| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-21947 |
284 |
|
|
2022-04-01 |
2022-04-11 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
A Improper Access Control vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issue affects: SUSE Rancher Desktop versions prior to V. |
|
2 |
CVE-2021-41819 |
565 |
|
|
2022-01-01 |
2022-05-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. |
|
3 |
CVE-2021-41817 |
|
|
DoS |
2022-01-01 |
2022-05-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. |
|
4 |
CVE-2021-36784 |
269 |
|
|
2022-05-02 |
2022-05-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4. |
|
5 |
CVE-2021-36778 |
522 |
|
|
2022-05-02 |
2022-05-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. |
|
6 |
CVE-2021-32000 |
61 |
|
|
2021-07-28 |
2021-08-11 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up version 1.6-4.6.1 and prior versions. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up version 1.6-3.9.1 and prior versions. openSUSE Factory clone-master-clean-up version 1.6-1.4 and prior versions. |
|
7 |
CVE-2021-4200 |
269 |
|
|
2022-05-02 |
2022-05-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4. |
|
8 |
CVE-2021-4166 |
125 |
|
|
2021-12-25 |
2022-05-17 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
vim is vulnerable to Out-of-bounds Read |
|
9 |
CVE-2020-6449 |
416 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
10 |
CVE-2020-6429 |
787 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
11 |
CVE-2020-6428 |
787 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
12 |
CVE-2020-6427 |
787 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
13 |
CVE-2020-6424 |
416 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
14 |
CVE-2020-6422 |
787 |
|
|
2020-03-23 |
2022-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
15 |
CVE-2020-5504 |
89 |
|
Sql |
2020-01-09 |
2020-11-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. |
|
16 |
CVE-2019-15623 |
|
|
|
2020-02-04 |
2021-10-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled. |
|
17 |
CVE-2019-12303 |
74 |
|
Exec Code |
2019-06-06 |
2022-04-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. |
|
18 |
CVE-2019-11038 |
908 |
|
|
2019-06-19 |
2020-10-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. |
|
19 |
CVE-2019-6287 |
269 |
|
|
2019-04-10 |
2022-04-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In Rancher 2.0.0 through 2.1.5, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it. |
|
20 |
CVE-2019-3688 |
276 |
|
|
2019-10-07 |
2019-11-21 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary |
|
21 |
CVE-2019-3683 |
732 |
|
|
2020-01-17 |
2020-10-22 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete arbitrary resources, contrary to expectations. |
|
22 |
CVE-2018-19655 |
787 |
|
Overflow |
2018-11-29 |
2020-08-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. |
|
23 |
CVE-2018-19543 |
125 |
|
|
2018-11-26 |
2020-09-25 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in JasPer 2.0.14. There is a heap-based buffer over-read of size 8 in the function jp2_decode in libjasper/jp2/jp2_dec.c. |
|
24 |
CVE-2018-19541 |
125 |
|
|
2018-11-26 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16. There is a heap-based buffer over-read of size 8 in the function jas_image_depalettize in libjasper/base/jas_image.c. |
|
25 |
CVE-2018-19540 |
787 |
|
Overflow |
2018-11-26 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16. There is a heap-based buffer overflow of size 1 in the function jas_icctxtdesc_input in libjasper/base/jas_icc.c. |
|
26 |
CVE-2018-19052 |
22 |
|
Dir. Trav. |
2018-11-07 |
2022-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. |
|
27 |
CVE-2018-17962 |
119 |
|
Overflow |
2018-10-09 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. |
|
28 |
CVE-2018-16874 |
20 |
|
Exec Code Dir. Trav. |
2018-12-14 |
2021-03-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. |
|
29 |
CVE-2018-16873 |
20 |
|
Exec Code |
2018-12-14 |
2021-03-25 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". |
|
30 |
CVE-2018-14523 |
125 |
|
|
2018-07-23 |
2019-10-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes. |
|
31 |
CVE-2018-14522 |
119 |
|
Overflow |
2018-07-23 |
2019-04-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes. |
|
32 |
CVE-2018-12472 |
287 |
|
|
2018-10-04 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
A improper authentication using the HOST header in SUSE Linux SMT allows remote attackers to spoof a sibling server. Affected releases are SUSE Linux SMT: versions prior to 3.0.37. |
|
33 |
CVE-2018-12471 |
611 |
|
|
2018-10-04 |
2019-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
A External Entity Reference ('XXE') vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37. |
|
34 |
CVE-2018-12122 |
400 |
|
DoS |
2018-11-28 |
2020-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. |
|
35 |
CVE-2018-12116 |
444 |
|
|
2018-11-28 |
2020-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. |
|
36 |
CVE-2018-8059 |
295 |
|
|
2018-03-11 |
2018-04-12 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Djelibeybi configuration examples for use of NGINX in SUSE Portus 2.3, when applied to certain configurations involving Docker Compose, have a Missing SSL Certificate Validation issue because no proxy_ssl_* directives are used. |
|
37 |
CVE-2017-16232 |
772 |
|
DoS |
2019-03-21 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue. |
|
38 |
CVE-2017-14807 |
89 |
|
Sql |
2020-01-27 |
2020-02-04 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in susestudio-ui-server of SUSE Studio onsite allows remote attackers with admin privileges in Studio to alter SQL statements, allowing for extraction and modification of data. This issue affects: SUSE Studio onsite susestudio-ui-server version 1.3.17-56.6.3 and prior versions. |
|
39 |
CVE-2017-14804 |
20 |
|
|
2018-03-01 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots. |
|
40 |
CVE-2017-14798 |
362 |
|
|
2018-03-01 |
2019-10-03 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root. |
|
41 |
CVE-2017-13086 |
330 |
|
|
2017-10-17 |
2019-10-03 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. |
|
42 |
CVE-2017-13084 |
330 |
|
|
2017-10-17 |
2019-10-03 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. |
|
43 |
CVE-2017-13082 |
330 |
|
|
2017-10-17 |
2019-10-03 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. |
|
44 |
CVE-2017-13077 |
330 |
|
|
2017-10-17 |
2019-10-03 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. |
|
45 |
CVE-2017-7297 |
|
|
|
2017-03-29 |
2022-04-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3. |
|
46 |
CVE-2016-9959 |
125 |
|
|
2017-04-12 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
game-music-emu before 0.6.1 allows remote attackers to generate out of bounds 8-bit values. |
|
47 |
CVE-2016-9958 |
119 |
|
Overflow |
2017-04-12 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
game-music-emu before 0.6.1 allows remote attackers to write to arbitrary memory locations. |
|
48 |
CVE-2016-9957 |
119 |
|
Overflow |
2017-04-12 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in game-music-emu before 0.6.1. |
|
49 |
CVE-2016-9398 |
617 |
|
DoS |
2017-03-23 |
2021-02-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. |
|
50 |
CVE-2016-7797 |
254 |
|
DoS |
2017-03-24 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. |
