HIGH | 7.8 HIGH |
| If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root. | |||||
| CVE-2016-1645 | 3 Debian, Google, Opensuse | 5 Debian Linux, Chrome, Leap and 2 more | 2019-09-27 | 9.3 HIGH | 8.8 HIGH |
| Multiple integer signedness errors in the opj_j2k_update_image_data function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 49.0.2623.87, allow remote attackers to cause a denial of service (incorrect cast and out-of-bounds write) or possibly have unspecified other impact via crafted JPEG 2000 data. | |||||
| CVE-2019-5811 | 3 Fedoraproject, Google, Opensuse | 3 Fedora, Chrome, Leap | 2019-07-25 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect handling of CORS in ServiceWorker in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2019-5816 | 2 Google, Opensuse | 4 Android, Chrome, Backports and 1 more | 2019-07-25 | 6.8 MEDIUM | 8.8 HIGH |
| Process lifetime issue in Chrome in Google Chrome on Android prior to 74.0.3729.108 allowed a remote attacker to potentially persist an exploited process via a crafted HTML page. | |||||
| CVE-2014-5220 | 2 Mdadm Project, Opensuse | 2 Mdadm, Opensuse | 2019-07-16 | 7.2 HIGH | 7.8 HIGH |
| The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root. | |||||
| CVE-2019-9024 | 5 Canonical, Debian, Netapp and 2 more | 5 Ubuntu Linux, Debian Linux, Storage Automation Store and 2 more | 2019-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. | |||||
| CVE-2019-7524 | 4 Canonical, Debian, Dovecot and 1 more | 4 Ubuntu Linux, Debian Linux, Dovecot and 1 more | 2019-06-14 | 7.2 HIGH | 7.8 HIGH |
| In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. | |||||
| CVE-2018-16875 | 2 Golang, Opensuse | 2 Go, Leap | 2019-06-03 | 7.8 HIGH | 7.5 HIGH |
| The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. | |||||
| CVE-2019-9675 | 3 Canonical, Opensuse, Php | 3 Ubuntu Linux, Leap, Php | 2019-06-03 | 6.8 MEDIUM | 8.1 HIGH |
| ** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible." | |||||
| CVE-2019-9637 | 5 Canonical, Debian, Netapp and 2 more | 5 Ubuntu Linux, Debian Linux, Storage Automation Store and 2 more | 2019-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data. | |||||
| CVE-2019-3836 | 3 Fedoraproject, Gnu, Opensuse | 3 Fedora, Gnutls, Leap | 2019-05-30 | 5.0 MEDIUM | 7.5 HIGH |
| It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages. | |||||
| CVE-2019-11009 | 3 Debian, Graphicsmagick, Opensuse | 3 Debian Linux, Graphicsmagick, Leap | 2019-05-23 | 5.8 MEDIUM | 8.1 HIGH |
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, which allows attackers to cause a denial of service or information disclosure via a crafted image file. | |||||
| CVE-2018-20783 | 2 Opensuse, Php | 2 Leap, Php | 2019-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c. | |||||
| CVE-2019-3863 | 5 Debian, Libssh2, Netapp and 2 more | 10 Debian Linux, Libssh2, Ontap Select Deploy Administration Utility and 7 more | 2019-05-14 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. | |||||
| CVE-2018-19865 | 2 Opensuse, Qt | 2 Leap, Qt | 2019-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. | |||||
| CVE-2019-7443 | 4 Fedoraproject, Kde, Opensuse and 1 more | 5 Fedora, Kauth, Backports and 2 more | 2019-05-10 | 9.3 HIGH | 8.1 HIGH |
| KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability. | |||||
| CVE-2018-19636 | 1 Opensuse | 1 Supportutils | 2019-05-08 | 7.2 HIGH | 7.8 HIGH |
| Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary. If an attacker provides one at an arbitrary location it is executed with root privileges | |||||
| CVE-2018-19456 | 2 Opensuse, Wplaunchpad | 2 Leap, Wpbackupplus | 2019-05-08 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Backup+ (aka WPbackupplus) plugin through 2018-11-22 for WordPress allows remote attackers to obtain sensitive information from server folders and files, as demonstrated by download.sql. | |||||
| CVE-2019-9894 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Oncommand Unified Manager and 2 more | 2019-04-26 | 6.4 MEDIUM | 7.5 HIGH |
| A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification. | |||||
| CVE-2018-20615 | 4 Canonical, Haproxy, Opensuse and 1 more | 5 Ubuntu Linux, Haproxy, Leap and 2 more | 2019-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame. | |||||
| CVE-2016-2150 | 5 Debian, Microsoft, Opensuse and 2 more | 12 Debian Linux, Windows, Leap and 9 more | 2019-04-22 | 3.6 LOW | 7.1 HIGH |
| SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261. | |||||
| CVE-2018-14522 | 3 Aubio, Opensuse, Suse | 3 Aubio, Leap, Linux Enterprise | 2019-04-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes. | |||||
| CVE-2016-3714 | 5 Canonical, Debian, Imagemagick and 2 more | 6 Ubuntu Linux, Debian Linux, Imagemagick and 3 more | 2019-04-15 | 10.0 HIGH | 8.4 HIGH |
| The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." | |||||