Filtered by vendor Debian
Subscriptions
Filtered by product Debian Linux
Subscriptions
Total
9183 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-25258 | 4 Debian, Fedoraproject, Linux and 1 more | 14 Debian Linux, Fedora, Linux Kernel and 11 more | 2024-11-21 | 4.6 Medium |
| An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur. | ||||
| CVE-2022-24959 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | 5.5 Medium |
| An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c. | ||||
| CVE-2022-24958 | 4 Debian, Fedoraproject, Linux and 1 more | 19 Debian Linux, Fedora, Linux Kernel and 16 more | 2024-11-21 | 7.8 High |
| drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release. | ||||
| CVE-2022-24921 | 4 Debian, Golang, Netapp and 1 more | 11 Debian Linux, Go, Astra Trident and 8 more | 2024-11-21 | 7.5 High |
| regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | ||||
| CVE-2022-24919 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Frontend | 2024-11-21 | 3.7 Low |
| An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. | ||||
| CVE-2022-24917 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Frontend | 2024-11-21 | 3.7 Low |
| An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. | ||||
| CVE-2022-24836 | 5 Apple, Debian, Fedoraproject and 2 more | 6 Macos, Debian Linux, Fedora and 3 more | 2024-11-21 | 7.5 High |
| Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. | ||||
| CVE-2022-24769 | 6 Debian, Fedoraproject, Linux and 3 more | 6 Debian Linux, Fedora, Linux Kernel and 3 more | 2024-11-21 | 5.9 Medium |
| Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. | ||||
| CVE-2022-24448 | 3 Debian, Linux, Redhat | 5 Debian Linux, Linux Kernel, Enterprise Linux and 2 more | 2024-11-21 | 3.3 Low |
| An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. | ||||
| CVE-2022-24439 | 4 Debian, Fedoraproject, Gitpython Project and 1 more | 5 Debian Linux, Fedora, Gitpython and 2 more | 2024-11-21 | 8.1 High |
| All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. | ||||
| CVE-2022-24407 | 6 Cyrusimap, Debian, Fedoraproject and 3 more | 14 Cyrus-sasl, Debian Linux, Fedora and 11 more | 2024-11-21 | 8.8 High |
| In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | ||||
| CVE-2022-24349 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Frontend | 2024-11-21 | 4.6 Medium |
| An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. | ||||
| CVE-2022-24302 | 4 Debian, Fedoraproject, Paramiko and 1 more | 6 Debian Linux, Fedora, Paramiko and 3 more | 2024-11-21 | 5.9 Medium |
| In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. | ||||
| CVE-2022-24301 | 2 Debian, Minetest | 2 Debian Linux, Minetest | 2024-11-21 | 6.5 Medium |
| In Minetest before 5.4.0, players can add or subtract items from a different player's inventory. | ||||
| CVE-2022-24300 | 2 Debian, Minetest | 2 Debian Linux, Minetest | 2024-11-21 | 9.8 Critical |
| Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection. | ||||
| CVE-2022-24130 | 3 Debian, Fedoraproject, Invisible-island | 3 Debian Linux, Fedora, Xterm | 2024-11-21 | 5.5 Medium |
| xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. | ||||
| CVE-2022-24070 | 5 Apache, Apple, Debian and 2 more | 7 Subversion, Macos, Debian Linux and 4 more | 2024-11-21 | 7.5 High |
| Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. | ||||
| CVE-2022-23960 | 4 Arm, Debian, Redhat and 1 more | 45 Cortex-a57, Cortex-a57 Firmware, Cortex-a65 and 42 more | 2024-11-21 | 5.6 Medium |
| Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. | ||||
| CVE-2022-23959 | 5 Debian, Fedoraproject, Redhat and 2 more | 10 Debian Linux, Fedora, Enterprise Linux and 7 more | 2024-11-21 | 9.1 Critical |
| In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. | ||||
| CVE-2022-23837 | 3 Contribsys, Debian, Redhat | 3 Sidekiq, Debian Linux, Satellite | 2024-11-21 | 7.5 High |
| In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. | ||||