Filtered by vendor Fedoraproject
Subscribe
Total
5187 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-28658 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. | |||||
CVE-2021-28652 | 3 Debian, Fedoraproject, Squid-cache | 3 Debian Linux, Fedora, Squid | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege. | |||||
CVE-2021-28651 | 4 Debian, Fedoraproject, Netapp and 1 more | 4 Debian Linux, Fedora, Cloud Manager and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption. | |||||
CVE-2021-28650 | 2 Fedoraproject, Gnome | 2 Fedora, Gnome-autoar | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. | |||||
CVE-2021-28544 | 4 Apache, Apple, Debian and 1 more | 4 Subversion, Macos, Debian Linux and 1 more | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable. | |||||
CVE-2021-28543 | 2 Fedoraproject, Varnish-cache | 3 Fedora, Varnish-modules, Varnish-modules Klarlack | 2024-11-21 | 5.0 MEDIUM | 4.0 MEDIUM |
Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers. | |||||
CVE-2021-28484 | 2 Fedoraproject, Yubico | 2 Fedora, Yubihsm Connector | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations until the yubihsm-connector is restarted. An attacker can send 0, 1, or 2 bytes to trigger this. | |||||
CVE-2021-28375 | 3 Fedoraproject, Linux, Netapp | 4 Fedora, Linux Kernel, Cloud Backup and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308. | |||||
CVE-2021-28363 | 3 Fedoraproject, Oracle, Python | 3 Fedora, Peoplesoft Enterprise Peopletools, Urllib3 | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. | |||||
CVE-2021-28163 | 5 Apache, Eclipse, Fedoraproject and 2 more | 23 Ignite, Solr, Jetty and 20 more | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. | |||||
CVE-2021-28153 | 4 Broadcom, Debian, Fedoraproject and 1 more | 4 Brocade Fabric Operating System Firmware, Debian Linux, Fedora and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.) | |||||
CVE-2021-28116 | 3 Debian, Fedoraproject, Squid-cache | 3 Debian Linux, Fedora, Squid | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. | |||||
CVE-2021-28091 | 3 Debian, Entrouvert, Fedoraproject | 3 Debian Linux, Lasso, Fedora | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature. | |||||
CVE-2021-28090 | 2 Fedoraproject, Torproject | 2 Fedora, Tor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002. | |||||
CVE-2021-28089 | 2 Fedoraproject, Torproject | 2 Fedora, Tor | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001. | |||||
CVE-2021-28041 | 4 Fedoraproject, Netapp, Openbsd and 1 more | 11 Fedora, Cloud Backup, Hci Compute Node and 8 more | 2024-11-21 | 4.6 MEDIUM | 7.1 HIGH |
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host. | |||||
CVE-2021-28021 | 3 Debian, Fedoraproject, Stb Project | 3 Debian Linux, Fedora, Stb | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. | |||||
CVE-2021-27923 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. | |||||
CVE-2021-27922 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. | |||||
CVE-2021-27921 | 2 Fedoraproject, Python | 2 Fedora, Pillow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. |