Security Vulnerabilities - CVEs Published In February 2018
The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2018-02-27
There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can cause issues when interacting with upstream proxies, with the wrong host being used.
CVSS Score: 8.6 | EPSS Score: 0.026 | Published: 2018-02-27
There is a DoS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This issue can cause the server to coredump.
CVSS Score: 7.5 | EPSS Score: 0.043 | Published: 2018-02-27
Two XSS vulnerabilities were fixed in message list and view in the Hupa Webmail application from the Apache James project. An attacker could send a carefully crafted email to a user of Hupa which would trigger an XSS when the email was opened or when a list of messages was viewed. This issue was addressed in Hupa 0.0.3.
CVSS Score: 6.1 | EPSS Score: 0.013 | Published: 2018-02-27
A buffer overflow vulnerability in the control protocol of Disk Savvy Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9124.
CVSS Score: 9.8 | EPSS Score: 0.22 | Published: 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.
CVSS Score: 7.5 | EPSS Score: 0.007 | Published: 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933).
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.
CVSS Score: 8.1 | EPSS Score: 0.004 | Published: 2018-02-27
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2018-02-27



Shodan ® - All rights reserved