Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-3254 1 Apache 1 Thrift 2018-01-05 4.0 MEDIUM 6.5 MEDIUM
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
CVE-2016-5219 1 Google 1 Chrome 2018-01-05 6.8 MEDIUM 6.3 MEDIUM
A heap use after free in V8 in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2015-3192 2 Fedoraproject, Pivotal Software 2 Fedora, Spring Framework 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
CVE-2015-3142 1 Redhat 1 Automatic Bug Reporting Tool 2018-01-05 1.9 LOW 4.7 MEDIUM
The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps to them, which allows local users to obtain sensitive information by leveraging write permissions to the working directory of a crashed application.
CVE-2016-5216 1 Google 1 Chrome 2018-01-05 6.8 MEDIUM 6.3 MEDIUM
A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.
CVE-2016-3722 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."
CVE-2016-3723 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
CVE-2016-5181 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted execution of v8 microtasks while the DOM was in an inconsistent state, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages.
CVE-2016-3724 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.
CVE-2016-3725 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 5.0 MEDIUM 4.3 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).
CVE-2016-3727 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 4.3 MEDIUM
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
CVE-2016-5189 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted navigation to blob URLs with non-canonical origins, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via crafted HTML pages.
CVE-2015-8956 2 Google, Linux 2 Android, Linux Kernel 2018-01-05 3.6 LOW 6.1 MEDIUM
The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.
CVE-2016-5190 1 Google 1 Chrome 2018-01-05 6.8 MEDIUM 6.3 MEDIUM
Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly handled object lifecycles during shutdown, which allowed a remote attacker to perform an out of bounds memory read via crafted HTML pages.
CVE-2016-5191 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
Bookmark handling in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android had insufficient validation of supplied data, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages, as demonstrated by an interpretation conflict between userinfo and scheme in an http://javascript:payload@example.com URL.
CVE-2015-8935 1 Php 1 Php 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.
CVE-2015-8934 3 Canonical, Libarchive, Suse 5 Ubuntu Linux, Libarchive, Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file.
CVE-2015-8932 4 Canonical, Debian, Libarchive and 1 more 6 Ubuntu Linux, Debian Linux, Libarchive and 3 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.
CVE-2015-8928 3 Canonical, Libarchive, Suse 5 Ubuntu Linux, Libarchive, Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file.
CVE-2016-10147 1 Linux 1 Linux Kernel 2018-01-05 4.9 MEDIUM 5.5 MEDIUM
crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).
CVE-2016-4569 3 Canonical, Linux, Novell 10 Ubuntu Linux, Linux Kernel, Suse Linux Enterprise Debuginfo and 7 more 2018-01-05 2.1 LOW 5.5 MEDIUM
The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.
CVE-2016-3721 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.0 MEDIUM 6.5 MEDIUM
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
CVE-2016-5187 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
Google Chrome prior to 54.0.2840.85 for Android incorrectly handled rapid transition into and out of full screen mode, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via crafted HTML pages.
CVE-2016-5188 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
Multiple issues in Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux allow a remote attacker to spoof various parts of browser UI via crafted HTML pages.
CVE-2015-8786 2 Oracle, Pivotal Software 2 Solaris, Rabbitmq 2018-01-05 6.8 MEDIUM 6.5 MEDIUM
The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter.
CVE-2015-8916 3 Canonical, Debian, Libarchive 3 Ubuntu Linux, Debian Linux, Libarchive 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.
CVE-2015-8920 3 Canonical, Libarchive, Novell 5 Ubuntu Linux, Libarchive, Suse Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file.
CVE-2016-5223 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
Integer overflow in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption or DoS via a crafted PDF file.
CVE-2016-5192 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
Blink in Google Chrome prior to 54.0.2840.59 for Windows missed a CORS check on redirect in TextTrackLoader, which allowed a remote attacker to bypass cross-origin restrictions via crafted HTML pages.
CVE-2015-8923 3 Canonical, Libarchive, Novell 5 Ubuntu Linux, Libarchive, Suse Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file.
CVE-2016-5220 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled navigation within PDFs, which allowed a remote attacker to read local files via a crafted PDF file.
CVE-2016-5217 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly permitted access to privileged plugins, which allowed a remote attacker to bypass site isolation via a crafted HTML page.
CVE-2016-5186 1 Google 1 Chrome 2018-01-05 6.8 MEDIUM 5.3 MEDIUM
Devtools in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly handled objects after a tab crash, which allowed a remote attacker to perform an out of bounds memory read via crafted PDF files.
CVE-2016-5226 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar.
CVE-2016-5225 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled form actions, which allowed a remote attacker to bypass Content Security Policy via a crafted HTML page.
CVE-2016-0789 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2016-5224 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
A timing attack on denormalized floating point arithmetic in SVG filters in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to bypass the Same Origin Policy via a crafted HTML page.
CVE-2016-5218 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled navigation within PDFs, which allowed a remote attacker to temporarily spoof the contents of the Omnibox (URL bar) via a crafted HTML page containing PDF data.
CVE-2015-8924 3 Canonical, Libarchive, Novell 5 Ubuntu Linux, Libarchive, Suse Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file.
CVE-2016-2116 2 Canonical, Jasper Project 2 Ubuntu Linux, Jasper 2018-01-05 4.3 MEDIUM 5.7 MEDIUM
Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file.
CVE-2016-5193 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
Google Chrome prior to 54.0 for iOS had insufficient validation of URLs for windows open by DOM, which allowed a remote attacker to bypass restrictions on navigation to certain URL schemes via crafted HTML pages.
CVE-2016-5214 1 Google 1 Chrome 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
Google Chrome prior to 55.0.2883.75 for Windows mishandled downloaded files, which allowed a remote attacker to prevent the downloaded file from receiving the Mark of the Web via a crafted HTML page.
CVE-2015-8925 3 Canonical, Libarchive, Suse 5 Ubuntu Linux, Libarchive, Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing.
CVE-2015-1573 1 Linux 1 Linux Kernel 2018-01-05 4.9 MEDIUM 5.5 MEDIUM
The nft_flush_table function in net/netfilter/nf_tables_api.c in the Linux kernel before 3.18.5 mishandles the interaction between cross-chain jumps and ruleset flushes, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability.
CVE-2015-1547 2 Debian, Libtiff 2 Debian Linux, Libtiff 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
CVE-2016-2100 1 Theforeman 1 Foreman 2018-01-05 6.5 MEDIUM 5.4 MEDIUM
Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.
CVE-2016-2089 1 Jasper Project 1 Jasper 2018-01-05 4.3 MEDIUM 6.5 MEDIUM
The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image.
CVE-2015-8926 3 Canonical, Libarchive, Suse 5 Ubuntu Linux, Libarchive, Linux Enterprise Desktop and 2 more 2018-01-05 4.3 MEDIUM 5.5 MEDIUM
The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive.
CVE-2016-0790 2 Jenkins, Redhat 2 Jenkins, Openshift 2018-01-05 5.0 MEDIUM 5.3 MEDIUM
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
CVE-2014-9767 2 Hiphop Virtual Machine For Php Project, Php 2 Hiphop Virtual Machine For Php, Php 2018-01-05 4.3 MEDIUM 4.3 MEDIUM
Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.