| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-23645 | 125 | | | 2022-02-18 | 2022-03-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | swtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interface. Versions prior to 0.5.3, 0.6.2, and 0.7.1 are vulnerable to out-of-bounds read. A specially crafted header of swtpm's state, where the blobheader's hdrsize indicator has an invalid value, may cause an out-of-bounds access when the byte array representing the state of the TPM is accessed. This will likely crash swtpm or prevent it from starting since the state cannot be understood. Users should upgrade to swtpm v0.5.3, v0.6.2, or v0.7.1 to receive a patch. There are currently no known workarounds. |
| 2 | CVE-2022-2078 | 121 | | DoS Overflow | 2022-06-30 | 2022-10-26 | 2.1 | None | Local | Low | Not required | None | None | Partial | A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly allowing code execution. |
| 3 | CVE-2022-1852 | 476 | | DoS | 2022-06-30 | 2022-10-26 | 2.1 | None | Local | Low | Not required | None | None | Partial | A NULL pointer dereference flaw was found in the Linux kernel's KVM module, which can lead to a denial of service in x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in a guest on an Intel CPU. |
| 4 | CVE-2022-0987 | | | | 2022-06-28 | 2022-07-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examine files. This issue allows a local user to measure the time the methods take to execute and learn whether a file owned by root or other users exists. |
| 5 | CVE-2022-0487 | 416 | | | 2022-02-04 | 2022-04-30 | 2.1 | None | Local | Low | Not required | Partial | None | None | A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system confidentiality. This flaw affects kernel versions prior to 5.14 rc1. |
| 6 | CVE-2021-43389 | 125 | | | 2021-11-04 | 2022-07-25 | 2.1 | None | Local | Low | Not required | None | None | Partial | An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. |
| 7 | CVE-2021-20320 | 200 | | +Info | 2022-02-18 | 2022-03-03 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in the s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier, which may lead to a confidentiality problem. |
| 8 | CVE-2021-20297 | 20 | | | 2021-05-26 | 2021-06-03 | 2.1 | None | Local | Low | Not required | None | None | Partial | A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability. |
| 9 | CVE-2021-20257 | 835 | | DoS | 2022-03-16 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | An infinite loop flaw was found in the e1000 NIC emulator of QEMU. This issue occurs while processing transmit (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. |
| 10 | CVE-2021-20239 | 119 | | Overflow +Info | 2021-05-28 | 2022-08-05 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. |
| 11 | CVE-2021-20221 | 787 | | | 2021-05-13 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU on the aarch64 platform. The issue occurs because, while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. This may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario. |
| 12 | CVE-2021-4115 | | | | 2022-02-21 | 2022-08-09 | 2.1 | None | Local | Low | Not required | None | None | Partial | There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: the polkit process outage duration is tied to the failing process being reaped and a new one being spawned. |
| 13 | CVE-2021-3941 | 369 | | | 2022-03-25 | 2023-02-03 | 2.1 | None | Local | Low | Not required | None | None | Partial | In the ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;`, but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR. |
| 14 | CVE-2021-3930 | 193 | | DoS | 2022-02-18 | 2022-10-25 | 2.1 | None | Local | Low | Not required | None | None | Partial | An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. |
| 15 | CVE-2021-3679 | 835 | | DoS | 2021-08-05 | 2022-10-27 | 2.1 | None | Local | Low | Not required | None | None | Partial | A CPU resource exhaustion flaw was found in the Linux kernel tracing module functionality in versions prior to 5.14-rc3, in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing a denial of service. |
| 16 | CVE-2021-3655 | 20 | | | 2021-08-05 | 2022-10-27 | 2.1 | None | Local | Low | Not required | Partial | None | None | A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. |
| 17 | CVE-2021-3620 | 209 | | | 2022-03-03 | 2023-02-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. |
| 18 | CVE-2021-3611 | 787 | | DoS Overflow | 2022-05-11 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. |
| 19 | CVE-2021-3598 | 119 | | Overflow | 2021-07-06 | 2023-02-03 | 2.1 | None | Local | Low | Not required | None | None | Partial | There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability. |
| 20 | CVE-2021-3595 | 824 | | | 2021-06-15 | 2021-09-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. |
| 21 | CVE-2021-3594 | 824 | | | 2021-06-15 | 2021-09-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. |
| 22 | CVE-2021-3593 | 824 | | | 2021-06-15 | 2022-05-13 | 2.1 | None | Local | Low | Not required | Partial | None | None | An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a UDP packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. |
| 23 | CVE-2021-3592 | 824 | | | 2021-06-15 | 2021-09-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. |
| 24 | CVE-2021-3569 | 787 | | Mem. Corr. | 2021-06-03 | 2022-10-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | A stack corruption bug was found in libtpms in versions before 0.7.2 and before 0.8.0 while decrypting data using RSA. This flaw could result in a SIGBUS (bad memory access) and termination of swtpm. The highest threat from this vulnerability is to system availability. |
| 25 | CVE-2021-3527 | 770 | | DoS | 2021-05-26 | 2022-09-30 | 2.1 | None | Local | Low | Not required | None | None | Partial | A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. |
| 26 | CVE-2021-3505 | 331 | | | 2021-04-19 | 2021-06-03 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality. |
| 27 | CVE-2021-3446 | 330 | | | 2021-03-25 | 2022-10-27 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. |
| 28 | CVE-2021-3426 | 22 | | Dir. Trav. | 2021-05-20 | 2022-10-25 | 2.7 | None | Local Network | Low | ??? | Partial | None | None | There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7. |
| 29 | CVE-2021-3416 | 835 | | Overflow Bypass | 2021-03-18 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU. The issue occurs in loopback mode of a NIC, wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host, resulting in a DoS scenario. |
| 30 | CVE-2021-0129 | | | | 2021-06-09 | 2022-10-29 | 2.7 | None | Local Network | Low | ??? | Partial | None | None | Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. |
| 31 | CVE-2020-25743 | 476 | | | 2020-10-06 | 2020-10-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. |
| 32 | CVE-2020-14373 | 416 | | DoS | 2020-09-03 | 2020-09-10 | 2.1 | None | Local | Low | Not required | None | None | Partial | A use after free was found in igc_reloc_struct_ptr() of psi/igc.c of ghostscript-9.25. A local attacker could supply a specially crafted PDF file to cause a denial of service. |
| 33 | CVE-2020-12458 | 732 | | | 2020-04-29 | 2022-04-26 | 2.1 | None | Local | Low | Not required | Partial | None | None | An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). |
| 34 | CVE-2020-11669 | | | | 2020-04-10 | 2020-05-28 | 2.1 | None | Local | Low | Not required | None | None | Partial | An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd. |
| 35 | CVE-2020-10769 | 125 | | DoS | 2020-06-26 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec cryptographic algorithm's module, authenc. When a payload is longer than 4 bytes and does not follow the 4-byte alignment boundary guidelines, it causes a buffer over-read, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. |
| 36 | CVE-2020-10763 | 532 | | | 2020-11-24 | 2020-12-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. |
| 37 | CVE-2020-10756 | 125 | | +Info | 2020-07-09 | 2022-04-05 | 2.1 | None | Local | Low | Not required | Partial | None | None | An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. |
| 38 | CVE-2020-2732 | 200 | | +Info | 2020-04-08 | 2020-06-10 | 2.3 | None | Local Network | Medium | ??? | Partial | None | None | A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. |
| 39 | CVE-2019-19338 | 203 | | | 2020-07-13 | 2020-07-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in the fix for CVE-2019-11135, in Linux upstream kernel versions before 5.5, in the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that the host has TSX enabled. Confidentiality of data is the highest threat associated with this vulnerability. |
| 40 | CVE-2019-18391 | 787 | | DoS Overflow | 2019-12-23 | 2023-02-02 | 2.1 | None | Local | Low | Not required | None | None | Partial | A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands. |
| 41 | CVE-2019-16680 | 22 | | Dir. Trav. | 2019-09-21 | 2019-12-20 | 2.6 | None | Remote | High | Not required | None | Partial | None | An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction. |
| 42 | CVE-2019-14907 | 125 | | | 2020-01-21 | 2022-11-16 | 2.6 | None | Remote | High | Not required | None | None | Partial | All Samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where, if it is set with "log level = 3" (or above), the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless.) |
| 43 | CVE-2019-14850 | 406 | | DoS | 2021-03-18 | 2021-03-24 | 2.6 | None | Remote | High | Not required | None | None | Partial | A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server side. |
| 44 | CVE-2019-14826 | 613 | | | 2019-09-17 | 2019-10-09 | 2.1 | None | Local | Low | Not required | Partial | None | None | A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session. |
| 45 | CVE-2019-13456 | 203 | | +Info | 2019-12-03 | 2022-01-01 | 2.9 | None | Local Network | Medium | Not required | Partial | None | None | In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494. |
| 46 | CVE-2019-12067 | 476 | | DoS | 2021-06-02 | 2022-05-13 | 2.1 | None | Local | Low | Not required | None | None | Partial | The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. |
| 47 | CVE-2019-11135 | | | | 2019-11-14 | 2022-10-07 | 2.1 | None | Local | Low | Not required | Partial | None | None | TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. |
| 48 | CVE-2019-10183 | 200 | | +Info | 2019-07-03 | 2023-02-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | The virt-install utility used to provision new virtual machines, in virt-manager v2.2.0, has introduced an option '--unattended' to create VMs without user interaction. This option accepts the guest VM password as a command line argument. An attacker could obtain these passwords through process listings on the system. |
| 49 | CVE-2019-10146 | 79 | | XSS | 2020-03-18 | 2023-02-02 | 2.6 | None | Remote | High | Not required | None | Partial | None | A Reflected Cross Site Scripting flaw was found in the pki-ca module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed in the victim's browser. |
| 50 | CVE-2019-7317 | 416 | | | 2019-02-04 | 2022-05-23 | 2.6 | None | Remote | High | Not required | None | None | Partial | png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. |