| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 1 | CVE-2021-27851 | 59 | | | 2021-04-26 | 2022-07-29 | 2.1 | None | Local | Low | Not required | None | Partial | None |
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable. |
| 2 | CVE-2021-3981 | 276 | | | 2022-03-10 | 2022-10-28 | 2.1 | None | Local | Low | Not required | Partial | None | None |
A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released. |
| 3 | CVE-2020-29562 | 617 | | DoS | 2020-12-04 | 2021-03-19 | 2.1 | None | Remote | High | ??? | None | None | Partial |
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. |
| 4 | CVE-2020-27618 | 835 | | DoS | 2021-02-26 | 2022-10-28 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. |
| 5 | CVE-2020-23856 | 416 | | DoS | 2021-05-18 | 2022-01-01 | 2.1 | None | Local | Low | Not required | None | None | Partial |
Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee. |
| 6 | CVE-2020-15011 | 74 | | | 2020-06-24 | 2021-11-30 | 2.6 | None | Remote | High | Not required | None | Partial | None |
GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. |
| 7 | CVE-2020-14150 | | | DoS | 2020-06-15 | 2020-08-31 | 2.1 | None | Local | Low | Not required | None | None | Partial |
GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison. |
| 8 | CVE-2020-10029 | 787 | | Overflow | 2020-03-04 | 2022-11-10 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. |
| 9 | CVE-2019-19126 | 665 | | Bypass | 2019-11-19 | 2022-11-08 | 2.1 | None | Local | Low | Not required | Partial | None | None |
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. |
| 10 | CVE-2019-7309 | | | | 2019-02-03 | 2020-08-24 | 2.1 | None | Local | Low | Not required | None | None | Partial |
In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. |
| 11 | CVE-2018-20483 | 200 | | +Info | 2018-12-26 | 2020-08-24 | 2.1 | None | Local | Low | Not required | Partial | None | None |
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl. |
| 12 | CVE-2017-1000455 | 346 | | | 2018-01-02 | 2018-01-30 | 2.1 | None | Local | Low | Not required | None | Partial | None |
GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading to the creation of setuid executables in "the store", violating a fundamental security assumption of GNU Guix. |
| 13 | CVE-2017-1000383 | 200 | | +Info | 2017-10-31 | 2017-11-27 | 2.1 | None | Local | Low | Not required | Partial | None | None |
GNU Emacs version 25.3.1 (and other versions most likely) ignores umask when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the emacs binary. |
| 14 | CVE-2017-11671 | 338 | | | 2017-07-26 | 2018-04-12 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation. |
| 15 | CVE-2016-9401 | 416 | | Bypass | 2017-01-23 | 2020-09-14 | 2.1 | None | Local | Low | Not required | None | None | Partial |
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. |
| 16 | CVE-2016-2781 | 20 | | | 2017-02-07 | 2021-02-25 | 2.1 | None | Local | Low | Not required | None | Partial | None |
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
| 17 | CVE-2015-8777 | 254 | | Bypass | 2016-01-20 | 2018-01-05 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. |
| 18 | CVE-2015-1345 | 119 | | DoS Overflow | 2015-02-12 | 2018-10-30 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option. |
| 19 | CVE-2013-4577 | 264 | | | 2014-05-12 | 2014-05-12 | 2.1 | None | Local | Low | Not required | Partial | None | None |
A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file. |
| 20 | CVE-2013-2207 | 264 | | | 2013-10-09 | 2017-07-01 | 2.6 | None | Local | High | Not required | Partial | Partial | None |
pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. |
| 21 | CVE-2011-5320 | 119 | | DoS Overflow | 2017-10-18 | 2017-11-08 | 2.1 | None | Local | Low | Not required | None | None | Partial |
scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s. |
| 22 | CVE-2010-0002 | 20 | | | 2010-01-14 | 2011-08-08 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename. |
| 23 | CVE-2008-3896 | 200 | | +Info | 2008-09-03 | 2018-10-11 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Grub Legacy 0.97 and earlier stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer before and after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer. |
| 24 | CVE-2006-7254 | 19 | | DoS | 2019-04-10 | 2019-04-11 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon. |
| 25 | CVE-2006-4624 | 94 | | | 2006-09-07 | 2018-10-17 | 2.6 | None | Remote | High | Not required | None | Partial | None |
CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI. |
| 26 | CVE-2006-4573 | | | DoS | 2006-10-24 | 2011-03-08 | 2.6 | None | Remote | High | Not required | None | None | Partial |
Multiple unspecified vulnerabilities in the "utf8 combining characters handling" (utf8_handle_comb function in encoding.c) in screen before 4.0.3 allows user-assisted attackers to cause a denial of service (crash or hang) via certain UTF8 sequences. |
| 27 | CVE-2006-1902 | 119 | | Overflow | 2006-04-20 | 2018-10-18 | 2.1 | None | Local | Low | Not required | None | Partial | None |
fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers. NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value." |
| 28 | CVE-2006-1712 | | | XSS | 2006-04-11 | 2011-03-08 | 2.6 | None | Remote | High | Not required | None | Partial | None |
Cross-site scripting (XSS) vulnerability in the private archive script (private.py) in GNU Mailman 2.1.7 allows remote attackers to inject arbitrary web script or HTML via the action argument. |
| 29 | CVE-2005-3137 | | | | 2005-10-05 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2005-2960. |
| 30 | CVE-2005-2960 | | | | 2005-10-05 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in, a different vulnerability than CVE-2005-3137. |
| 31 | CVE-2005-2180 | | | | 2005-07-11 | 2016-10-18 | 2.1 | None | Local | Low | Not required | None | Partial | None |
gen-index in GNATS 4.0, 4.1.0, and possibly earlier versions, when installed setuid, does not properly check files passed to the -o argument and opens the file with write access, which allows local users to overwrite arbitrary files. |
| 32 | CVE-2005-1918 | 22 | | Dir. Trav. | 2005-12-31 | 2018-10-19 | 2.6 | None | Remote | High | Not required | None | Partial | None |
The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/". |
| 33 | CVE-2005-0990 | | | | 2005-05-02 | 2018-10-03 | 2.1 | None | Local | Low | Not required | None | Partial | None |
unshar (unshar.c) in sharutils 4.2.1 allows local users to overwrite arbitrary files via a symlink attack on the unsh.X temporary file. |
| 34 | CVE-2004-2459 | | | | 2004-12-31 | 2008-09-05 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Unknown vulnerability in gnubiff 1.2.0 and earlier allows local users to obtain passwords, related to the password table. |
| 35 | CVE-2004-2014 | | | | 2004-12-31 | 2018-10-03 | 2.6 | None | Local | High | Not required | None | Partial | Partial |
Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded. |
| 36 | CVE-2004-1453 | | | | 2004-12-31 | 2017-10-11 | 2.1 | None | Local | Low | Not required | Partial | None | None |
GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program. |
| 37 | CVE-2004-1382 | | | | 2004-12-31 | 2016-10-18 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968. |
| 38 | CVE-2004-1377 | | | | 2004-12-27 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) scripts in a2ps before 4.13 allow local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 39 | CVE-2004-1296 | | | | 2004-12-31 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 40 | CVE-2004-0970 | | | | 2005-02-09 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allows local users to overwrite files via a symlink attack on temporary files. NOTE: the znew vulnerability may overlap CVE-2003-0367. |
| 41 | CVE-2004-0969 | | | | 2005-02-09 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. |
| 42 | CVE-2004-0968 | | | | 2005-02-09 | 2017-10-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files. |
| 43 | CVE-2004-0966 | | | | 2005-02-09 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files. |
| 44 | CVE-2004-0422 | | | | 2004-07-07 | 2017-07-11 | 2.1 | None | Local | Low | Not required | None | Partial | None |
flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. |
| 45 | CVE-2004-0256 | | | | 2004-11-23 | 2018-05-03 | 2.1 | None | Local | Low | Not required | None | Partial | None |
GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. |
| 46 | CVE-2003-0858 | 399 | | DoS | 2003-12-15 | 2017-10-11 | 2.1 | None | Local | Low | Not required | None | None | Partial |
Zebra 0.93b and earlier, and quagga before 0.95, allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. |
| 47 | CVE-2003-0854 | | | | 2003-11-17 | 2017-10-11 | 2.1 | None | Local | Low | Not required | None | None | Partial |
ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd. |
| 48 | CVE-2003-0367 | 20 | | | 2003-07-02 | 2019-05-23 | 2.1 | None | Local | Low | Not required | None | Partial | None |
znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 49 | CVE-2002-0389 | | | | 2002-06-18 | 2016-12-28 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Pipermail in Mailman stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. |
| 50 | CVE-2001-1593 | 59 | | | 2014-04-05 | 2014-05-01 | 2.1 | None | Local | Low | Not required | None | Partial | None |
The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file. |