Total
200 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0975 | 2 Microsoft, Trellix | 2 Windows, Agent | 2023-11-07 | N/A | 7.8 HIGH |
| A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions. | |||||
| CVE-2022-4326 | 2 Microsoft, Trellix | 2 Windows, Endpoint Security | 2023-11-07 | N/A | 6.0 MEDIUM |
| Improper preservation of permissions vulnerability in Trellix Endpoint Agent (xAgent) prior to V35.31.22 on Windows allows a local user with administrator privileges to bypass the product protection to uninstall the agent via incorrectly applied permissions in the removal protection functionality. | |||||
| CVE-2022-44020 | 2 Fedoraproject, Opendev | 3 Fedora, Sushy-tools, Virtualbmc | 2023-11-07 | N/A | 5.5 MEDIUM |
| An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration." | |||||
| CVE-2021-45446 | 1 Hitachi | 1 Vantara Pentaho | 2023-11-07 | N/A | 7.5 HIGH |
| A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory. | |||||
| CVE-2021-43816 | 2 Fedoraproject, Linuxfoundation | 2 Fedora, Containerd | 2023-11-07 | 6.0 MEDIUM | 9.1 CRITICAL |
| containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. | |||||
| CVE-2021-43708 | 1 Helpsystems | 1 Titus Data Classification | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM |
| The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel's safe mode. | |||||
| CVE-2021-41091 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2023-11-07 | 4.6 MEDIUM | 6.3 MEDIUM |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers. | |||||
| CVE-2021-41089 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2023-11-07 | 4.4 MEDIUM | 6.3 MEDIUM |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. | |||||
| CVE-2021-30912 | 1 Apple | 2 Mac Os X, Macos | 2023-11-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved permissions logic. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may gain access to a user's Keychain items. | |||||
| CVE-2020-6564 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page. | |||||
| CVE-2020-18329 | 1 Carel | 3 Pcoweb Card Bios, Pcoweb Card Boot, Pcoweb Card Web | 2023-11-07 | N/A | 7.5 HIGH |
| An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface. | |||||
| CVE-2020-15113 | 2 Etcd, Fedoraproject | 2 Etcd, Fedora | 2023-11-07 | 3.6 LOW | 7.1 HIGH |
| In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700). | |||||
| CVE-2020-13230 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | |||||
| CVE-2019-19620 | 1 Dell | 1 Red Cloak Windows Agent | 2023-11-07 | 2.1 LOW | 3.3 LOW |
| In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a file. This is limited in scope to the collection of process-execution telemetry, for executions against specific files where the SYSTEM user was denied access to the source file. | |||||
| CVE-2019-13727 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Chrome and 4 more | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2019-13682 | 1 Google | 1 Chrome | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient policy enforcement in external protocol handling in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2019-13668 | 1 Google | 1 Chrome | 2023-11-07 | 4.3 MEDIUM | 7.4 HIGH |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2017-5033 | 6 Apple, Debian, Google and 3 more | 9 Macos, Debian Linux, Android and 6 more | 2023-11-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword. | |||||
| CVE-2019-16539 | 1 Jenkins | 1 Support Core | 2023-10-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles. | |||||
| CVE-2023-39902 | 1 Nxp | 5 I.mx 8m, I.mx 8m Mini, I.mx 8m Nano and 2 more | 2023-10-24 | N/A | 7.8 HIGH |
| A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus. | |||||