Total
323528 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15124 | 2 Qemu, Redhat | 3 Qemu, Enterprise Linux, Openstack | 2024-11-21 | N/A |
| VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. | ||||
| CVE-2017-15123 | 1 Redhat | 1 Cloudforms Management Engine | 2024-11-21 | N/A |
| A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines. | ||||
| CVE-2017-15120 | 2 Debian, Powerdns | 2 Debian Linux, Recursor | 2024-11-21 | N/A |
| An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service. | ||||
| CVE-2017-15119 | 4 Canonical, Debian, Qemu and 1 more | 6 Ubuntu Linux, Debian Linux, Qemu and 3 more | 2024-11-21 | N/A |
| The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. | ||||
| CVE-2017-15118 | 3 Canonical, Qemu, Redhat | 4 Ubuntu Linux, Qemu, Enterprise Linux and 1 more | 2024-11-21 | N/A |
| A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS. | ||||
| CVE-2017-15113 | 2 Ovirt, Redhat | 3 Ovirt, Rhev Manager, Virtualization | 2024-11-21 | N/A |
| ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues. | ||||
| CVE-2017-15112 | 2 Keycloak-httpd-client-install Project, Redhat | 2 Keycloak-httpd-client-install, Enterprise Linux | 2024-11-21 | N/A |
| keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass password through command line, leaking it via command history and process info to other local users. | ||||
| CVE-2017-15111 | 2 Keycloak-httpd-client-install Project, Redhat | 2 Keycloak-httpd-client-install, Enterprise Linux | 2024-11-21 | N/A |
| keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link. | ||||
| CVE-2017-15108 | 2 Debian, Spice-space | 2 Debian Linux, Spice-vdagent | 2024-11-21 | 7.8 High |
| spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed. | ||||
| CVE-2017-15107 | 1 Thekelleys | 1 Dnsmasq | 2024-11-21 | N/A |
| A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist. | ||||
| CVE-2017-15105 | 3 Canonical, Debian, Nlnetlabs | 3 Ubuntu Linux, Debian Linux, Unbound | 2024-11-21 | N/A |
| A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof. | ||||
| CVE-2017-15101 | 2 Liblouis, Redhat | 7 Liblouis, Enterprise Linux, Enterprise Linux Desktop and 4 more | 2024-11-21 | N/A |
| A missing patch for a stack-based buffer overflow in findTable() was found in Red Hat version of liblouis before 2.5.4. An attacker could cause a denial of service condition or potentially even arbitrary code execution. | ||||
| CVE-2017-15097 | 1 Redhat | 8 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 5 more | 2024-11-21 | N/A |
| Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. | ||||
| CVE-2017-15095 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more | 2024-11-21 | 9.8 Critical |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | ||||
| CVE-2017-15094 | 1 Powerdns | 1 Recursor | 2024-11-21 | N/A |
| An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0.0 up to and including 4.0.6 leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default). | ||||
| CVE-2017-15093 | 1 Powerdns | 1 Recursor | 2024-11-21 | N/A |
| When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration. | ||||
| CVE-2017-15092 | 1 Powerdns | 1 Recursor | 2024-11-21 | N/A |
| A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content. | ||||
| CVE-2017-15091 | 1 Powerdns | 1 Authoritative | 2024-11-21 | N/A |
| An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY. | ||||
| CVE-2017-15090 | 1 Powerdns | 1 Recursor | 2024-11-21 | N/A |
| An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records. | ||||
| CVE-2017-15089 | 2 Infinispan, Redhat | 6 Infinispan, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more | 2024-11-21 | N/A |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | ||||