| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-36159 |
125 |
|
|
2021-08-03 |
2021-10-18 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late. |
|
2 |
CVE-2020-25584 |
362 |
|
|
2021-04-07 |
2021-06-03 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
In FreeBSD 13.0-STABLE before n245118, 12.2-STABLE before r369552, 11.4-STABLE before r369560, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, a superuser inside a FreeBSD jail configured with the non-default allow.mount permission could cause a race condition between the lookup of ".." and remounting a filesystem, allowing access to filesystem hierarchy outside of the jail. |
|
3 |
CVE-2020-7457 |
362 |
|
Exec Code |
2020-07-09 |
2022-01-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution. |
|
4 |
CVE-2019-9499 |
287 |
|
|
2019-04-17 |
2020-10-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. |
|
5 |
CVE-2019-9498 |
287 |
|
|
2019-04-17 |
2020-10-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. |
|
6 |
CVE-2019-5609 |
787 |
|
|
2019-08-30 |
2023-01-31 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host. |
|
7 |
CVE-2019-5605 |
665 |
|
+Info |
2019-07-26 |
2023-03-01 |
6.8 |
None |
Remote |
Low |
??? |
Complete |
None |
None |
|
In FreeBSD 11.3-STABLE before r350217, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, due to insufficient initialization of memory copied to userland in the freebsd32_ioctl interface, small amounts of kernel memory may be disclosed to userland processes. This may allow an attacker to leverage this information to obtain elevated privileges either directly or indirectly. |
|
8 |
CVE-2019-5597 |
20 |
|
Bypass |
2019-05-15 |
2019-06-11 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
In FreeBSD 11.3-PRERELEASE and 12.0-STABLE before r347591, 11.2-RELEASE before 11.2-RELEASE-p10, and 12.0-RELEASE before 12.0-RELEASE-p4, a bug in the pf IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of the first packet allowing maliciously crafted IPv6 packets to cause a crash or potentially bypass the packet filter. |
|
9 |
CVE-2017-15037 |
362 |
|
|
2017-10-05 |
2017-10-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In FreeBSD through 11.1, the smb_strdupin function in sys/netsmb/smb_subr.c has a race condition with a resultant out-of-bounds read, because it can cause t2p->t_name strings to lack a final '\0' character. |
|
10 |
CVE-2017-11103 |
345 |
|
|
2017-07-13 |
2020-08-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. |
|
11 |
CVE-2016-5766 |
190 |
|
DoS Overflow |
2016-08-07 |
2019-04-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via crafted chunk dimensions in an image. |
|
12 |
CVE-2014-8611 |
119 |
|
DoS Exec Code Overflow |
2015-09-18 |
2016-04-06 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The __sflush function in fflush.c in stdio in libc in FreeBSD 10.1 and the kernel in Apple iOS before 9 mishandles failures of the write system call, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted application. |
|
13 |
CVE-2013-5691 |
264 |
|
DoS +Priv |
2013-09-23 |
2013-10-24 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The (1) IPv6 and (2) ATM ioctl request handlers in the kernel in FreeBSD 8.3 through 9.2-STABLE do not validate SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR, and SIOCSIFNETMASK requests, which allows local users to perform link-layer actions, cause a denial of service (panic), or possibly gain privileges via a crafted application. |
|
14 |
CVE-2013-4851 |
264 |
|
Bypass |
2013-07-29 |
2019-03-18 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The vfs_hang_addrlist function in sys/kern/vfs_export.c in the NFS server implementation in the kernel in FreeBSD 8.3 and 9.x through 9.1-RELEASE-p5 controls authorization for host/subnet export entries on the basis of group information sent by the client, which allows remote attackers to bypass file permissions on NFS filesystems via crafted requests. |
|
15 |
CVE-2013-2171 |
264 |
|
+Priv Bypass |
2013-07-02 |
2019-03-18 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEASE-p4 does not properly determine whether a task should have write access to a memory location, which allows local users to bypass filesystem write permissions and consequently gain privileges via a crafted application that leverages read permissions, and makes mmap and ptrace system calls. |
|
16 |
CVE-2011-4122 |
22 |
|
+Priv Dir. Trav. |
2011-11-17 |
2017-08-29 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass. |
|
17 |
CVE-2011-1778 |
119 |
|
DoS Exec Code Overflow |
2012-04-13 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive. |
|
18 |
CVE-2011-1777 |
119 |
|
DoS Exec Code Overflow |
2012-04-13 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image. |
|
19 |
CVE-2010-2020 |
20 |
2
|
+Priv |
2010-05-28 |
2012-11-06 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD 7.2 through 8.1-PRERELEASE, when vfs.usermount is enabled, does not validate the length of a certain fhsize parameter, which allows local users to gain privileges via a crafted mount request. |
|
20 |
CVE-2010-0318 |
264 |
|
|
2010-01-15 |
2011-08-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure. |
|
21 |
CVE-2009-3527 |
362 |
|
DoS +Priv Mem. Corr. |
2009-10-06 |
2009-10-07 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption. |
|
22 |
CVE-2009-0689 |
119 |
|
DoS Exec Code Overflow |
2009-07-01 |
2018-11-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. |
|
23 |
CVE-2008-5162 |
310 |
|
|
2008-11-26 |
2008-12-03 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM framework and various network protocols, related to the Yarrow random number generator. |
|
24 |
CVE-2008-5142 |
59 |
|
|
2008-11-18 |
2012-10-31 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
sendbug in freebsd-sendpr 3.113+5.3 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on a /tmp/pr.##### temporary file. |
|
25 |
CVE-2008-3531 |
119 |
|
Overflow +Priv |
2008-09-05 |
2017-08-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions." |
|
26 |
CVE-2008-0217 |
264 |
|
|
2008-01-16 |
2017-08-08 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes openpty, which creates a pseudo-terminal with world-readable and world-writable permissions when it is not run as root, which allows local users to read data from the terminal of the user running script. |
|
27 |
CVE-2007-0267 |
399 |
|
DoS |
2007-01-17 |
2011-06-10 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries. |
|
28 |
CVE-2007-0166 |
|
|
|
2007-01-11 |
2008-11-15 |
6.6 |
None |
Local |
Medium |
??? |
Complete |
Complete |
Complete |
|
The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack. |
|
29 |
CVE-2006-2655 |
|
|
Bypass |
2006-06-02 |
2017-07-20 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The build process for ypserv in FreeBSD 5.3 up to 6.1 accidentally disables access restrictions when using the /var/yp/securenets file, which allows remote attackers to bypass intended access restrictions. |
|
30 |
CVE-2006-2654 |
|
|
Dir. Trav. |
2006-06-02 |
2017-07-20 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Directory traversal vulnerability in smbfs smbfs on FreeBSD 4.10 up to 6.1 allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences. NOTE: this is similar to CVE-2006-1864, but this is a different implementation of smbfs, so it has a different CVE identifier. |
|
31 |
CVE-2003-1230 |
|
|
|
2003-12-31 |
2017-07-11 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The implementation of SYN cookies (syncookies) in FreeBSD 4.5 through 5.0-RELEASE-p3 uses only 32-bit internal keys when generating syncookies, which makes it easier for remote attackers to conduct brute force ISN guessing attacks and spoof legitimate traffic. |
|
32 |
CVE-2002-0824 |
59 |
|
|
2002-08-12 |
2021-03-11 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
BSD pppd allows local users to change the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device. |
|
33 |
CVE-2001-1185 |
|
|
+Priv |
2001-12-10 |
2008-09-05 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
Some AIO operations in FreeBSD 4.4 may be delayed until after a call to execve, which could allow a local user to overwrite memory of the new process and gain privileges. |
|
34 |
CVE-2001-1145 |
|
|
|
2001-08-17 |
2008-09-10 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (chdir) into a different directory than intended when the directory above the current directory is moved, which could cause scripts to perform dangerous actions on the wrong directories. |
|
35 |
CVE-2001-0371 |
|
|
|
2001-06-18 |
2017-10-10 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and earlier, and possibly other operating systems, makes deleted data available to user processes before it is zeroed out, which allows a local user to access otherwise restricted information. |
|
36 |
CVE-2000-0092 |
|
|
|
2000-01-19 |
2011-03-08 |
6.2 |
None |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
The BSD make program allows local users to modify files via a symlink attack when the -j option is being used. |
|
37 |
CVE-1999-0074 |
|
|
|
1997-07-01 |
2022-08-17 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Listening TCP ports are sequentially allocated, allowing spoofing attacks. |
