Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

CVE-2020-13401: Docker Engine 23.0 release notes

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE
#windows#ubuntu#linux#debian#dos#js#git#c++#perl#aws#amd#auth#ssh#rpm#docker#ssl
CVE-2020-13757: python-rsa does not detect ciphertext modification (prepended "0" bytes) in PKCS1_v1_5 · Issue #146 · sybrenstuvel/python-rsa

Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

CVE-2020-11076: puma/History.md at master · puma/puma

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

CVE-2020-5752: Druva inSync Windows Client Local Privilege Escalation (CVE-2019-3999 Patch Bypass)

Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

CVE-2020-9409: Advisory | TIBCO Software

The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.

CVE-2020-8617: CVE-2020-8617: A logic error in code which checks TSIG validity can be

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

CVE-2020-12825: CVE-2020-12825: Stack overflow in cr_parser_parse_any_core in cr-parser.c (#8) · Issues · Archive / libcroco · GitLab

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

CVE-2020-8156

A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.