admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-05 10:18:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2020-10-14 19:01:48 +00:00
parent b9c640cc89
commit 21e7410993
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
15 changed files with 55 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
2014/6xxx/CVE-2014-6053.json
View File

@ -116,6 +116,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20191221 [SECURITY] [DLA 2045-1] tightvnc security update",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

5
2018/7xxx/CVE-2018-7225.json
View File

@ -111,6 +111,11 @@
"refsource": "UBUNTU",
"name": "USN-4547-1",
"url": "https://usn.ubuntu.com/4547-1/"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

5
2019/15xxx/CVE-2019-15681.json
View File

@ -88,6 +88,11 @@
"refsource": "UBUNTU",
"name": "USN-4547-1",
"url": "https://usn.ubuntu.com/4547-1/"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
},

5
2020/14xxx/CVE-2020-14355.json
View File

@ -58,6 +58,11 @@
"refsource": "DEBIAN",
"name": "DSA-4771",
"url": "https://www.debian.org/security/2020/dsa-4771"
},
{
"refsource": "UBUNTU",
"name": "USN-4572-1",
"url": "https://usn.ubuntu.com/4572-1/"
}
]
},

5
2020/14xxx/CVE-2020-14397.json
View File

@ -91,6 +91,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20200828 [SECURITY] [DLA 2347-1] libvncserver security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00045.html"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

5
2020/14xxx/CVE-2020-14402.json
View File

@ -91,6 +91,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20200828 [SECURITY] [DLA 2347-1] libvncserver security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00045.html"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

5
2020/14xxx/CVE-2020-14403.json
View File

@ -76,6 +76,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20200828 [SECURITY] [DLA 2347-1] libvncserver security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00045.html"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

5
2020/14xxx/CVE-2020-14404.json
View File

@ -76,6 +76,11 @@
"refsource": "MLIST",
"name": "[debian-lts-announce] 20200828 [SECURITY] [DLA 2347-1] libvncserver security update",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00045.html"
},
{
"refsource": "UBUNTU",
"name": "USN-4573-1",
"url": "https://usn.ubuntu.com/4573-1/"
}
]
}

2
2020/15xxx/CVE-2020-15224.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Open Enclave before version 0.12.0, an information disclosure vulnerability exists when an enclave application using the syscalls provided by the sockets.edl is loaded by a malicious host application. An attacker who successfully exploited the vulnerability could read privileged data from the enclave heap across trust boundaries.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information otherwise considered confidential in an enclave, which could be used in further compromises.\n\nThe issue has been addressed in version 0.12.0 and the current master branch. Users will need to to recompile their applications against the patched libraries to be protected from this vulnerability."
"value": "In Open Enclave before version 0.12.0, an information disclosure vulnerability exists when an enclave application using the syscalls provided by the sockets.edl is loaded by a malicious host application. An attacker who successfully exploited the vulnerability could read privileged data from the enclave heap across trust boundaries. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information otherwise considered confidential in an enclave, which could be used in further compromises. The issue has been addressed in version 0.12.0 and the current master branch. Users will need to to recompile their applications against the patched libraries to be protected from this vulnerability."
}
]
},

5
2020/15xxx/CVE-2020-15229.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability.\n\nDue to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem.\nThe extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`.\n\nImage build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction.\n\nThis issue is addressed in Singularity 3.6.4.\n\nAll users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user.\n\nThere is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that."
"value": "Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that."
}
]
},
@ -86,7 +86,8 @@
},
{
"refsource": "MISC",
"url": "https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e"
"url": "https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e",
"name": "https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e"
}
]
},

2
2020/15xxx/CVE-2020-15253.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. \n\nAuthentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
"value": "Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
}
]
},

2
2020/3xxx/CVE-2020-3427.json
View File

@ -37,7 +37,7 @@
"description_data": [
{
"lang": "eng",
"value": "A privilege escalation vulnerability exists in the Duo Authentication for Windows Logon and RDP implementation. This vulnerability could allow an authenticated local attacker to overwrite files in privileged directories.\n\n"
"value": "A privilege escalation vulnerability exists in the Duo Authentication for Windows Logon and RDP implementation. This vulnerability could allow an authenticated local attacker to overwrite files in privileged directories."
}
]
},

2
2020/3xxx/CVE-2020-3483.json
View File

@ -37,7 +37,7 @@
"description_data": [
{
"lang": "eng",
"value": "Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key information being written out in plain-text to local files on the DNG host. Any private keys logged in this way could be viewed by those with access to the DNG host operating system without any need for reversing encrypted values or similar techniques. An attacker that gained access to the DNG logs and with the ability to intercept and manipulate network traffic between a user and the DNG, could decrypt and manipulate SSL/TLS connections to the DNG and to the protected applications behind it. Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7 are affected.\n\n"
"value": "Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key information being written out in plain-text to local files on the DNG host. Any private keys logged in this way could be viewed by those with access to the DNG host operating system without any need for reversing encrypted values or similar techniques. An attacker that gained access to the DNG logs and with the ability to intercept and manipulate network traffic between a user and the DNG, could decrypt and manipulate SSL/TLS connections to the DNG and to the protected applications behind it. Duo Network Gateway (DNG) versions 1.3.3 through 1.5.7 are affected."
}
]
},

7
2020/7xxx/CVE-2020-7317.json
View File

@ -74,8 +74,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332"
"refsource": "MISC",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332",
"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332"
}
]
},
@ -83,4 +84,4 @@
"advisory": "SB10332",
"discovery": "EXTERNAL"
}
}
}

7
2020/7xxx/CVE-2020-7318.json
View File

@ -74,8 +74,9 @@
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332"
"refsource": "MISC",
"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332",
"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332"
}
]
},
@ -83,4 +84,4 @@
"advisory": "SB10332",
"discovery": "EXTERNAL"
}
}
}