Debian: >> Debian Linux >> 11.0 Security Vulnerabilities
vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access.
CVSS Score
6.5
EPSS Score
0.006
Published
2021-09-24
When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.
CVSS Score
9.1
EPSS Score
0.004
Published
2021-09-23
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-09-19
libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.
CVSS Score
8.8
EPSS Score
0.002
Published
2021-09-16
libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-09-16
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS Score
7.5
EPSS Score
0.11
Published
2021-09-16
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
CVSS Score
7.5
EPSS Score
0.061
Published
2021-09-16
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVSS Score
9.8
EPSS Score
0.448
Published
2021-09-16