Security Vulnerabilities - CVEs Published In June 2017
Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.
CVSS Score: 9.8 | EPSS Score: 0.165 | Published: 2017-06-05
Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
CVSS Score: 9.8 | EPSS Score: 0.008 | Published: 2017-06-05
Document Liberation Project libstaroffice before 2017-04-07 has an out-of-bounds write caused by a stack-based buffer overflow related to the DatabaseName::read function in lib/StarWriterStruct.cxx.
CVSS Score: 9.8 | EPSS Score: 0.008 | Published: 2017-06-05
Document Liberation Project libmwaw before 2017-04-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the MsWrd1Parser::readFootnoteCorrespondance function in lib/MsWrd1Parser.cxx.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2017-06-05
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2017-06-05
Directory Traversal exists in RAR 4.x and 5.x because an unpack operation follows any symlinks, including symlinks contained in the archive. This allows remote attackers to write to arbitrary files via a crafted archive.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2017-06-04
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2017-06-04
A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2017-06-04
Cross Site Scripting (XSS) exists in Jamroom before 4.2.7 via the Status Update field.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-06-04
In Lenovo Service Bridge before version 4, a user with local privileges on a system could execute code with administrative privileges.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2017-06-04


Shodan ® - All rights reserved