Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18507 | 2019-04-09 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2014-8155 | 1 Gnu | 1 Gnutls | 2019-04-08 | 4.3 MEDIUM | N/A |
| GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. | |||||
| CVE-2015-1333 | 1 Linux | 1 Linux Kernel | 2019-04-08 | 4.9 MEDIUM | N/A |
| Memory leak in the __key_link_end function in security/keys/keyring.c in the Linux kernel before 4.1.4 allows local users to cause a denial of service (memory consumption) via many add_key system calls that refer to existing keys. | |||||
| CVE-2015-3212 | 1 Linux | 1 Linux Kernel | 2019-04-08 | 4.9 MEDIUM | N/A |
| Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls. | |||||
| CVE-2015-4700 | 1 Linux | 1 Linux Kernel | 2019-04-08 | 4.9 MEDIUM | N/A |
| The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler. | |||||
| CVE-2019-5022 | 2019-04-04 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate is not about any specific product, protocol, or design, that falls into the scope of the assigning CNA. Notes: None. | |||||
| CVE-2019-10268 | 2019-04-03 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2005-3912 | 2 Debian, Webmin | 2 Debian Linux, Webmin | 2019-04-03 | 7.5 HIGH | N/A |
| Format string vulnerability in miniserv.pl Perl web server in Webmin before 1.250 and Usermin before 1.180, with syslog logging enabled, allows remote attackers to cause a denial of service (crash or memory consumption) and possibly execute arbitrary code via format string specifiers in the username parameter to the login form, which is ultimately used in a syslog call. NOTE: the code execution might be associated with an issue in Perl. | |||||
| CVE-2018-1000999 | 2019-04-02 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: [CVE-2018-20323]. Reason: This candidate is a duplicate of [CVE-2018-20323]. Notes: All CVE users should reference [CVE-2018-20323] instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2019-10675 | 2019-04-01 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-1872 | 2 Canonical, Ffmpeg | 2 Ubuntu Linux, Ffmpeg | 2019-03-31 | 6.8 MEDIUM | N/A |
| The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data. | |||||
| CVE-2019-5026 | 2019-03-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none. | |||||
| CVE-2019-5027 | 2019-03-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none. | |||||
| CVE-2019-5028 | 2019-03-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none. | |||||
| CVE-2019-5025 | 2019-03-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none. | |||||
| CVE-2014-3612 | 1 Apache | 1 Activemq | 2019-03-27 | 7.5 HIGH | N/A |
| The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. | |||||
| CVE-2014-8110 | 1 Apache | 1 Activemq | 2019-03-27 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-1830 | 2 Apache, Microsoft | 2 Activemq, Windows | 2019-03-27 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors. | |||||
| CVE-2014-1904 | 1 Pivotal Software | 1 Spring Framework | 2019-03-27 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. | |||||
| CVE-2015-4047 | 5 Canonical, Debian, F5 and 2 more | 25 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 22 more | 2019-03-27 | 7.8 HIGH | N/A |
| racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests. | |||||
| CVE-2018-14038 | 2019-03-27 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-7642. Reason: This candidate is a reservation duplicate of CVE-2018-7642. Notes: All CVE users should reference CVE-2018-7642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2006-2373 | 1 Microsoft | 3 Windows 2000, Windows Server 2003, Windows Xp | 2019-03-26 | 10.0 HIGH | N/A |
| The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability." | |||||
| CVE-2017-2660 | 2019-03-26 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate is not about any specific product, protocol, or design, that falls into the scope of the assigning CNA. Notes: None. | |||||
| CVE-2015-6563 | 2 Apple, Openbsd | 2 Mac Os X, Openssh | 2019-03-26 | 1.9 LOW | N/A |
| The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. | |||||
| CVE-2015-6564 | 1 Openbsd | 1 Openssh | 2019-03-26 | 6.9 MEDIUM | N/A |
| Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. | |||||
| CVE-2018-1000061 | 2019-03-25 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2005-3483 | 2 Graphon, Microsoft | 2 Go-global, Windows | 2019-03-25 | 7.5 HIGH | N/A |
| Buffer overflow in GO-Global for Windows 3.1.0.3270 and earlier allows remote attackers to execute arbitrary code via a data block that is longer than the specified data block size. | |||||
| CVE-2010-3718 | 1 Apache | 1 Tomcat | 2019-03-25 | 1.2 LOW | N/A |
| Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. | |||||
| CVE-2011-0013 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. | |||||
| CVE-2011-1184 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. | |||||
| CVE-2011-2204 | 1 Apache | 1 Tomcat | 2019-03-25 | 1.9 LOW | N/A |
| Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. | |||||
| CVE-2011-2526 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.4 MEDIUM | N/A |
| Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. | |||||
| CVE-2011-2729 | 2 Apache, Linux | 3 Apache Commons Daemon, Tomcat, Linux Kernel | 2019-03-25 | 5.0 MEDIUM | N/A |
| native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. | |||||
| CVE-2011-3190 | 1 Apache | 1 Tomcat | 2019-03-25 | 7.5 HIGH | N/A |
| Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. | |||||
| CVE-2011-5062 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. | |||||
| CVE-2011-5063 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. | |||||
| CVE-2011-5064 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. | |||||
| CVE-2012-0022 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. | |||||
| CVE-2010-1157 | 1 Apache | 1 Tomcat | 2019-03-25 | 2.6 LOW | N/A |
| Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. | |||||
| CVE-2010-2227 | 1 Apache | 1 Tomcat | 2019-03-25 | 6.4 MEDIUM | N/A |
| Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer." | |||||
| CVE-2009-2902 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. | |||||
| CVE-2009-3548 | 1 Apache | 1 Tomcat | 2019-03-25 | 7.5 HIGH | N/A |
| The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges. | |||||
| CVE-2008-0128 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2008-1947 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. | |||||
| CVE-2008-2370 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. | |||||
| CVE-2008-3271 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. | |||||
| CVE-2008-4308 | 1 Apache | 1 Tomcat | 2019-03-25 | 2.6 LOW | N/A |
| The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request. | |||||
| CVE-2008-5515 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. | |||||
| CVE-2009-0033 | 1 Apache | 1 Tomcat | 2019-03-25 | 5.0 MEDIUM | N/A |
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. | |||||
| CVE-2009-0580 | 1 Apache | 1 Tomcat | 2019-03-25 | 4.3 MEDIUM | N/A |
| Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. | |||||