Filtered by vendor Oracle
Subscribe
Total
9622 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41164 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 10 Ckeditor, Drupal, Fedora and 7 more | 2023-11-07 | 3.5 LOW | 5.4 MEDIUM |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | |||||
| CVE-2021-41099 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Management Services For Element Software And Netapp Hci and 2 more | 2023-11-07 | 6.0 MEDIUM | 7.5 HIGH |
| Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command. | |||||
| CVE-2021-40690 | 3 Apache, Debian, Oracle | 18 Cxf, Santuario Xml Security For Java, Tomee and 15 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | |||||
| CVE-2021-3749 | 3 Axios, Oracle, Siemens | 3 Axios, Goldengate, Sinec Ins | 2023-11-07 | 7.8 HIGH | 7.5 HIGH |
| axios is vulnerable to Inefficient Regular Expression Complexity | |||||
| CVE-2021-3737 | 6 Canonical, Fedoraproject, Netapp and 3 more | 17 Ubuntu Linux, Fedora, Hci and 14 more | 2023-11-07 | 7.1 HIGH | 7.5 HIGH |
| A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3612 | 6 Debian, Fedoraproject, Linux and 3 more | 26 Debian Linux, Fedora, Linux Kernel and 23 more | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
| CVE-2021-3537 | 6 Debian, Fedoraproject, Netapp and 3 more | 20 Debian Linux, Fedora, Active Iq Unified Manager and 17 more | 2023-11-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3518 | 6 Debian, Fedoraproject, Netapp and 3 more | 19 Debian Linux, Fedora, Active Iq Unified Manager and 16 more | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | |||||
| CVE-2021-3517 | 6 Debian, Fedoraproject, Netapp and 3 more | 29 Debian Linux, Fedora, Active Iq Unified Manager and 26 more | 2023-11-07 | 7.5 HIGH | 8.6 HIGH |
| There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | |||||
| CVE-2021-3516 | 6 Debian, Fedoraproject, Netapp and 3 more | 9 Debian Linux, Fedora, Clustered Data Ontap and 6 more | 2023-11-07 | 6.8 MEDIUM | 7.8 HIGH |
| There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. | |||||
| CVE-2021-3450 | 10 Fedoraproject, Freebsd, Mcafee and 7 more | 35 Fedora, Freebsd, Web Gateway and 32 more | 2023-11-07 | 5.8 MEDIUM | 7.4 HIGH |
| The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). | |||||
| CVE-2021-3448 | 4 Fedoraproject, Oracle, Redhat and 1 more | 4 Fedora, Communications Cloud Native Core Network Function Cloud Native Environment, Enterprise Linux and 1 more | 2023-11-07 | 4.3 MEDIUM | 4.0 MEDIUM |
| A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2021-3426 | 6 Debian, Fedoraproject, Netapp and 3 more | 10 Debian Linux, Fedora, Cloud Backup and 7 more | 2023-11-07 | 2.7 LOW | 5.7 MEDIUM |
| There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7. | |||||
| CVE-2021-3345 | 2 Gnupg, Oracle | 2 Libgcrypt, Communications Billing And Revenue Management | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. | |||||
| CVE-2021-3326 | 5 Debian, Fujitsu, Gnu and 2 more | 17 Debian Linux, M10-1, M10-1 Firmware and 14 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. | |||||
| CVE-2021-3177 | 5 Debian, Fedoraproject, Netapp and 2 more | 10 Debian Linux, Fedora, Active Iq Unified Manager and 7 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. | |||||
| CVE-2021-39275 | 6 Apache, Debian, Fedoraproject and 3 more | 11 Http Server, Debian Linux, Fedora and 8 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. | |||||
| CVE-2021-39154 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2023-11-07 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39153 | 5 Debian, Fedoraproject, Netapp and 2 more | 13 Debian Linux, Fedora, Snapmanager and 10 more | 2023-11-07 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39152 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2023-11-07 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. | |||||