Canonical: Security Vulnerabilities
A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects Ubuntu MAAS versions prior to 1.9.2.
CVSS Score: 8.6 | EPSS Score: 0.007 | Published: 2019-04-22
A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2.
CVSS Score: 9.6 | EPSS Score: 0.004 | Published: 2019-04-22
A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2.
CVSS Score: 2.0 | EPSS Score: 0.002 | Published: 2019-04-22
Juju Core's Joyent provider before version 1.25.5 uploads the user's private SSH key.
CVSS Score: 6.4 | EPSS Score: 0.004 | Published: 2019-04-22
The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2.
CVSS Score: 5.5 | EPSS Score: 0.002 | Published: 2019-04-22
The DBUS API of Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 only requires a file path for a content item; it does not actually require that the confined app have access to the file to create a transfer. This could allow a malicious application using the DBUS API to export file:///etc/passwd, which would then send a copy of that file to another app.
CVSS Score: 3.9 | EPSS Score: 0.002 | Published: 2019-04-22
In Apport before 2.19.2, the function _python_module_path allows any Python module in sys.path to be imported if the command line of the process triggering the coredump is Python and the first argument is -m.
CVSS Score: 7.4 | EPSS Score: 0.0 | Published: 2019-04-22
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
CVSS Score: 9.8 | EPSS Score: 0.209 | Published: 2019-04-22
FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
CVSS Score: 9.8 | EPSS Score: 0.067 | Published: 2019-04-22
libavcodec/hevcdec.c in FFmpeg 3.4 and 4.1.2 mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data.
CVSS Score: 8.8 | EPSS Score: 0.02 | Published: 2019-04-19