Exploit Database
145,683 exploits tracked across all sources.
Linux kernel <4.13.8 - Memory Corruption
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
CVSS 6.5
GitLab CE/EE <8.17.8, <9.0.13, <9.1.10, <9.2.10, <9.3.10, <9.4.4 - RCE
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
CVSS 8.8
rsyslog < 8.27.0 - Format String Vulnerability in ZMQ3 Input/Output Modules
The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.
CVSS 9.8
NexusPHP 1.5 - Cross-Site Request Forgery and Cross-Site Scripting via Linksmanage.php Parameters
Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.
CVSS 6.1
Cyrus IMAP < 3.0.3 - Authenticated Arbitrary File Write via SYNCAPPLY, SYNCGET, or SYNCRESTORE Command
Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) SYNCGET or (3) SYNCRESTORE command.
CVSS 6.5
Nagios Core <4.3.3 - Privilege Escalation
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command.
CVSS 6.3
numpy < 1.13.1 - Denial of Service via Empty Input to numpy.pad
The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack.
CVSS 7.5
tcpdump < 4.9.2 - Out-of-bounds Read in ISAKMP Parser
The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c:isakmp_rfc3948_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in DECnet Parser
The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in print-decnet.c:decnet_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in Zephyr Parser
The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in print-zephyr.c, several functions.
CVSS 9.8
nimbus_jose+jwt - HMAC Bypass via Integer Overflow in Byte-to-Bit Conversion
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
CVSS 7.5
Nimbus JOSE+JWT <4.39 - Info Disclosure
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
CVSS 3.1
Nimbus JOSE+JWT < 4.36 - Invalid Curve Attack via ECKey Construction
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
CVSS 7.5
Cacti < 1.1.17 - Authenticated Cross-Site Scripting via External Link Title Field
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVSS 5.4
tcpdump < 4.9.2 - Out-of-bounds Read in IEEE 802.11 Parser
The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IEEE 802.15.4 Parser
The IEEE 802.15.4 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_15_4.c:ieee802_15_4_if_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in Juniper Protocols Parser
The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over-read in print-juniper.c:juniper_parse_header().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in VTP Parser
The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IPv6 Mobility Parser
The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in BOOTP Parser
The BOOTP parser in tcpdump before 4.9.2 has a buffer over-read in print-bootp.c:bootp_print().
CVSS 9.8
ImageMagick < 6.9.9-0 and 7.x < 7.0.6-1 - Denial of Service via Crafted PNG File
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.
CVSS 6.5
ImageMagick < 6.9.8-8 and 7.x < 7.0.5-9 - Denial of Service via JP2 Channel Geometry Validation
In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image function in coders/jp2.c does not properly validate the channel geometry, leading to a crash.
CVSS 6.5
tcpdump < 4.9.2 - Out-of-bounds Read in Cisco HDLC Parser
The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read in print-chdlc.c:chdlc_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IPv6 Routing Header Parser
The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().
CVSS 9.8
ARM mbed TLS < 1.3.21 and 2.x < 2.1.9 - Authentication Bypass via X.509 Certificate Chain
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
CVSS 8.1
By Source