Netapp: >> Cloud Backup Security Vulnerabilities
A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
CVSS Score
7.8
EPSS Score
0.006
Published
2020-06-09
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVSS Score
7.5
EPSS Score
0.022
Published
2020-06-06
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.
CVSS Score
5.9
EPSS Score
0.004
Published
2020-06-04
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-05-28
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-05-27
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVSS Score
7.0
EPSS Score
0.002
Published
2020-05-27
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-05-27
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
CVSS Score
6.1
EPSS Score
0.011
Published
2020-05-19
gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.
CVSS Score
6.5
EPSS Score
0.017
Published
2020-05-18
The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.
CVSS Score
5.3
EPSS Score
0.0
Published
2020-05-15