Filtered by vendor Opensuse
Subscribe
Total
3124 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14308 | 2 Gnu, Opensuse | 2 Grub2, Leap | 2024-02-04 | 4.4 MEDIUM | 6.4 MEDIUM |
| In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. | |||||
| CVE-2020-14093 | 4 Canonical, Debian, Mutt and 1 more | 4 Ubuntu Linux, Debian Linux, Mutt and 1 more | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. | |||||
| CVE-2020-12862 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2024-02-04 | 3.3 LOW | 4.3 MEDIUM |
| An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082. | |||||
| CVE-2020-11095 | 4 Canonical, Fedoraproject, Freerdp and 1 more | 4 Ubuntu Linux, Fedora, Freerdp and 1 more | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| In FreeRDP before version 2.1.2, an out of bound reads occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2. | |||||
| CVE-2020-13379 | 4 Fedoraproject, Grafana, Netapp and 1 more | 5 Fedora, Grafana, E-series Performance Analyzer and 2 more | 2024-02-04 | 6.4 MEDIUM | 8.2 HIGH |
| The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. | |||||
| CVE-2020-6472 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory or disk via a crafted Chrome Extension. | |||||
| CVE-2020-9490 | 7 Apache, Canonical, Debian and 4 more | 25 Http Server, Ubuntu Linux, Debian Linux and 22 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. | |||||
| CVE-2020-6426 | 5 Debian, Fedoraproject, Google and 2 more | 6 Debian Linux, Fedora, Chrome and 3 more | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2020-6490 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient data validation in loader in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had been able to write to disk to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-13114 | 3 Canonical, Libexif Project, Opensuse | 3 Ubuntu Linux, Libexif, Leap | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data. | |||||
| CVE-2020-11080 | 5 Debian, Fedoraproject, Nghttp2 and 2 more | 9 Debian Linux, Fedora, Nghttp2 and 6 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. | |||||
| CVE-2020-6518 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-02-04 | 9.3 HIGH | 8.8 HIGH |
| Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2020-15393 | 4 Canonical, Debian, Linux and 1 more | 4 Ubuntu Linux, Debian Linux, Linux Kernel and 1 more | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770. | |||||
| CVE-2020-8927 | 6 Canonical, Debian, Fedoraproject and 3 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits. | |||||
| CVE-2020-17367 | 4 Debian, Fedoraproject, Firejail Project and 1 more | 4 Debian Linux, Fedora, Firejail and 1 more | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
| Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection. | |||||
| CVE-2020-8020 | 2 Debian, Opensuse | 2 Debian Linux, Open Build Service | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. | |||||
| CVE-2020-14350 | 3 Debian, Opensuse, Postgresql | 3 Debian Linux, Leap, Postgresql | 2024-02-04 | 4.4 MEDIUM | 7.3 HIGH |
| It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. | |||||
| CVE-2020-6523 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2024-02-04 | 9.3 HIGH | 8.8 HIGH |
| Out of bounds write in Skia in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2020-12625 | 3 Debian, Opensuse, Roundcube | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. | |||||
| CVE-2020-14349 | 2 Opensuse, Postgresql | 2 Leap, Postgresql | 2024-02-04 | 4.6 MEDIUM | 7.1 HIGH |
| It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. | |||||