CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Novell » Opensuse » 13.1 : Security Vulnerabilities

Cpe Name:cpe:/o:novell:opensuse:13.1
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-1419 Bypass 2015-01-28 2015-01-28
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
2 CVE-2015-1382 20 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to an HTTP time header.
3 CVE-2015-1381 399 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
Multiple unspecified vulnerabilities in pcrs.c in Privoxy before 3.0.23 allow remote attackers to cause a denial of service (segmentation fault or memory consumption) via unspecified vectors.
4 CVE-2015-1380 20 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
jcc.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (abort) via a crafted chunk-encoded body.
5 CVE-2015-1196 59 2015-01-21 2015-02-11
4.3
None Remote Medium Not required None Partial None
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
6 CVE-2015-0552 22 Dir. Trav. 2015-01-15 2015-02-17
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."
7 CVE-2015-0255 200 DoS +Info 2015-02-13 2015-02-26
6.4
None Remote Low Not required Partial None Partial
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
8 CVE-2014-9512 59 2015-02-12 2015-02-12
6.4
None Remote Low Not required None Partial Partial
rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
9 CVE-2014-9496 119 Overflow 2015-01-16 2015-01-22
10.0
None Remote Low Not required Complete Complete Complete
The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.
10 CVE-2014-9402 399 DoS 2015-02-24 2015-02-24
7.8
None Remote Low Not required None None Complete
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
11 CVE-2014-8643 264 Bypass 2015-01-14 2015-02-27
7.1
None Remote Medium Not required None Complete None
Mozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process.
12 CVE-2014-8642 310 +Info 2015-01-14 2015-02-27
4.3
None Remote Medium Not required Partial None None
Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate.
13 CVE-2014-8640 362 DoS 2015-01-14 2015-02-27
5.0
None Remote Low Not required None None Partial
The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls.
14 CVE-2014-8158 119 DoS Exec Code Overflow 2015-01-26 2015-02-27
6.8
None Remote Medium Not required Partial Partial Partial
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.
15 CVE-2014-8157 189 DoS Exec Code Overflow 2015-01-26 2015-02-27
7.5
None Remote Low Not required Partial Partial Partial
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.
16 CVE-2014-8148 264 Exec Code 2015-01-26 2015-01-27
7.2
Admin Local Low Not required Complete Complete Complete
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.
17 CVE-2014-8080 DoS 2014-11-03 2015-02-10
5.0
None Remote Low Not required None None Partial
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
18 CVE-2014-5177 20 2014-08-03 2014-12-23
1.2
None Local High Not required Partial None None
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
19 CVE-2014-3693 DoS Exec Code 2014-11-07 2014-12-31
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599.
20 CVE-2014-2913 Exec Code 2014-05-07 2014-06-05
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
21 CVE-2014-2554 20 2014-04-23 2014-04-24
4.3
None Remote Medium Not required None Partial None
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
22 CVE-2014-2528 Exec Code 2014-08-26 2014-08-27
6.8
None Remote Medium Not required Partial Partial Partial
kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a ' (single quote) character in the directory name, a different vulnerability than CVE-2014-2527.
23 CVE-2014-2527 Exec Code 2014-08-26 2014-08-27
6.8
None Remote Medium Not required Partial Partial Partial
kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a " (double quote) character in the directory name, a different vulnerability than CVE-2014-2528.
24 CVE-2014-2386 189 DoS Overflow 2014-03-25 2014-03-25
5.0
None Remote Low Not required None None Partial
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow.
25 CVE-2014-1934 59 2014-05-08 2014-05-09
3.3
None Local Medium Not required None Partial Partial
tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.
26 CVE-2014-1909 189 Exec Code Overflow Bypass 2014-05-13 2014-05-14
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer overflow.
27 CVE-2014-1839 2014-03-11 2014-03-12
4.4
None Local Medium Not required Partial Partial Partial
The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.
28 CVE-2014-1838 59 2014-03-11 2014-03-12
4.4
None Local Medium Not required Partial Partial Partial
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.
29 CVE-2014-0979 DoS 2014-01-22 2014-02-21
2.1
None Local Low Not required None None Partial
The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, which allows local users to cause a denial of service (NULL pointer dereference) via an empty username.
30 CVE-2014-0247 2014-07-03 2014-10-24
10.0
None Remote Low Not required Complete Complete Complete
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx.
31 CVE-2014-0179 20 DoS 2014-08-03 2014-12-23
1.9
None Local Medium Not required None None Partial
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods.
32 CVE-2014-0133 119 Exec Code Overflow 2014-03-28 2014-03-31
5.1
None Remote High Not required Partial Partial Partial
Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.
33 CVE-2013-7423 17 2015-02-24 2015-02-24
5.0
None Remote Low Not required None Partial None
The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of request that trigger a call to the getaddrinfo function.
34 CVE-2013-7336 DoS 2014-05-07 2015-01-02
1.9
None Local Medium Not required None None Partial
The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function.
35 CVE-2013-6394 310 2013-12-13 2014-03-05
2.1
None Local Low Not required None Partial None
Percona XtraBackup before 2.1.6 uses a constant string for the initialization vector (IV), which makes it easier for local users to defeat cryptographic protection mechanisms and conduct plaintext attacks.
36 CVE-2013-4509 255 2013-11-23 2014-01-23
1.9
None Local Medium Not required Partial None None
The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.
37 CVE-2013-4487 189 DoS Mem. Corr. 2013-11-20 2013-11-20
5.0
None Remote Low Not required None None Partial
Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466.
38 CVE-2013-4159 264 2014-08-06 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
ctdb before 2.3 in OpenSUSE 12.3 and 13.1 does not create temporary files securely, which has unspecified impact related to "several temp file vulnerabilities" in (1) tcp/tcp_connect.c, (2) server/eventscript.c, (3) tools/ctdb_diagnostics, (4) config/gdb_backtrace, and (5) include/ctdb_private.h.
39 CVE-2013-3713 200 +Info 2014-01-10 2014-01-13
4.4
None Local Medium Not required Partial Partial Partial
The image creation configuration in aaa_base before 16.26.1 for openSUSE 13.1 KDE adds the root user to the "users" group when installing from a live image, which allows local users to obtain sensitive information and possibly have other unspecified impacts, as demonstrated by reading /etc/shadow.
40 CVE-2013-2027 264 Bypass 2015-02-13 2015-02-13
4.6
None Local Low Not required Partial Partial Partial
Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
41 CVE-2013-0348 264 +Info 2013-12-13 2014-01-13
2.1
None Local Low Not required Partial None None
thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readable permissions for /var/log/thttpd.log, which allows local users to obtain sensitive information by reading the file.
Total number of vulnerabilities : 41   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.