Search
Total
27796 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9668 | 3 Adobe, Apple, Microsoft | 3 Genuine Service, Macos, Windows | 2022-07-26 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. An unauthenticated attacker could exploit this to elevate privileges in the context of the current user. | |||||
| CVE-2021-36373 | 2 Apache, Oracle | 32 Ant, Agile Plm, Banking Trade Finance and 29 more | 2022-07-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2020-29506 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2020-28500 | 2 Lodash, Oracle | 16 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 13 more | 2022-07-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | |||||
| CVE-2021-36090 | 3 Apache, Netapp, Oracle | 33 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 30 more | 2022-07-25 | 5.0 MEDIUM | 7.5 HIGH |
| When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. | |||||
| CVE-2020-35167 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2020-17521 | 3 Apache, Netapp, Oracle | 20 Atlas, Groovy, Snapcenter and 17 more | 2022-07-25 | 2.1 LOW | 5.5 MEDIUM |
| Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. | |||||
| CVE-2020-29651 | 1 Pytest | 1 Py | 2022-07-25 | 5.0 MEDIUM | 7.5 HIGH |
| A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. | |||||
| CVE-2020-35164 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 7.5 HIGH | 8.1 HIGH |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2020-35168 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2020-28052 | 3 Apache, Bouncycastle, Oracle | 19 Karaf, Legion-of-the-bouncy-castle-java-crytography-api, Banking Corporate Lending Process Management and 16 more | 2022-07-25 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. | |||||
| CVE-2020-35166 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2020-25659 | 2 Oracle, Python-cryptography Project | 2 Communications Cloud Native Core Network Function Cloud Native Environment, Python-cryptography | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. | |||||
| CVE-2021-29921 | 2 Oracle, Python | 6 Communications Cloud Native Core Automated Test Suite, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Slice Selection Function and 3 more | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses. | |||||
| CVE-2021-36374 | 2 Apache, Oracle | 33 Ant, Agile Plm, Banking Trade Finance and 30 more | 2022-07-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2021-29799 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-07-25 | N/A | 6.5 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) could allow an authenticated user to obtain sensitive information due to improper client side validation. IBM X-Force ID: 203738. | |||||
| CVE-2020-10930 | 1 Netgear | 2 R6700, R6700 Firmware | 2022-07-25 | 3.3 LOW | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of URLs. The issue results from the lack of proper routing of URLs. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-9618. | |||||
| CVE-2020-1765 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2022-07-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | |||||
| CVE-2020-1690 | 1 Redhat | 2 Openstack-selinux, Openstack Platform | 2022-07-25 | 4.9 MEDIUM | 6.5 MEDIUM |
| An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from privilege escalation. A non-root attacker in one or more Red Hat OpenStack (RHOSP) containers could send messages to the dbus. With access to the dbus, the attacker could start or stop services, possibly causing a denial of service. Versions before openstack-selinux 0.8.24 are affected. | |||||
| CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2022-07-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission. | |||||
| CVE-2020-14340 | 2 Oracle, Redhat | 14 Communications Cloud Native Core Console, Communications Cloud Native Core Network Repository Function, Communications Cloud Native Core Policy and 11 more | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final. | |||||
| CVE-2020-14312 | 1 Fedoraproject | 1 Fedora | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. | |||||
| CVE-2021-3049 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2022-07-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are aware but are not a part of. This issue impacts: All Cortex XSOAR 5.5.0 builds; Cortex XSOAR 6.1.0 builds earlier than 12099345. This issue does not impact Cortex XSOAR 6.2.0 versions. | |||||
| CVE-2021-25438 | 2 Google, Samsung | 2 Android, Members | 2022-07-25 | 4.6 MEDIUM | 7.8 HIGH |
| Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview. | |||||
| CVE-2021-25439 | 2 Google, Samsung | 2 Android, Members | 2022-07-25 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause arbitrary webpage loading in webview. | |||||
| CVE-2021-25433 | 1 Linux | 1 Tizen | 2022-07-25 | 4.9 MEDIUM | 5.5 MEDIUM |
| Improper authorization vulnerability in Tizen factory reset policy prior to Firmware update JUL-2021 Release allows untrusted applications to perform factory reset using dbus signal. | |||||
| CVE-2021-25507 | 1 Samsung | 1 Samsung Flow | 2022-07-25 | 2.7 LOW | 5.7 MEDIUM |
| Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization. | |||||
| CVE-2021-43359 | 1 Sun | 1 Ehrd | 2022-07-25 | 9.0 HIGH | 8.8 HIGH |
| Sunnet eHRD has broken access control vulnerability, which allows a remote attacker to access account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services. | |||||
| CVE-2021-3062 | 1 Paloaltonetworks | 2 Pan-os, Vm-series Firewall | 2022-07-25 | 6.0 MEDIUM | 8.8 HIGH |
| An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. Exploitation of this vulnerability enables an attacker to perform any operations allowed by the EC2 role in AWS. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20 VM-Series firewalls; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11 VM-Series firewalls; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14 VM-Series firewalls; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8 VM-Series firewalls. Prisma Access customers are not impacted by this issue. | |||||
| CVE-2021-43792 | 1 Discourse | 1 Discourse | 2022-07-25 | 3.5 LOW | 4.3 MEDIUM |
| Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible. | |||||
| CVE-2022-34057 | 1 Scoptrial Project | 1 Scoptrial | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| The Scoptrial package in PyPI version v0.0.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. | |||||
| CVE-2022-30973 | 1 Apache | 1 Tika | 2022-07-22 | 2.6 LOW | 5.5 MEDIUM |
| We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. | |||||
| CVE-2021-21798 | 1 Gonitro | 1 Nitro Pro | 2022-07-21 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability. | |||||
| CVE-2022-31147 | 1 Jqueryvalidation | 1 Jquery Validation | 2022-07-21 | N/A | 7.5 HIGH |
| The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch. | |||||
| CVE-2022-33173 | 1 Couchbase | 1 Couchbase Server | 2022-07-20 | 5.0 MEDIUM | 7.5 HIGH |
| An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS connection to determine the TLS port number, using SCRAM-SHA instead. | |||||
| CVE-2022-33713 | 1 Samsung | 1 Cloud | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive information. | |||||
| CVE-2022-22023 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-07-16 | 6.9 MEDIUM | 6.6 MEDIUM |
| Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability. | |||||
| CVE-2021-1600 | 1 Cisco | 1 Intersight Virtual Appliance | 2022-07-15 | 5.8 MEDIUM | 8.3 HIGH |
| Multiple vulnerabilities in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access sensitive internal services from an external interface. These vulnerabilities are due to insufficient restrictions for IPv4 or IPv6 packets that are received on the external management interface. An attacker could exploit these vulnerabilities by sending specific traffic to this interface on an affected device. A successful exploit could allow the attacker to access sensitive internal services and make configuration changes on the affected device. | |||||
| CVE-2021-1601 | 1 Cisco | 1 Intersight Virtual Appliance | 2022-07-15 | 5.8 MEDIUM | 8.3 HIGH |
| Multiple vulnerabilities in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access sensitive internal services from an external interface. These vulnerabilities are due to insufficient restrictions for IPv4 or IPv6 packets that are received on the external management interface. An attacker could exploit these vulnerabilities by sending specific traffic to this interface on an affected device. A successful exploit could allow the attacker to access sensitive internal services and make configuration changes on the affected device. | |||||
| CVE-2020-14326 | 2 Netapp, Redhat | 3 Oncommand Insight, Integration Camel K, Resteasy | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. | |||||
| CVE-2022-1678 | 1 Linux | 1 Linux Kernel | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients. | |||||
| CVE-2021-25501 | 1 Google | 1 Android | 2022-07-14 | 2.1 LOW | 3.3 LOW |
| An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers. | |||||
| CVE-2021-25437 | 1 Linux | 1 Tizen | 2022-07-14 | 10.0 HIGH | 9.8 CRITICAL |
| Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows attackers to arbitrary code execution by replacing FOTA update file. | |||||
| CVE-2022-30885 | 1 Esa | 1 Pyesasky | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.0-1.4.2. | |||||
| CVE-2021-25431 | 2 Google, Samsung | 2 Android, Cameralyzer | 2022-07-14 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control vulnerability in Cameralyzer prior to versions 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, and 3.4.4210 in 3.4.x allows untrusted applications to access some functions of Cameralyzer. | |||||
| CVE-2021-3044 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier than 1271064; Cortex XSOAR 6.2.0 builds earlier than 1271065. This issue does not impact Cortex XSOAR 5.5.0, Cortex XSOAR 6.0.0, Cortex XSOAR 6.0.1, or Cortex XSOAR 6.0.2 versions. All Cortex XSOAR instances hosted by Palo Alto Networks are upgraded to resolve this vulnerability. No additional action is required for these instances. | |||||
| CVE-2021-25417 | 1 Google | 1 Android | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Improper authorization in SDP SDK prior to SMR JUN-2021 Release 1 allows access to internal storage. | |||||
| CVE-2021-25412 | 1 Google | 1 Android | 2022-07-14 | 7.2 HIGH | 7.8 HIGH |
| An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications. | |||||
| CVE-2021-25374 | 2 Google, Samsung | 2 Android, Members | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account. | |||||
| CVE-2021-28164 | 3 Eclipse, Netapp, Oracle | 17 Jetty, Cloud Manager, E-series Performance Analyzer and 14 more | 2022-07-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. | |||||