| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2018-19364 | 416 | | | 2018-12-13 | 2019-01-04 | 2.1 | None | Local | Low | Not required | None | None | Partial | hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. |
| 2 | CVE-2018-18954 | 125 | | | 2018-11-15 | 2018-12-18 | 2.1 | None | Local | Low | Not required | None | None | Partial | The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in QEMU before 3.1 allows out-of-bounds write or read access to PowerNV memory. |
| 3 | CVE-2018-15864 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created. |
| 4 | CVE-2018-15863 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. |
| 5 | CVE-2018-15862 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers. |
| 6 | CVE-2018-15861 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. |
| 7 | CVE-2018-15859 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled. |
| 8 | CVE-2018-15858 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap in xkbcomp/keycodes.c in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file. |
| 9 | CVE-2018-15856 | 399 | | DoS | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | An infinite loop when reaching EOL unexpectedly in compose/parser.c (aka the keymap parser) in xkbcommon before 0.8.1 could be used by local attackers to cause a denial of service during parsing of crafted keymap files. |
| 10 | CVE-2018-15855 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled. |
| 11 | CVE-2018-15854 | 476 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly. |
| 12 | CVE-2018-15853 | 399 | | | 2018-08-25 | 2018-11-07 | 2.1 | None | Local | Low | Not required | None | None | Partial | Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation. |
| 13 | CVE-2018-15594 | 254 | | | 2018-08-20 | 2018-10-26 | 2.1 | None | Local | Low | Not required | Partial | None | None | arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. |
| 14 | CVE-2018-15572 | 254 | | | 2018-08-19 | 2018-10-31 | 2.1 | None | Local | Low | Not required | Partial | None | None | The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks. |
| 15 | CVE-2018-13053 | 190 | | Overflow | 2018-07-02 | 2018-11-23 | 2.1 | None | Local | Low | Not required | None | None | Partial | The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. |
| 16 | CVE-2018-12383 | 200 | | +Info | 2018-10-18 | 2018-12-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Firefox < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1. |
| 17 | CVE-2018-8043 | 476 | | DoS | 2018-03-10 | 2018-05-09 | 2.1 | None | Local | Low | Not required | None | None | Partial | The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). |
| 18 | CVE-2018-7755 | 200 | | Bypass +Info | 2018-03-08 | 2018-10-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. |
| 19 | CVE-2018-7073 | 284 | | | 2018-08-06 | 2018-10-06 | 2.1 | None | Local | Low | Not required | None | Partial | None | A local arbitrary file modification vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24. |
| 20 | CVE-2018-6559 | 200 | | +Info | 2018-10-26 | 2018-12-06 | 2.1 | None | Local | Low | Not required | Partial | None | None | The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain the names of files which they would not normally be able to access, via an overlayfs mount inside of a user namespace. |
| 21 | CVE-2018-6556 | 417 | | | 2018-08-10 | 2018-10-21 | 2.1 | None | Local | Low | Not required | Partial | None | None | lxc-user-nic when asked to delete a network interface will unconditionally open a user provided path. This code path may be used by an unprivileged user to check for the existence of a path which they wouldn't otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys). Affected releases are LXC: 2.0 versions above and including 2.0.9; 3.0 versions above and including 3.0.0, prior to 3.0.2. |
| 22 | CVE-2018-2762 | | | | 2018-04-18 | 2018-11-27 | 2.1 | None | Local | Low | Not required | None | None | Partial | Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). |
| 23 | CVE-2018-1106 | 287 | | Bypass | 2018-04-23 | 2018-07-09 | 2.1 | None | Local | Low | Not required | None | Partial | None | An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system. |
| 24 | CVE-2018-1059 | 200 | | +Info | 2018-04-24 | 2018-08-21 | 2.9 | None | Local Network | Medium | Not required | Partial | None | None | The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable. |
| 25 | CVE-2018-1050 | 20 | | DoS | 2018-03-13 | 2018-11-30 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash. |
| 26 | CVE-2017-18344 | 125 | | | 2018-07-26 | 2018-11-14 | 2.1 | None | Local | Low | Not required | Partial | None | None | The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE). |
| 27 | CVE-2017-16611 | 254 | | | 2017-12-01 | 2018-01-09 | 2.1 | None | Local | Low | Not required | None | None | Partial | In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files. |
| 28 | CVE-2017-13088 | 254 | | | 2017-10-17 | 2018-07-18 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. |
| 29 | CVE-2017-13087 | 254 | | | 2017-10-17 | 2018-05-16 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. |
| 30 | CVE-2017-13081 | 254 | | | 2017-10-17 | 2018-11-13 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. |
| 31 | CVE-2017-13080 | 254 | | | 2017-10-17 | 2018-11-13 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. |
| 32 | CVE-2017-13079 | 254 | | | 2017-10-17 | 2018-11-13 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. |
| 33 | CVE-2017-13078 | 254 | | | 2017-10-17 | 2018-11-13 | 2.9 | None | Local Network | Medium | Not required | None | Partial | None | Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. |
| 34 | CVE-2017-2592 | 532 | | +Info | 2018-05-08 | 2018-06-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens). |
| 35 | CVE-2016-9963 | 320 | | | 2017-02-01 | 2017-02-15 | 2.6 | None | Remote | High | Not required | Partial | None | None | Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages. |
| 36 | CVE-2016-7056 | 320 | | | 2018-09-10 | 2019-01-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys. |
| 37 | CVE-2016-6224 | 20 | | +Info | 2016-07-22 | 2017-08-07 | 2.1 | None | Local | Low | Not required | Partial | None | None | ecryptfs-setup-swap in eCryptfs does not prevent the unencrypted swap partition from activating during boot when using GPT partitioning on a (1) NVMe or (2) MMC drive, which allows local users to obtain sensitive information via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8946. |
| 38 | CVE-2016-5337 | 200 | | +Info | 2016-06-14 | 2018-12-01 | 2.1 | None | Local | Low | Not required | Partial | None | None | The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information. |
| 39 | CVE-2016-5238 | 119 | | DoS Overflow | 2016-06-14 | 2018-12-01 | 2.1 | None | Local | Low | Not required | None | None | Partial | The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode. |
| 40 | CVE-2016-4804 | 119 | | DoS Overflow | 2016-06-03 | 2018-10-30 | 2.1 | None | Local | Low | Not required | None | None | Partial | The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in the (2) get_fat function. |
| 41 | CVE-2016-4578 | 200 | | +Info | 2016-05-23 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. |
| 42 | CVE-2016-4569 | 200 | | +Info | 2016-05-23 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. |
| 43 | CVE-2016-4486 | 200 | | +Info | 2016-05-23 | 2018-12-20 | 2.1 | None | Local | Low | Not required | Partial | None | None | The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. |
| 44 | CVE-2016-4482 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. |
| 45 | CVE-2016-4441 | 119 | | DoS Overflow | 2016-05-20 | 2018-12-01 | 2.1 | None | Local | Low | Not required | None | None | Partial | The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving a SCSI command. |
| 46 | CVE-2016-4020 | 200 | | +Info | 2016-05-25 | 2018-12-01 | 2.1 | None | Local | Low | Not required | Partial | None | None | The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). |
| 47 | CVE-2016-3961 | 20 | | DoS | 2016-04-15 | 2016-11-28 | 2.1 | None | Local | Low | Not required | None | None | Partial | Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. |
| 48 | CVE-2016-3712 | | | DoS Overflow | 2016-05-11 | 2018-01-04 | 2.1 | None | Local | Low | Not required | None | None | Partial | Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. |
| 49 | CVE-2016-3156 | 399 | | DoS | 2016-04-27 | 2018-01-04 | 2.1 | None | Local | Low | Not required | None | None | Partial | The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses. |
| 50 | CVE-2016-2857 | 119 | | DoS Overflow | 2016-04-11 | 2018-12-01 | 2.1 | None | Local | Low | Not required | None | None | Partial | The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. |
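Row 15 (CVE-2018-13053) says the bug is that alarm_timer_nsleep adds a user-supplied relative timeout to the current time with plain ktime_add instead of ktime_add_safe. The following is an added, user-space illustration of that arithmetic, written for this page and not taken from the kernel: ktime_add_unchecked stands in for the plain addition, ktime_add_safe_demo mirrors the saturating check the kernel's ktime_add_safe performs, and relative_expiry is a hypothetical wrapper that builds the absolute expiry both ways. The constants are the kernel's definitions of KTIME_MAX and KTIME_SEC_MAX; the sample "now" and timeout values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Nanosecond timestamps, like the kernel's ktime_t (a signed 64-bit count). */
typedef int64_t ktime_t;
#define NSEC_PER_SEC   1000000000LL
#define KTIME_MAX      INT64_MAX
#define KTIME_SEC_MAX  (KTIME_MAX / NSEC_PER_SEC)

/* Plain addition: the arithmetic the vulnerable path relied on. The sum is
 * formed in unsigned arithmetic so the wraparound is well defined in this demo
 * instead of being signed-overflow UB; the resulting bit pattern is the same. */
static ktime_t ktime_add_unchecked(ktime_t lhs, ktime_t rhs)
{
    return (ktime_t)((uint64_t)lhs + (uint64_t)rhs);
}

/* Saturating addition modelled on ktime_add_safe(): if the sum wrapped
 * (negative, or smaller than either operand) clamp it to the largest timeout
 * that can still be handed back to user space as a struct timespec.
 * Both operands are assumed non-negative (an absolute time plus a timeout). */
static ktime_t ktime_add_safe_demo(ktime_t lhs, ktime_t rhs)
{
    ktime_t res = ktime_add_unchecked(lhs, rhs);
    if (res < 0 || res < lhs || res < rhs)
        res = KTIME_SEC_MAX * NSEC_PER_SEC;
    return res;
}

/* Hypothetical wrapper: turn a relative timeout from user space into an absolute
 * expiry. use_safe_add = 1 selects the fixed arithmetic, 0 the vulnerable one. */
static ktime_t relative_expiry(ktime_t now, ktime_t rel_timeout, int use_safe_add)
{
    return use_safe_add ? ktime_add_safe_demo(now, rel_timeout)
                        : ktime_add_unchecked(now, rel_timeout);
}

/* 1 if the expiry is usable, i.e. not before "now". A wrapped expiry fails this. */
static int expiry_is_sane(ktime_t now, ktime_t expiry)
{
    return expiry >= now;
}

int main(void)
{
    /* Constructed inputs: a plausible uptime and a timeout near the top of the
     * signed 64-bit range, which a caller can request through a large timespec. */
    ktime_t now  = 1234567LL * NSEC_PER_SEC;
    ktime_t huge = KTIME_MAX - 1000;

    ktime_t bad  = relative_expiry(now, huge, 0);
    ktime_t good = relative_expiry(now, huge, 1);
    printf("unchecked  expiry: %lld (sane=%d)\n", (long long)bad,  expiry_is_sane(now, bad));
    printf("saturating expiry: %lld (sane=%d)\n", (long long)good, expiry_is_sane(now, good));
    return 0;
}
```

The unchecked sum wraps to a negative value, so the "deadline" lies in the past and the timer machinery operates on a nonsensical expiry; the saturating version clamps to KTIME_SEC_MAX seconds, which is what the kernel fix achieves by switching the call to ktime_add_safe.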
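Rows 18 (CVE-2018-7755) and 41 to 44 (the ALSA, rtnetlink and USB devio entries) describe the two common ways a kernel-to-user struct copy leaks: a field that holds a kernel pointer is copied as-is, or padding and unwritten fields carry whatever was on the kernel stack. The block below is an added example written for this page, not kernel code: `struct demo_params` is a made-up layout with both problems, `copy_to_user_demo` is a plain memcpy standing in for copy_to_user, and a 0xAA-filled union emulates stale stack contents so the leak is deterministic. The fixed handler zeroes the object and nulls the pointer, which is the shape of the upstream floppy fix (`name = NULL` before the copy) and of the memset-based fixes for the other rows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a driver parameter struct. Field names are
 * illustrative: a 1-byte member followed by padding the kernel never writes,
 * and a pointer into kernel memory, like floppy_struct.name. */
struct demo_params {
    uint8_t     size;   /* padding follows up to the alignment of .rate */
    uint64_t    rate;
    const char *name;   /* kernel address: must never reach user space */
};

/* Stands in for a kernel address the attacker wants (a string in .rodata). */
static const char kernel_name_table[] = "demo";

/* In the kernel this is copy_to_user(); here the user buffer is a plain array. */
static void copy_to_user_demo(unsigned char *ubuf, const void *kbuf, size_t n)
{
    memcpy(ubuf, kbuf, n);
}

/* Vulnerable handler: only the named fields are assigned, then the whole object
 * is copied out. The 0xAA fill plays the role of stale stack contents. */
static void getprm_vulnerable(unsigned char *ubuf)
{
    union { unsigned char raw[sizeof(struct demo_params)]; struct demo_params p; } u;
    memset(u.raw, 0xAA, sizeof u.raw);   /* emulate whatever was on the stack */
    u.p.size = 18;
    u.p.rate = 500000;
    u.p.name = kernel_name_table;        /* kernel pointer left in place */
    copy_to_user_demo(ubuf, u.raw, sizeof u.raw);
}

/* Fixed handler: zero the object so padding is deterministic and strip the
 * kernel pointer before the copy. */
static void getprm_fixed(unsigned char *ubuf)
{
    struct demo_params p;
    memset(&p, 0, sizeof p);
    p.size = 18;
    p.rate = 500000;
    p.name = NULL;
    copy_to_user_demo(ubuf, &p, sizeof p);
}

/* What a user-space caller learns from the returned buffer. */
struct leak_report {
    size_t      padding_bytes;   /* non-zero bytes between .size and .rate */
    const char *pointer;         /* value read back from the .name slot */
};

static struct leak_report inspect(void (*handler)(unsigned char *))
{
    unsigned char ubuf[sizeof(struct demo_params)];
    struct leak_report r = { 0, NULL };
    handler(ubuf);
    for (size_t i = sizeof(uint8_t); i < offsetof(struct demo_params, rate); i++)
        if (ubuf[i] != 0)
            r.padding_bytes++;
    memcpy(&r.pointer, ubuf + offsetof(struct demo_params, name), sizeof r.pointer);
    return r;
}

int main(void)
{
    struct leak_report v = inspect(getprm_vulnerable);
    struct leak_report f = inspect(getprm_fixed);
    printf("vulnerable: %zu padding bytes leaked, pointer %p\n",
           v.padding_bytes, (const void *)v.pointer);
    printf("fixed:      %zu padding bytes leaked, pointer %p\n",
           f.padding_bytes, (const void *)f.pointer);
    return 0;
}
```

On an LP64 target the vulnerable copy leaks seven padding bytes plus a full kernel address; the pointer alone is enough to defeat KASLR, which is why row 18 is tagged Bypass as well as +Info. Zeroing with memset before filling the struct (rather than relying on `= { 0 }`, which need not clear padding) is the check to look for in review.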
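Rows 31 and 33 (CVE-2017-13080 and CVE-2017-13078, the GTK halves of KRACK) say that reinstalling the group key lets an attacker in radio range replay broadcast frames. The reason is that installing a key also resets the receive replay counter. The following is an added, deliberately simplified client-side model written for this page; it is not wpa_supplicant code and omits EAPOL replay-counter handling, IGTK/MIC checks and the PTK nonce-reset variant. `handle_group_key_message`, `receive_broadcast` and `replayed_frame_accepted` are hypothetical names, and the key bytes and packet numbers are constructed. The `refuse_reinstall` flag models the upstream fix, which is to leave the installed key and its counters alone when the same key is delivered again.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define GTK_LEN 16

/* Minimal client state for the group key: the key itself and the highest
 * packet number (PN) accepted under it. */
struct gtk_state {
    uint8_t  key[GTK_LEN];
    int      installed;
    uint64_t replay_counter;    /* highest PN accepted so far */
    int      refuse_reinstall;  /* 1 = patched behaviour, 0 = vulnerable */
};

/* Process an EAPOL group-key message carrying the GTK and the AP's receive
 * sequence counter (RSC). The message is authenticated by the AP, so the
 * attacker cannot forge one, but can capture and retransmit it.
 * Returns 1 if the key was (re)installed, 0 if it was left untouched. */
static int handle_group_key_message(struct gtk_state *s, const uint8_t key[GTK_LEN], uint64_t rsc)
{
    if (s->installed && s->refuse_reinstall && memcmp(s->key, key, GTK_LEN) == 0)
        return 0;   /* fix: same key already in use, keep the current counter */
    memcpy(s->key, key, GTK_LEN);
    s->installed = 1;
    s->replay_counter = rsc;   /* installing a key resets the replay window */
    return 1;
}

/* Receive a broadcast data frame with packet number pn. Returns 1 if accepted. */
static int receive_broadcast(struct gtk_state *s, uint64_t pn)
{
    if (!s->installed || pn <= s->replay_counter)
        return 0;   /* no key, or replayed / out-of-order frame */
    s->replay_counter = pn;
    return 1;
}

/* Whole scenario. Returns 1 if the attacker's replayed frame gets through. */
static int replayed_frame_accepted(int patched)
{
    struct gtk_state client = { .refuse_reinstall = patched };
    const uint8_t gtk[GTK_LEN] = "constructed-gtk";   /* 15 chars + NUL */
    const uint64_t rsc = 0;

    handle_group_key_message(&client, gtk, rsc);   /* 1. legitimate group key handshake */
    int first = receive_broadcast(&client, 5);     /* 2. AP broadcast PN 5; attacker records it */
    handle_group_key_message(&client, gtk, rsc);   /* 3. attacker retransmits the captured handshake */
    int replay = receive_broadcast(&client, 5);    /* 4. attacker replays the PN 5 frame */
    return first && replay;
}

int main(void)
{
    printf("vulnerable client accepts replay: %d\n", replayed_frame_accepted(0));
    printf("patched client accepts replay:    %d\n", replayed_frame_accepted(1));
    return 0;
}
```

In the vulnerable run step 3 rewinds the counter to the RSC carried in the retransmitted message, so the frame captured in step 2 is accepted a second time; with the fix the counter stays at 5 and the replay is dropped. Spoofing (rows 30 and 32) needs the IGTK and the nonce reuse it enables, which this replay-only model does not cover.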
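Row 50 (CVE-2016-2857) is the classic length-field bug: net_checksum_calculate trusted the payload length taken from the packet header instead of the number of bytes actually present, so a guest could make it read past the end of the buffer. The example below is added for this page and is not QEMU code. The packet format (a 4-byte header with a big-endian length) is constructed, `checksum_trusting` and `checksum_checked` are hypothetical names for the unfixed and fixed routine, and the packet is placed at the start of a larger 0x41-filled region so that the overread lands on "neighbouring memory" that is still inside the demo's own array; that keeps the example itself free of undefined behaviour while showing exactly how far the vulnerable routine walks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed packet format (not a real protocol header):
 *   bytes 0-1: magic 0xC5 0x11
 *   bytes 2-3: payload length, big-endian
 *   bytes 4.. : payload                                                        */
#define HDR_LEN    4
#define REGION_LEN 64

struct csum_result {
    int      ok;          /* 1 = checksum computed, 0 = packet rejected */
    size_t   bytes_read;  /* bytes the routine touched, header included */
    uint16_t csum;
};

/* Internet-style ones' complement checksum over len bytes. */
static uint16_t checksum16(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Vulnerable: believes the header's length field; the real buffer size is
 * never consulted, so a crafted length walks off the end of the packet. */
static struct csum_result checksum_trusting(const uint8_t *pkt, size_t pkt_len)
{
    struct csum_result r = { 0, 0, 0 };
    (void)pkt_len;
    size_t payload_len = (size_t)pkt[2] << 8 | pkt[3];
    r.ok = 1;
    r.bytes_read = HDR_LEN + payload_len;
    r.csum = checksum16(pkt + HDR_LEN, payload_len);
    return r;
}

/* Fixed: the declared length is validated against the bytes actually received. */
static struct csum_result checksum_checked(const uint8_t *pkt, size_t pkt_len)
{
    struct csum_result r = { 0, 0, 0 };
    if (pkt_len < HDR_LEN) return r;
    size_t payload_len = (size_t)pkt[2] << 8 | pkt[3];
    if (payload_len > pkt_len - HDR_LEN) return r;   /* declared > actual */
    r.ok = 1;
    r.bytes_read = HDR_LEN + payload_len;
    r.csum = checksum16(pkt + HDR_LEN, payload_len);
    return r;
}

/* Build a packet with an 8-byte payload at the start of the region, fill the rest
 * with 0x41 to stand in for neighbouring heap memory, and advertise declared_len
 * in the header. Returns the real packet length. */
static size_t make_demo_region(uint8_t region[REGION_LEN], uint16_t declared_len)
{
    static const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    memset(region, 0x41, REGION_LEN);
    region[0] = 0xC5; region[1] = 0x11;
    region[2] = (uint8_t)(declared_len >> 8);
    region[3] = (uint8_t)(declared_len & 0xff);
    memcpy(region + HDR_LEN, payload, sizeof payload);
    return HDR_LEN + sizeof payload;
}

/* How many bytes beyond the real packet the trusting routine reads. declared_len
 * is clamped so the demo's own overread stays inside the region. */
static size_t overread_bytes(uint16_t declared_len)
{
    uint8_t region[REGION_LEN];
    if (declared_len > REGION_LEN - HDR_LEN) declared_len = REGION_LEN - HDR_LEN;
    size_t n = make_demo_region(region, declared_len);
    struct csum_result t = checksum_trusting(region, n);
    return t.bytes_read > n ? t.bytes_read - n : 0;
}

/* Whether the checked routine accepts a packet advertising declared_len. */
static int checked_accepts(uint16_t declared_len)
{
    uint8_t region[REGION_LEN];
    if (declared_len > REGION_LEN - HDR_LEN) declared_len = REGION_LEN - HDR_LEN;
    size_t n = make_demo_region(region, declared_len);
    return checksum_checked(region, n).ok;
}

int main(void)
{
    printf("header says 40, packet has 8: trusting overreads %zu bytes, checked ok=%d\n",
           overread_bytes(40), checked_accepts(40));
    printf("header says 8,  packet has 8: trusting overreads %zu bytes, checked ok=%d\n",
           overread_bytes(8), checked_accepts(8));
    return 0;
}
```

With a real heap buffer the 32 extra bytes would be read from whatever follows the packet, which is the out-of-bounds heap read the row describes; the only change needed is the single comparison of the declared length against the received length before it is used.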