Search criteria
23 vulnerabilities by Debian
CVE-2025-68462 (GCVE-0-2025-68462)
Vulnerability from cvelistv5 – Published: 2025-12-18 05:14 – Updated: 2025-12-18 18:53
VLAI?
Summary
Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | FreedomBox |
Affected:
0 , < 25.17.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T18:22:40.765920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T18:53:43.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FreedomBox",
"vendor": "Debian",
"versions": [
{
"lessThan": "25.17.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:freedombox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.17.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T05:22:44.915Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://salsa.debian.org/freedombox-team/freedombox/-/commit/8ba444990b4af6eec4b6b2b26482b107d"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68462",
"datePublished": "2025-12-18T05:14:11.920Z",
"dateReserved": "2025-12-18T05:14:11.592Z",
"dateUpdated": "2025-12-18T18:53:43.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8454 (GCVE-0-2025-8454)
Vulnerability from cvelistv5 – Published: 2025-08-01 05:41 – Updated: 2025-08-01 13:47
VLAI?
Summary
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
Severity ?
9.8 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | devscripts |
Affected:
0
|
Credits
Uwe Kleine-König
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T13:45:28.913524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T13:47:20.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "devscripts",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Uwe Kleine-K\u00f6nig"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.\u003cbr\u003e"
}
],
"value": "It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T07:54:21.202Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"url": "https://bugs.debian.org/1109251"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2025-8454",
"datePublished": "2025-08-01T05:41:09.361Z",
"dateReserved": "2025-08-01T05:31:30.538Z",
"dateUpdated": "2025-08-01T13:47:20.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6297 (GCVE-0-2025-6297)
Vulnerability from cvelistv5 – Published: 2025-07-01 16:16 – Updated: 2025-07-01 17:30
VLAI?
Title
dpkg-deb: Fix cleanup for control member with restricted directories
Summary
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up in a DoS scenario due to causing disk quota
exhaustion or disk full conditions.
Severity ?
8.2 (High)
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-6297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T17:30:21.146019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T17:30:37.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "dpkg",
"vendor": "Debian",
"versions": [
{
"lessThan": "ed6bbd445dd8800308c67236ba35d08004c98e82",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is\ndocumented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on\nadversarial .deb packages or with well compressible files, placed\ninside a directory with permissions not allowing removal by a non-root\nuser, this can end up in a DoS scenario due to causing disk quota\nexhaustion or disk full conditions.\u003cbr\u003e"
}
],
"value": "It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is\ndocumented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on\nadversarial .deb packages or with well compressible files, placed\ninside a directory with permissions not allowing removal by a non-root\nuser, this can end up in a DoS scenario due to causing disk quota\nexhaustion or disk full conditions."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T17:21:05.050Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "dpkg-deb: Fix cleanup for control member with restricted directories",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2025-6297",
"datePublished": "2025-07-01T16:16:54.624Z",
"dateReserved": "2025-06-19T07:40:18.350Z",
"dateUpdated": "2025-07-01T17:30:37.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53391 (GCVE-0-2025-53391)
Vulnerability from cvelistv5 – Published: 2025-06-28 00:00 – Updated: 2025-06-30 13:32
VLAI?
Summary
The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.
Severity ?
9.3 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53391",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-30T13:29:30.436671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T13:32:33.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108288"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "zulucrypt",
"vendor": "Debian",
"versions": [
{
"lessThanOrEqual": "zulucrypt_6.2.0-1",
"status": "affected",
"version": "zulucrypt_5.5.0-1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-28T21:37:51.430Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.debian.org/1108288"
},
{
"url": "https://salsa.debian.org/debian/zulucrypt/-/blob/9d661c9f384c4d889d3387944e14ac70cfb9684b/debian/patches/fix_zulupolkit_policy.patch"
},
{
"url": "https://deb.debian.org/debian/pool/main/z/zulucrypt/zulucrypt_6.2.0-1.dsc"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-53391",
"datePublished": "2025-06-28T00:00:00.000Z",
"dateReserved": "2025-06-28T00:00:00.000Z",
"dateUpdated": "2025-06-30T13:32:33.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-7210 (GCVE-0-2014-7210)
Vulnerability from cvelistv5 – Published: 2025-06-26 20:52 – Updated: 2025-06-27 18:43
VLAI?
Summary
pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends
are not affected.
Severity ?
9.8 (Critical)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2014-7210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T18:43:03.978949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T18:43:10.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdns",
"vendor": "Debian",
"versions": [
{
"lessThan": "3.3.1-1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends\nare not affected.\u003cbr\u003e"
}
],
"value": "pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends\nare not affected."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T20:52:47.356Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2016/05/msg00046.html"
},
{
"url": "https://salsa.debian.org/debian/pdns/-/commit/f0de6b3583039bb63344fbd5eb246939264d7b05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-7210",
"datePublished": "2025-06-26T20:52:47.356Z",
"dateReserved": "2014-09-27T00:00:00.000Z",
"dateUpdated": "2025-06-27T18:43:10.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47153 (GCVE-0-2025-47153)
Vulnerability from cvelistv5 – Published: 2025-05-01 00:00 – Updated: 2025-05-02 19:02
VLAI?
Summary
Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.
Severity ?
6.5 (Medium)
CWE
- CWE-1102 - Reliance on Machine-Dependent Data Representation
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47153",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T14:42:34.213508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T15:33:48.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-02T19:02:41.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00003.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/02/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packages.debian.org",
"defaultStatus": "unknown",
"packageName": "nodejs",
"platforms": [
"i386"
],
"product": "trixie",
"vendor": "Debian",
"versions": [
{
"lessThanOrEqual": "nodejs_20.19.0+dfsg-2_i386.deb",
"status": "affected",
"version": "nodejs_0.10.0~dfsg1-1_i386.deb",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website\u0027s download page does not offer prebuilt Node.js for Linux on i386."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1102",
"description": "CWE-1102 Reliance on Machine-Dependent Data Representation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T17:11:42.151Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=892601"
},
{
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922075"
},
{
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076350"
},
{
"url": "https://github.com/nodejs/node-v0.x-archive/issues/4549"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47153",
"datePublished": "2025-05-01T00:00:00.000Z",
"dateReserved": "2025-05-01T00:00:00.000Z",
"dateUpdated": "2025-05-02T19:02:41.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2312 (GCVE-0-2024-2312)
Vulnerability from cvelistv5 – Published: 2024-04-05 19:40 – Updated: 2025-02-13 17:33
VLAI?
Summary
GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.
Severity ?
6.7 (Medium)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | Debian based GNU GRUB |
Affected:
0 , < 2.12-1ubuntu5
(semver)
|
Credits
Mate Kukri
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:52.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240426-0003/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gnu:grub2:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "grub2",
"vendor": "gnu",
"versions": [
{
"lessThan": "2.12-1ubuntu5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:39:12.205993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T17:44:12.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "grub2",
"platforms": [
"Linux"
],
"product": "Debian based GNU GRUB",
"repo": "https://git.savannah.gnu.org/cgit/grub.git",
"vendor": "Debian",
"versions": [
{
"lessThan": "2.12-1ubuntu5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mate Kukri"
}
],
"descriptions": [
{
"lang": "en",
"value": "GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu\u0027s peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T09:06:32.801Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240426-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-2312",
"datePublished": "2024-04-05T19:40:02.848Z",
"dateReserved": "2024-03-07T23:53:27.661Z",
"dateUpdated": "2025-02-13T17:33:46.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7207 (GCVE-0-2023-7207)
Vulnerability from cvelistv5 – Published: 2024-01-05 00:39 – Updated: 2025-05-07 20:19
VLAI?
Summary
Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | Debian cpio |
Affected:
0 , < 2.14+dfsg-1
(semver)
|
Credits
Ingo Brückl
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7207",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T20:19:09.313064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T20:19:53.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.151Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/21/8"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"packageName": "cpio",
"platforms": [
"Linux"
],
"product": "Debian cpio",
"vendor": "Debian",
"versions": [
{
"lessThan": "2.14+dfsg-1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ingo Br\u00fcckl"
}
],
"descriptions": [
{
"lang": "en",
"value": "Debian\u0027s cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T15:06:12.336Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163"
},
{
"tags": [
"mailing-list"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/21/8"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/01/05/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2023-7207",
"datePublished": "2024-01-05T00:39:49.690Z",
"dateReserved": "2024-01-05T00:09:37.741Z",
"dateUpdated": "2025-05-07T20:19:53.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2787 (GCVE-0-2022-2787)
Vulnerability from cvelistv5 – Published: 2022-08-27 11:30 – Updated: 2024-09-16 19:51
VLAI?
Title
stricter rules on chroot names
Summary
Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session.
Severity ?
No CVSS data available.
CWE
- insufficient sanitiztion of chroot and session names
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/shelter/reschroot/commit/6f7166a285e1e97aea390be633591f9791b29a6d"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00182.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00007.html"
},
{
"name": "GLSA-202210-11",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "schroot",
"vendor": "Debian",
"versions": [
{
"lessThan": "1.6.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "insufficient sanitiztion of chroot and session names",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"url": "https://codeberg.org/shelter/reschroot/commit/6f7166a285e1e97aea390be633591f9791b29a6d"
},
{
"url": "https://lists.debian.org/debian-security-announce/2022/msg00182.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00007.html"
},
{
"name": "GLSA-202210-11",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-11"
}
],
"source": {
"advisory": "https://lists.debian.org/debian-security-announce/2022/msg00182.html",
"defect": [
"DSA-5213-1"
],
"discovery": "EXTERNAL"
},
"title": "stricter rules on chroot names",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2022-2787",
"datePublished": "2022-08-27T11:30:20.934090Z",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-09-16T19:51:44.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1664 (GCVE-0-2022-1664)
Vulnerability from cvelistv5 – Published: 2022-05-26 08:20 – Updated: 2024-09-17 02:16
VLAI?
Title
directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar
Summary
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
Severity ?
No CVSS data available.
CWE
- directory traversal
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.819Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00115.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221007-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "dpkg",
"vendor": "Debian",
"versions": [
{
"changes": [
{
"at": "1.20.10",
"status": "unaffected"
},
{
"at": "1.19.8",
"status": "unaffected"
},
{
"at": "1.18.26",
"status": "unaffected"
}
],
"lessThan": "1.21.8",
"status": "affected",
"version": "1.14.17",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b"
},
{
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5"
},
{
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495"
},
{
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be"
},
{
"url": "https://lists.debian.org/debian-security-announce/2022/msg00115.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221007-0002/"
}
],
"source": {
"advisory": "https://lists.debian.org/debian-security-announce/2022/msg00115.html",
"defect": [
"DSA-5147-1"
],
"discovery": "EXTERNAL"
},
"title": "directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2022-1664",
"datePublished": "2022-05-26T08:20:15.198Z",
"dateReserved": "2022-05-10T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:16:10.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1239 (GCVE-0-2016-1239)
Vulnerability from cvelistv5 – Published: 2022-02-19 17:05 – Updated: 2024-09-16 18:24
VLAI?
Summary
duck before 0.10 did not properly handle loading of untrusted code from the current directory.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/debian/duck/-/commit/b43b5bbf07973c54b8f1c581a941f4facc97177a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "duck",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10"
}
]
}
],
"datePublic": "2016-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "duck before 0.10 did not properly handle loading of untrusted code from the current directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-19T19:20:09.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/debian/duck/-/commit/b43b5bbf07973c54b8f1c581a941f4facc97177a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2016-06-04T00:00:00.000Z",
"ID": "CVE-2016-1239",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "duck",
"version": {
"version_data": [
{
"version_value": "\u003c 0.10"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "duck before 0.10 did not properly handle loading of untrusted code from the current directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://salsa.debian.org/debian/duck/-/commit/b43b5bbf07973c54b8f1c581a941f4facc97177a",
"refsource": "MISC",
"url": "https://salsa.debian.org/debian/duck/-/commit/b43b5bbf07973c54b8f1c581a941f4facc97177a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1239",
"datePublished": "2022-02-19T17:05:11.301Z",
"dateReserved": "2015-12-27T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:24:06.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0543 (GCVE-0-2022-0543)
Vulnerability from cvelistv5 – Published: 2022-02-18 19:25 – Updated: 2025-10-21 23:15
VLAI?
Summary
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Severity ?
10 (Critical)
CWE
- Lua sandbox escape
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/1005787"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce"
},
{
"name": "[debian-security-announce] 20220218 [SECURITY] [DSA 5081-1] redis security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00048.html"
},
{
"name": "DSA-5081",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5081"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220331-0004/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-0543",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T20:49:14.266148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-28",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0543"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:45.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0543"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-28T00:00:00.000Z",
"value": "CVE-2022-0543 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "redis",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2022-02-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Lua sandbox escape",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-27T20:06:10.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/1005787"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce"
},
{
"name": "[debian-security-announce] 20220218 [SECURITY] [DSA 5081-1] redis security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00048.html"
},
{
"name": "DSA-5081",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5081"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220331-0004/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html"
}
],
"source": {
"advisory": "DSA-5081-1",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2022-02-18T00:00:00.000Z",
"ID": "CVE-2022-0543",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "redis",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Lua sandbox escape"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/1005787",
"refsource": "MISC",
"url": "https://bugs.debian.org/1005787"
},
{
"name": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce",
"refsource": "MISC",
"url": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce"
},
{
"name": "[debian-security-announce] 20220218 [SECURITY] [DSA 5081-1] redis security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-security-announce/2022/msg00048.html"
},
{
"name": "DSA-5081",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5081"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220331-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220331-0004/"
},
{
"name": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html"
}
]
},
"source": {
"advisory": "DSA-5081-1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2022-0543",
"datePublished": "2022-02-18T19:25:16.932Z",
"dateReserved": "2022-02-08T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:45.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20001 (GCVE-0-2021-20001)
Vulnerability from cvelistv5 – Published: 2022-02-11 19:50 – Updated: 2024-09-16 23:41
VLAI?
Summary
It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.
Severity ?
No CVSS data available.
CWE
- insecure permissions
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | debian-edu-config |
Affected:
< 2.12.16
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:30:07.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"
},
{
"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"
},
{
"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"
},
{
"name": "DSA-5072",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5072"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "debian-edu-config",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.16"
}
]
}
],
"datePublic": "2022-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "insecure permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-14T14:06:28.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"
},
{
"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"
},
{
"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"
},
{
"name": "DSA-5072",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5072"
}
],
"source": {
"advisory": "DSA-5072-1",
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2022-02-11T00:00:00.000Z",
"ID": "CVE-2021-20001",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "debian-edu-config",
"version": {
"version_data": [
{
"version_value": "\u003c 2.12.16"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "insecure permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5",
"refsource": "MISC",
"url": "https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5"
},
{
"name": "[debian-lts-announce] 20220211 [SECURITY] [DLA 2918-1] debian-edu-config security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00012.html"
},
{
"name": "[debian-security-announce] 20220211 [SECURITY] [DSA 5072-1] debian-edu-config security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-security-announce/2022/msg00039.html"
},
{
"name": "DSA-5072",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5072"
}
]
},
"source": {
"advisory": "DSA-5072-1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2021-20001",
"datePublished": "2022-02-11T19:50:09.720Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:41:36.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3811 (GCVE-0-2020-3811)
Vulnerability from cvelistv5 – Published: 2020-05-26 13:04 – Updated: 2024-09-17 00:11
VLAI?
Summary
qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.
Severity ?
No CVSS data available.
CWE
- mail-address verification bypass
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:44:51.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/961060"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4556-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netqmail",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "1.06"
}
]
}
],
"datePublic": "2020-05-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "mail-address verification bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-05T20:06:15.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/961060"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4556-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2020-05-19T00:00:00.000Z",
"ID": "CVE-2020-3811",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netqmail",
"version": {
"version_data": [
{
"version_value": "1.06"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "mail-address verification bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2020/05/19/8",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"name": "https://bugs.debian.org/961060",
"refsource": "MISC",
"url": "https://bugs.debian.org/961060"
},
{
"name": "https://www.debian.org/security/2020/dsa-4692",
"refsource": "MISC",
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4556-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2020-3811",
"datePublished": "2020-05-26T13:04:41.753Z",
"dateReserved": "2019-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:11:39.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3812 (GCVE-0-2020-3812)
Vulnerability from cvelistv5 – Published: 2020-05-26 13:04 – Updated: 2024-09-16 16:39
VLAI?
Summary
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.
Severity ?
No CVSS data available.
CWE
- information disclosure
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:44:51.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/961060"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4556-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netqmail",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "1.06"
}
]
}
],
"datePublic": "2020-05-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker\u0027s home directory, without dropping its privileges first."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-05T20:06:17.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/961060"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4556-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2020-05-19T00:00:00.000Z",
"ID": "CVE-2020-3812",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netqmail",
"version": {
"version_data": [
{
"version_value": "1.06"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker\u0027s home directory, without dropping its privileges first."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "information disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openwall.com/lists/oss-security/2020/05/19/8",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
},
{
"name": "https://bugs.debian.org/961060",
"refsource": "MISC",
"url": "https://bugs.debian.org/961060"
},
{
"name": "https://www.debian.org/security/2020/dsa-4692",
"refsource": "MISC",
"url": "https://www.debian.org/security/2020/dsa-4692"
},
{
"name": "[debian-lts-announce] 20200604 [SECURITY] [DLA 2234-1] netqmail security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html"
},
{
"name": "USN-4556-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4556-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2020-3812",
"datePublished": "2020-05-26T13:04:14.769Z",
"dateReserved": "2019-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:39:08.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3810 (GCVE-0-2020-3810)
Vulnerability from cvelistv5 – Published: 2020-05-15 13:42 – Updated: 2024-09-17 01:01
VLAI?
Summary
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
Severity ?
No CVSS data available.
CWE
- apt out-of-bounds read in .ar/.tar implemations
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:44:51.170Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Debian/apt/issues/111"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1878177"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"
},
{
"name": "USN-4359-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4359-1/"
},
{
"name": "USN-4359-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4359-2/"
},
{
"name": "FEDORA-2020-f03cfe3df5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 2.1.2"
}
]
}
],
"datePublic": "2020-05-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "apt out-of-bounds read in .ar/.tar implemations",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-19T02:06:08.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Debian/apt/issues/111"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/bugs/1878177"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"
},
{
"name": "USN-4359-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4359-1/"
},
{
"name": "USN-4359-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4359-2/"
},
{
"name": "FEDORA-2020-f03cfe3df5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"
}
],
"source": {
"advisory": "https://www.debian.org/security/2020/dsa-4685",
"discovery": "EXTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2020-05-14T00:00:00.000Z",
"ID": "CVE-2020-3810",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt",
"version": {
"version_data": [
{
"version_value": "before 2.1.2"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "apt out-of-bounds read in .ar/.tar implemations"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Debian/apt/issues/111",
"refsource": "MISC",
"url": "https://github.com/Debian/apt/issues/111"
},
{
"name": "https://bugs.launchpad.net/bugs/1878177",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1878177"
},
{
"name": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6",
"refsource": "MISC",
"url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"
},
{
"name": "https://lists.debian.org/debian-security-announce/2020/msg00089.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"
},
{
"name": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/",
"refsource": "MISC",
"url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"
},
{
"name": "USN-4359-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4359-1/"
},
{
"name": "USN-4359-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4359-2/"
},
{
"name": "FEDORA-2020-f03cfe3df5",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"
}
]
},
"source": {
"advisory": "https://www.debian.org/security/2020/dsa-4685",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2020-3810",
"datePublished": "2020-05-15T13:42:05.044Z",
"dateReserved": "2019-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:01:33.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1093 (GCVE-0-2012-1093)
Vulnerability from cvelistv5 – Published: 2020-02-21 18:05 – Updated: 2024-08-06 18:45
VLAI?
Summary
The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.
Severity ?
No CVSS data available.
CWE
- script x11-common creates directories in insecure manner
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | x11-common |
Affected:
before 1:7.6+12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:45:27.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1093"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1093"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/01/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/02/29/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://vladz.devzero.fr/012_x11-common-vuln.html"
},
{
"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "x11-common",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 1:7.6+12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "script x11-common creates directories in insecure manner",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-25T16:06:37.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1093"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1093"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/01/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/02/29/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://vladz.devzero.fr/012_x11-common-vuln.html"
},
{
"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-1093",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "x11-common",
"version": {
"version_data": [
{
"version_value": "before 1:7.6+12"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "script x11-common creates directories in insecure manner"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-1093",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1093"
},
{
"name": "https://access.redhat.com/security/cve/cve-2012-1093",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2012-1093"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/03/01/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/03/01/1"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/02/29/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/02/29/1"
},
{
"name": "http://vladz.devzero.fr/012_x11-common-vuln.html",
"refsource": "MISC",
"url": "http://vladz.devzero.fr/012_x11-common-vuln.html"
},
{
"name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-1093",
"datePublished": "2020-02-21T18:05:01.000Z",
"dateReserved": "2012-02-14T00:00:00.000Z",
"dateUpdated": "2024-08-06T18:45:27.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3467 (GCVE-0-2019-3467)
Vulnerability from cvelistv5 – Published: 2019-12-23 18:04 – Updated: 2024-08-04 19:12
VLAI?
Summary
Debian-edu-config all versions < 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals.
Severity ?
No CVSS data available.
CWE
- too permissive access control settings
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | Debian Edu |
Affected:
all versions < 2.11.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20191218 [SECURITY] [DLA 2041-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00023.html"
},
{
"name": "20191218 [SECURITY] [DSA 4589-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/34"
},
{
"name": "DSA-4589",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4589"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2019-3467"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947459"
},
{
"name": "DSA-4595",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4595"
},
{
"name": "20191229 [SECURITY] [DSA 4595-1] debian-lan-config security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/44"
},
{
"name": "[debian-lts-announce] 20200115 [SECURITY] [DLA 2063-1] debian-lan-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00012.html"
},
{
"name": "USN-4530-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4530-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Debian Edu",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "all versions \u003c 2.11.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Debian-edu-config all versions \u003c 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config \u003c 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "too permissive access control settings",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T23:06:12.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "[debian-lts-announce] 20191218 [SECURITY] [DLA 2041-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00023.html"
},
{
"name": "20191218 [SECURITY] [DSA 4589-1] debian-edu-config security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Dec/34"
},
{
"name": "DSA-4589",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4589"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2019-3467"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947459"
},
{
"name": "DSA-4595",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4595"
},
{
"name": "20191229 [SECURITY] [DSA 4595-1] debian-lan-config security update",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Dec/44"
},
{
"name": "[debian-lts-announce] 20200115 [SECURITY] [DLA 2063-1] debian-lan-config security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00012.html"
},
{
"name": "USN-4530-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4530-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2019-3467",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Debian Edu",
"version": {
"version_data": [
{
"version_value": "all versions \u003c 2.11.10"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Debian-edu-config all versions \u003c 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config \u003c 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "too permissive access control settings"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20191218 [SECURITY] [DLA 2041-1] debian-edu-config security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00023.html"
},
{
"name": "20191218 [SECURITY] [DSA 4589-1] debian-edu-config security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/34"
},
{
"name": "DSA-4589",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4589"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2019-3467",
"refsource": "CONFIRM",
"url": "https://security-tracker.debian.org/tracker/CVE-2019-3467"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947459",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947459"
},
{
"name": "DSA-4595",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4595"
},
{
"name": "20191229 [SECURITY] [DSA 4595-1] debian-lan-config security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/44"
},
{
"name": "[debian-lts-announce] 20200115 [SECURITY] [DLA 2063-1] debian-lan-config security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00012.html"
},
{
"name": "USN-4530-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4530-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2019-3467",
"datePublished": "2019-12-23T18:04:11.000Z",
"dateReserved": "2018-12-31T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:12:09.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5332 (GCVE-0-2017-5332)
Vulnerability from cvelistv5 – Published: 2019-11-04 20:24 – Updated: 2024-08-05 14:55
VLAI?
Summary
The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable.
Severity ?
No CVSS data available.
CWE
- Other
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:0837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "95380",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95380"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412263"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icoutils",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 0.31.1"
}
]
}
],
"datePublic": "2017-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-04T20:24:14.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "RHSA-2017:0837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "95380",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95380"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412263"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2017-5332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icoutils",
"version": {
"version_data": [
{
"version_value": "before 0.31.1"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:0837",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "95380",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95380"
},
{
"name": "DSA-3765",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1412263",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412263"
},
{
"name": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a",
"refsource": "CONFIRM",
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2017-5332",
"datePublished": "2019-11-04T20:24:14.000Z",
"dateReserved": "2017-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5331 (GCVE-0-2017-5331)
Vulnerability from cvelistv5 – Published: 2019-11-04 20:24 – Updated: 2024-08-05 14:55
VLAI?
Summary
Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable.
Severity ?
No CVSS data available.
CWE
- Other
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.800Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "95378",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95378"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412248"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icoutils",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 0.31.1"
}
]
}
],
"datePublic": "2017-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-04T20:24:09.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "95378",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95378"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412248"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2017-5331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icoutils",
"version": {
"version_data": [
{
"version_value": "before 0.31.1"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2017:0167",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "95378",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95378"
},
{
"name": "USN-3178-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1412248",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412248"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2017-5331",
"datePublished": "2019-11-04T20:24:09.000Z",
"dateReserved": "2017-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5333 (GCVE-0-2017-5333)
Vulnerability from cvelistv5 – Published: 2019-11-04 20:24 – Updated: 2024-08-05 14:55
VLAI?
Summary
Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file.
Severity ?
No CVSS data available.
CWE
- Other
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:0837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "95678",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95678"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412259"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icoutils",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 0.31.1"
}
]
}
],
"datePublic": "2017-01-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-04T20:24:00.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "RHSA-2017:0837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "95678",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95678"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412259"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2017-5333",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icoutils",
"version": {
"version_data": [
{
"version_value": "before 0.31.1"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:0837",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0837.html"
},
{
"name": "openSUSE-SU-2017:0167",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html"
},
{
"name": "95678",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95678"
},
{
"name": "[oss-security] 20170110 Re: CVE Request: icoutils: exploitable crash in wrestool programm",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/01/11/3"
},
{
"name": "DSA-3765",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3765"
},
{
"name": "openSUSE-SU-2017:0168",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html"
},
{
"name": "USN-3178-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3178-1"
},
{
"name": "openSUSE-SU-2017:0166",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1412259",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412259"
},
{
"name": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a",
"refsource": "CONFIRM",
"url": "https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2017-5333",
"datePublished": "2019-11-04T20:24:00.000Z",
"dateReserved": "2017-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-5735 (GCVE-0-2018-5735)
Vulnerability from cvelistv5 – Published: 2019-10-30 13:42 – Updated: 2024-09-16 17:58
VLAI?
Title
Backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858
Summary
The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected.
Severity ?
7.5 (High)
CWE
- The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:40:51.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2018-5735"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BIND9",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "Debian BIND9 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1"
}
]
}
],
"datePublic": "2018-02-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-30T13:42:57.000Z",
"orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"shortName": "isc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2018-5735"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-officer@isc.org",
"DATE_PUBLIC": "2018-02-16T13:00:00.000Z",
"ID": "CVE-2018-5735",
"STATE": "PUBLIC",
"TITLE": "Backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BIND9",
"version": {
"version_data": [
{
"version_name": "Debian BIND9",
"version_value": "9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858; Affects Debian versions 9.9.5.dfsg-9+deb8u15; 9.9.5.dfsg-9+deb8u18; 9.10.3.dfsg.P4-12.3+deb9u5; 9.11.5.P4+dfsg-5.1 No ISC releases are affected. Other packages from other distributions who did similar backports for the fix for 2017-3137 may also be affected."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "The Debian backport of the fix for CVE-2017-3137 leads to assertion failure in validator.c:1858"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2018-5735",
"refsource": "CONFIRM",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-5735"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"assignerShortName": "isc",
"cveId": "CVE-2018-5735",
"datePublished": "2019-10-30T13:42:57.183Z",
"dateReserved": "2018-01-17T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:58:19.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0359 (GCVE-0-2017-0359)
Vulnerability from cvelistv5 – Published: 2018-04-13 16:00 – Updated: 2024-09-16 17:38
VLAI?
Title
diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
Summary
diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive.
Severity ?
No CVSS data available.
CWE
- writes to arbitrary locations
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian | diffoscope |
Affected:
before 77
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:03:56.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/854723"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2017-0359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "diffoscope",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "before 77"
}
]
}
],
"datePublic": "2017-02-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "writes to arbitrary locations",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-13T15:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/854723"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2017-0359"
}
],
"source": {
"advisory": "https://bugs.debian.org/854723",
"discovery": "UNKNOWN"
},
"title": "diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2017-02-09T21:14:00.000Z",
"ID": "CVE-2017-0359",
"STATE": "PUBLIC",
"TITLE": "diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "diffoscope",
"version": {
"version_data": [
{
"version_value": "before 77"
}
]
}
}
]
},
"vendor_name": "Debian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "diffoscope before 77 writes to arbitrary locations on disk based on the contents of an untrusted archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "writes to arbitrary locations"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/854723",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/854723"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2017-0359",
"refsource": "CONFIRM",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-0359"
}
]
},
"source": {
"advisory": "https://bugs.debian.org/854723",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2017-0359",
"datePublished": "2018-04-13T16:00:00.000Z",
"dateReserved": "2016-11-29T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:38:23.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}