Skip to main content

Debian

1306 CVEs vendor

Monthly

CVE-2015-1378 HIGH This Week

cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68.1, 0.7x before 0.78 is sourced without checking that the local directory is writable by non-root users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Debian Privilege Escalation Grml Debootstrap Bootstrap
NVD GitHub
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-11565 HIGH This Week

debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was designed to execute aa-exec from the standard system pathname if the apparmor package is installed, but implements this. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Debian Authentication Bypass Tor
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-9525 MEDIUM This Month

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Ubuntu Debian Privilege Escalation Cron Debian Linux
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2017-0373 HIGH PATCH This Week

The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod.pm in Config-Model (aka libconfig-model-perl) before 2.102 has a dangerous "use lib" line, which allows remote attackers to have. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Debian Information Disclosure Config Model
NVD
CVSS 3.0
7.3
EPSS
0.5%
CVE-2017-8283 CRITICAL PATCH Act Now

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Debian Dpkg
NVD
CVSS 3.0
9.8
EPSS
1.1%
CVE-2015-6674 CRITICAL PATCH Act Now

Buffer underflow vulnerability in the Debian inspircd package before 2.0.5-1+deb7u1 for wheezy and before 2.0.16-1 for jessie and sid. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Debian Inspircd Debian Linux
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2017-7358 HIGH POC This Week

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Debian Lightdm Ubuntu Linux
NVD Exploit-DB
CVSS 3.0
7.3
EPSS
1.7%
CVE-2017-6964 HIGH This Week

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ubuntu Debian Information Disclosure Ubuntu Linux Debian Linux
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2016-9775 HIGH This Week

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian Privilege Escalation Debian Linux +1
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-9774 HIGH This Week

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian Information Disclosure Debian Linux +1
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-6056 HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat Debian Ubuntu +2
NVD
CVSS 3.0
7.5
EPSS
15.9%
CVE-2016-4484 MEDIUM POC PATCH This Month

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Debian Authentication Bypass Cryptsetup
NVD VulDB
CVSS 3.0
6.8
EPSS
0.5%
CVE-2016-1247 HIGH POC This Week

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Nginx Debian Information Disclosure Ubuntu Fedora
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
9.8%
CVE-2016-1240 HIGH POC THREAT Act Now

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Tomcat Information Disclosure Ubuntu Debian Java
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
22.1%
CVE-2016-7118 MEDIUM This Month

fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Debian Denial Of Service Linux Null Pointer Dereference Debian Linux
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2016-0774 MEDIUM This Month

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Debian Denial Of Service Red Hat Linux Linux Kernel +1
NVD
CVSS 3.0
6.8
EPSS
0.0%
CVE-2016-2856 HIGH POC This Week

pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the elibc package before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS and before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS; and the glibc. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Debian Privilege Escalation Ubuntu Ubuntu Linux Debian Linux
NVD Exploit-DB
CVSS 3.0
8.4
EPSS
0.7%
CVE-2016-1233 HIGH This Week

An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Fuse
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2015-0860 HIGH This Week

Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Buffer Overflow Ubuntu Linux Dpkg
NVD
CVSS 2.0
7.5
EPSS
4.9%
CVE-2015-0859 HIGH This Week

The Debian build procedure for the smokeping package in wheezy before 2.6.8-2+deb7u1 and jessie before 2.6.9-1+deb8u1 does not properly configure the way Apache httpd passes arguments to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Apache Debian Linux
NVD
CVSS 2.0
7.5
EPSS
2.8%
CVE-2014-8873 CRITICAL Act Now

A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by mime-support, which allows remote attackers to execute arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.0% and no vendor patch available.

Debian RCE Openjdk
NVD
CVSS 2.0
10.0
EPSS
10.0%
CVE-2015-0840 MEDIUM PATCH This Month

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Debian Authentication Bypass Dpkg Ubuntu Linux
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2014-9713 MEDIUM This Month

The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian Privilege Escalation Openldap Debian Linux
NVD
CVSS 2.0
4.0
EPSS
0.1%
CVE-2014-7209 HIGH This Week

run-mailcap in the Debian mime-support package before 3.52-1+deb7u1 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Debian Mime Support
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2014-7207 MEDIUM This Month

A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Debian Linux Linux Kernel
NVD
CVSS 2.0
4.9
EPSS
0.1%
CVE-2014-0484 HIGH This Week

The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment.". Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Acpi Support
NVD
CVSS 2.0
7.2
EPSS
0.0%
CVE-2012-0943 LOW POC PATCH Monitor

debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1.0.6 and 1.1.x before 1.1.7, as used in Ubuntu Linux 11.10, allows local users to delete arbitrary files via a space in the name. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. Public exploit code available.

Debian Privilege Escalation Ubuntu Lightdm Ubuntu Linux
NVD Exploit-DB
CVSS 2.0
2.1
EPSS
0.2%
CVE-2014-3127 HIGH This Week

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal Debian Dpkg
NVD
CVSS 2.0
7.1
EPSS
0.8%
CVE-2014-2405 CRITICAL Act Now

Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux and Ubuntu 12.04 LTS and 10.04 LTS has unknown impact and attack vectors, a different vulnerability than CVE-2014-0462. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Ubuntu Openjdk
NVD
CVSS 2.0
10.0
EPSS
0.6%
CVE-2014-0462 CRITICAL Act Now

Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux and Ubuntu 12.04 LTS and 10.04 LTS has unknown impact and attack vectors, a different vulnerability than CVE-2014-2405. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Ubuntu Openjdk
NVD
CVSS 2.0
10.0
EPSS
0.6%
CVE-2013-4577 LOW PATCH Monitor

A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Debian Privilege Escalation Grub
NVD
CVSS 2.0
2.1
EPSS
0.2%
CVE-2014-0469 MEDIUM This Month

Stack-based buffer overflow in a certain Debian patch for xbuffy before 3.3.bl.3.dfsg-9 allows remote attackers to execute arbitrary code via the subject of an email, possibly related to indent. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Debian Buffer Overflow RCE Xbuffy
NVD VulDB
CVSS 2.0
6.8
EPSS
3.7%
CVE-2014-1638 LOW Monitor

(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new. Rated low severity (CVSS 3.3). No vendor patch available.

Debian Information Disclosure Localepurge
NVD
CVSS 2.0
3.3
EPSS
0.0%
CVE-2013-6409 MEDIUM This Month

Debian adequate before 0.8.1, when run by root with the --user option, allows local users to hijack the tty and possibly gain privileges via the TIOCSTI ioctl. Rated medium severity (CVSS 6.2). No vendor patch available.

Privilege Escalation Debian Adequate
NVD
CVSS 2.0
6.2
EPSS
0.0%
CVE-2013-1444 LOW Monitor

A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222. Rated low severity (CVSS 3.3). No vendor patch available.

Debian Information Disclosure Txt2Man
NVD
CVSS 2.0
3.3
EPSS
0.0%
CVE-2013-5724 LOW Monitor

Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Debian Phpbb3
NVD
CVSS 2.0
2.1
EPSS
0.0%
CVE-2013-1662 MEDIUM POC This Month

vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in. Rated medium severity (CVSS 6.9). Public exploit code available and no vendor patch available.

Privilege Escalation VMware Debian Workstation Player
NVD Exploit-DB
CVSS 2.0
6.9
EPSS
6.1%
CVE-2013-2162 LOW POC Monitor

Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions. Rated low severity (CVSS 1.9). Public exploit code available and no vendor patch available.

Debian Information Disclosure Race Condition Ubuntu Ubuntu Linux
NVD
CVSS 2.0
1.9
EPSS
0.1%
CVE-2013-0260 LOW Monitor

Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Debian Information Disclosure Drush Debian Packaging
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2013-1427 LOW Monitor

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP. Rated low severity (CVSS 1.9). No vendor patch available.

PHP Debian Authentication Bypass Lighttpd
NVD
CVSS 2.0
1.9
EPSS
0.0%
CVE-2013-1048 MEDIUM PATCH This Month

The Debian apache2ctl script in the apache2 package squeeze before 2.2.16-6+squeeze11, wheezy before 2.2.22-13, and sid before 2.2.22-13 for the Apache HTTP Server on Debian GNU/Linux does not. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity.

Privilege Escalation Apache Debian Apache2
NVD
CVSS 2.0
4.6
EPSS
0.1%
CVE-2012-2251 MEDIUM This Month

rssh 2.3.2, as used by Debian, Fedora, and others, when the rsync protocol is enabled, allows local users to bypass intended restricted shell access via a (1) "-e" or (2) "--" command line option. Rated medium severity (CVSS 4.4). No vendor patch available.

Debian Authentication Bypass Rssh
NVD
CVSS 2.0
4.4
EPSS
0.0%
CVE-2012-5519 HIGH POC THREAT Act Now

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 10.2%.

Privilege Escalation Debian Cups
NVD
CVSS 2.0
7.2
EPSS
10.2%
CVE-2012-2317 MEDIUM This Month

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP Debian Ubuntu Authentication Bypass Php5 Common +3
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-2653 CRITICAL Act Now

arpwatch 2.1a15, as used by Red Hat, Debian, Fedora, and possibly others, does not properly drop supplementary groups, which might allow attackers to gain root privileges by leveraging other. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Debian Arpwatch
NVD
CVSS 2.0
10.0
EPSS
1.8%
CVE-2012-0216 MEDIUM This Month

The default configuration of the apache2 package in Debian GNU/Linux squeeze before 2.2.16-6+squeeze7, wheezy before 2.2.22-4, and sid before 2.2.22-4, when mod_php or mod_rivet is used, provides. Rated medium severity (CVSS 4.4). No vendor patch available.

XSS Apache Debian Debian Linux
NVD
CVSS 2.0
4.4
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH This Week

cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68.1, 0.7x before 0.78 is sourced without checking that the local directory is writable by non-root users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Debian Privilege Escalation Grml Debootstrap +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was designed to execute aa-exec from the standard system pathname if the apparmor package is installed, but implements this. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Debian Authentication Bypass Tor
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Ubuntu Debian Privilege Escalation +2
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod.pm in Config-Model (aka libconfig-model-perl) before 2.102 has a dangerous "use lib" line, which allows remote attackers to have. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Debian Information Disclosure Config Model
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Debian Dpkg
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Buffer underflow vulnerability in the Debian inspircd package before 2.0.5-1+deb7u1 for wheezy and before 2.0.16-1 for jessie and sid. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Debian Inspircd +1
NVD
EPSS 2% CVSS 7.3
HIGH POC This Week

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Debian Lightdm +1
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ubuntu Debian Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian +3
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian +3
NVD
EPSS 16% CVSS 7.5
HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat +4
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Debian Authentication Bypass Cryptsetup
NVD VulDB
EPSS 10% CVSS 7.8
HIGH POC This Week

The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Nginx Debian Information Disclosure +2
NVD Exploit-DB
EPSS 22% CVSS 7.8
HIGH POC THREAT Act Now

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Tomcat Information Disclosure Ubuntu +2
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM This Month

fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Debian Denial Of Service Linux +2
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Debian Denial Of Service Red Hat +3
NVD
EPSS 1% CVSS 8.4
HIGH POC This Week

pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the elibc package before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS and before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS; and the glibc. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Debian Privilege Escalation Ubuntu +2
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Fuse
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Buffer Overflow +2
NVD
EPSS 3% CVSS 7.5
HIGH This Week

The Debian build procedure for the smokeping package in wheezy before 2.6.8-2+deb7u1 and jessie before 2.6.9-1+deb8u1 does not properly configure the way Apache httpd passes arguments to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Apache +1
NVD
EPSS 10% CVSS 10.0
CRITICAL Act Now

A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 includes a MIME type registration that is added to /etc/mailcap by mime-support, which allows remote attackers to execute arbitrary. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.0% and no vendor patch available.

Debian RCE Openjdk
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Debian Authentication Bypass Dpkg +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian Privilege Escalation Openldap +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

run-mailcap in the Debian mime-support package before 3.52-1+deb7u1 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Debian Mime Support
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

A certain Debian patch to the IPv6 implementation in the Linux kernel 3.2.x through 3.2.63 does not properly validate arguments in ipv6_select_ident function calls, which allows local users to cause. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Debian Linux +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment.". Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Acpi Support
NVD
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1.0.6 and 1.1.x before 1.1.7, as used in Ubuntu Linux 11.10, allows local users to delete arbitrary files via a space in the name. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. Public exploit code available.

Debian Privilege Escalation Ubuntu +2
NVD Exploit-DB
EPSS 1% CVSS 7.1
HIGH This Week

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal Debian Dpkg
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux and Ubuntu 12.04 LTS and 10.04 LTS has unknown impact and attack vectors, a different vulnerability than CVE-2014-0462. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Ubuntu +1
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux and Ubuntu 12.04 LTS and 10.04 LTS has unknown impact and attack vectors, a different vulnerability than CVE-2014-2405. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Ubuntu +1
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.

Debian Privilege Escalation Grub
NVD
EPSS 4% CVSS 6.8
MEDIUM This Month

Stack-based buffer overflow in a certain Debian patch for xbuffy before 3.3.bl.3.dfsg-9 allows remote attackers to execute arbitrary code via the subject of an email, possibly related to indent. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Debian Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

(1) debian/postrm and (2) debian/localepurge.config in localepurge before 0.7.3.2 use tempfile to create a safe temporary file but appends a suffix to the original filename and writes to this new. Rated low severity (CVSS 3.3). No vendor patch available.

Debian Information Disclosure Localepurge
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Debian adequate before 0.8.1, when run by root with the --user option, allows local users to hijack the tty and possibly gain privileges via the TIOCSTI ioctl. Rated medium severity (CVSS 6.2). No vendor patch available.

Privilege Escalation Debian Adequate
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222. Rated low severity (CVSS 3.3). No vendor patch available.

Debian Information Disclosure Txt2Man
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permissions for cache files, which allows local users to modify the file contents via standard filesystem write operations. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Debian Phpbb3
NVD
EPSS 6% CVSS 6.9
MEDIUM POC This Month

vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in. Rated medium severity (CVSS 6.9). Public exploit code available and no vendor patch available.

Privilege Escalation VMware Debian +2
NVD Exploit-DB
EPSS 0% CVSS 1.9
LOW POC Monitor

Race condition in the post-installation script (mysql-server-5.5.postinst) for MySQL Server 5.5 for Debian GNU/Linux and Ubuntu Linux creates a configuration file with world-readable permissions. Rated low severity (CVSS 1.9). Public exploit code available and no vendor patch available.

Debian Information Disclosure Race Condition +2
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Debian Information Disclosure Drush Debian Packaging
NVD
EPSS 0% CVSS 1.9
LOW Monitor

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP. Rated low severity (CVSS 1.9). No vendor patch available.

PHP Debian Authentication Bypass +1
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

The Debian apache2ctl script in the apache2 package squeeze before 2.2.16-6+squeeze11, wheezy before 2.2.22-13, and sid before 2.2.22-13 for the Apache HTTP Server on Debian GNU/Linux does not. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity.

Privilege Escalation Apache Debian +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

rssh 2.3.2, as used by Debian, Fedora, and others, when the rsync protocol is enabled, allows local users to bypass intended restricted shell access via a (1) "-e" or (2) "--" command line option. Rated medium severity (CVSS 4.4). No vendor patch available.

Debian Authentication Bypass Rssh
NVD
EPSS 10% CVSS 7.2
HIGH POC THREAT Act Now

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 10.2%.

Privilege Escalation Debian Cups
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP Debian Ubuntu +5
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

arpwatch 2.1a15, as used by Red Hat, Debian, Fedora, and possibly others, does not properly drop supplementary groups, which might allow attackers to gain root privileges by leveraging other. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Debian +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The default configuration of the apache2 package in Debian GNU/Linux squeeze before 2.2.16-6+squeeze7, wheezy before 2.2.22-4, and sid before 2.2.22-4, when mod_php or mod_rivet is used, provides. Rated medium severity (CVSS 4.4). No vendor patch available.

XSS Apache Debian +1
NVD
Prev Page 15 of 15

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy