Filtered by vendor Fedoraproject
Subscriptions
Total
5319 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-21193 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-05 | 8.8 High |
| Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2021-21148 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-05 | 8.8 High |
| Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2020-6418 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2025-02-05 | 8.8 High |
| Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2020-16009 | 7 Cefsharp, Debian, Fedoraproject and 4 more | 9 Cefsharp, Debian Linux, Fedora and 6 more | 2025-02-05 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2020-7247 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2025-02-04 | 9.8 Critical |
| smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation. | ||||
| CVE-2020-36193 | 5 Debian, Drupal, Fedoraproject and 2 more | 6 Debian Linux, Drupal, Fedora and 3 more | 2025-02-04 | 7.5 High |
| Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | ||||
| CVE-2020-35730 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-02-04 | 6.1 Medium |
| An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | ||||
| CVE-2019-13272 | 6 Canonical, Debian, Fedoraproject and 3 more | 25 Ubuntu Linux, Debian Linux, Fedora and 22 more | 2025-02-04 | 7.8 High |
| In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments. | ||||
| CVE-2021-44026 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2025-02-04 | 9.8 Critical |
| Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | ||||
| CVE-2019-16928 | 4 Canonical, Debian, Exim and 1 more | 4 Ubuntu Linux, Debian Linux, Exim and 1 more | 2025-02-04 | 9.8 Critical |
| Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command. | ||||
| CVE-2020-1472 | 9 Canonical, Debian, Fedoraproject and 6 more | 20 Ubuntu Linux, Debian Linux, Fedora and 17 more | 2025-02-04 | 5.5 Medium |
| An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | ||||
| CVE-2022-0847 | 7 Fedoraproject, Linux, Netapp and 4 more | 42 Fedora, Linux Kernel, H300e and 39 more | 2025-02-04 | 7.8 High |
| A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. | ||||
| CVE-2021-21166 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-04 | 8.8 High |
| Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2022-3075 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2025-02-04 | 9.6 Critical |
| Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | ||||
| CVE-2021-30551 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2025-02-04 | 8.8 High |
| Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2021-44228 | 13 Apache, Apple, Bentley and 10 more | 168 Log4j, Xcode, Synchro and 165 more | 2025-02-04 | 10 Critical |
| Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. | ||||
| CVE-2021-42013 | 4 Apache, Fedoraproject, Netapp and 1 more | 6 Http Server, Fedora, Cloud Backup and 3 more | 2025-02-04 | 9.8 Critical |
| It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. | ||||
| CVE-2021-41773 | 4 Apache, Fedoraproject, Netapp and 1 more | 4 Http Server, Fedora, Cloud Backup and 1 more | 2025-02-04 | 7.5 High |
| A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. | ||||
| CVE-2021-37973 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-04 | 9.6 Critical |
| Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | ||||
| CVE-2021-30554 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2025-02-04 | 8.8 High |
| Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||