Vulnerabilities (CVE)

Filtered by vendor Linuxfoundation Subscribe
Total 272 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-20712 4 Google, Linux, Linuxfoundation and 1 more 32 Android, Linux Kernel, Iot-yocto and 29 more 2024-11-21 N/A 6.7 MEDIUM
In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796914; Issue ID: ALPS07796914.
CVE-2023-20693 3 Google, Linuxfoundation, Mediatek 15 Android, Yocto, Mt6739 and 12 more 2024-11-21 N/A 7.5 HIGH
In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07664711; Issue ID: ALPS07664711.
CVE-2023-20692 3 Google, Linuxfoundation, Mediatek 11 Android, Yocto, Mt6739 and 8 more 2024-11-21 N/A 7.5 HIGH
In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07664720; Issue ID: ALPS07664720.
CVE-2023-20691 3 Google, Linuxfoundation, Mediatek 10 Android, Yocto, Mt6739 and 7 more 2024-11-21 N/A 7.5 HIGH
In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07664731; Issue ID: ALPS07664731.
CVE-2023-20690 3 Google, Linuxfoundation, Mediatek 11 Android, Yocto, Mt6739 and 8 more 2024-11-21 N/A 7.5 HIGH
In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07664735; Issue ID: ALPS07664735.
CVE-2023-20689 3 Google, Linuxfoundation, Mediatek 10 Android, Yocto, Mt6739 and 7 more 2024-11-21 N/A 7.5 HIGH
In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07664741; Issue ID: ALPS07664741.
CVE-2022-4875 1 Linuxfoundation 1 Fossology 2024-11-21 3.3 LOW 2.4 LOW
A vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. The attack can be initiated remotely. The patch is identified as 8e0eba001662c7eb35f045b70dd458a4643b4553. It is recommended to apply a patch to fix this issue. VDB-217426 is the identifier assigned to this vulnerability.
CVE-2022-48363 1 Linuxfoundation 1 Automotive Grade Linux 2024-11-21 N/A 7.5 HIGH
In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files. Eventually there is an assertion failure in libmpdclient because libqtappfw passes in a NULL pointer.
CVE-2022-46770 1 Linuxfoundation 1 Mirage Firewall 2024-11-21 N/A 7.5 HIGH
qubes-mirage-firewall (aka Mirage firewall for QubesOS) 0.8.x through 0.8.3 allows guest OS users to cause a denial of service (CPU consumption and loss of forwarding) via a crafted multicast UDP packet (IP address range of 224.0.0.0 through 239.255.255.255).
CVE-2022-46463 1 Linuxfoundation 1 Harbor 2024-11-21 N/A 7.5 HIGH
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."
CVE-2022-45932 1 Linuxfoundation 1 Opendaylight 2024-11-21 N/A 7.5 HIGH
A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function is affected when the API interface /auth/v1/roles/ is used.
CVE-2022-45931 1 Linuxfoundation 1 Opendaylight 2024-11-21 N/A 7.5 HIGH
A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java deleteUser function is affected when the API interface /auth/v1/users/ is used.
CVE-2022-45930 1 Linuxfoundation 1 Opendaylight 2024-11-21 N/A 7.5 HIGH
A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java deleteDomain function is affected for the /auth/v1/domains/ API interface.
CVE-2022-45907 1 Linuxfoundation 1 Pytorch 2024-11-21 N/A 9.8 CRITICAL
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
CVE-2022-41939 1 Linuxfoundation 1 Knative Func 2024-11-21 N/A 6.1 MEDIUM
knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious `lifecycle` container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid `lifecycle` image will also mitigate the attack.
CVE-2022-41354 1 Linuxfoundation 1 Argo-cd 2024-11-21 N/A 4.3 MEDIUM
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
CVE-2022-39383 1 Linuxfoundation 1 Kubevela 2024-11-21 N/A 4.9 MEDIUM
KubeVela is an open source application delivery platform. Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. Users who're using v1.6, please update the v1.6.1. Users who're using v1.5, please update the v1.5.8. There are no known workarounds for this issue.
CVE-2022-39222 1 Linuxfoundation 1 Dex 2024-11-21 N/A 9.3 CRITICAL
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability if they are running a version prior to 2.35.0. An attacker can exploit this vulnerability by making a victim navigate to a malicious website and guiding them through the OIDC flow, stealing the OAuth authorization code in the process. The authorization code then can be exchanged by the attacker for a token, gaining access to applications accepting that token. Version 2.35.0 has introduced a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-38817 1 Linuxfoundation 1 Dapr Dashboard 2024-11-21 N/A 7.5 HIGH
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
CVE-2022-36025 1 Linuxfoundation 1 Besu 2024-11-21 N/A 9.1 CRITICAL
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.