| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-1000410 |
200 |
|
Bypass +Info |
2017-12-07 |
2019-04-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes). |
|
2 |
CVE-2017-15275 |
119 |
|
Overflow +Info |
2017-11-27 |
2018-10-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory. |
|
3 |
CVE-2017-14494 |
200 |
|
+Info |
2017-10-03 |
2018-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. |
|
4 |
CVE-2017-11225 |
416 |
|
Exec Code Mem. Corr. +Info |
2017-12-09 |
2017-12-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the Primetime SDK metadata functionality. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution. |
|
5 |
CVE-2017-11215 |
416 |
|
Exec Code Mem. Corr. +Info |
2017-12-09 |
2017-12-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the Primetime SDK. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution. |
|
6 |
CVE-2017-9788 |
200 |
|
DoS +Info |
2017-07-13 |
2021-06-06 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. |
|
7 |
CVE-2017-3157 |
200 |
|
+Info |
2017-11-20 |
2019-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
By exploiting the way Apache OpenOffice before 4.1.4 renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker. The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back. |
|
8 |
CVE-2016-9446 |
665 |
|
+Info |
2017-01-23 |
2020-11-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas. |
|
9 |
CVE-2016-5416 |
200 |
|
+Info |
2017-06-08 |
2019-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to read the default Access Control Instructions. |
|
10 |
CVE-2016-4992 |
200 |
|
+Info |
2017-06-08 |
2017-06-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component objects. |
|
11 |
CVE-2016-4455 |
264 |
|
+Info |
2017-04-14 |
2020-09-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories. |
|
12 |
CVE-2015-7529 |
59 |
|
+Priv +Info |
2017-11-06 |
2019-09-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by sosreport-$hostname-$date.tar in /tmp/sosreport-$hostname-$date. |
