Security Vulnerabilities - CVEs Published In 2021
The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer’s computer.
CVSS Score
4.7
EPSS Score
0.002
Published
2021-11-11
The Keybase Client for Android before version 5.8.0 and the Keybase Client for iOS before version 5.8.0 fails to properly remove exploded messages initiated by a user if the receiving user places the chat session in the background while the sending user explodes the messages. This could lead to disclosure of sensitive information which was meant to be deleted from the customer's device.
CVSS Score
3.7
EPSS Score
0.004
Published
2021-11-11
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
CVSS Score
4.2
EPSS Score
0.006
Published
2021-11-11
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
CVSS Score
4.2
EPSS Score
0.006
Published
2021-11-11
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
CVSS Score
7.4
EPSS Score
0.015
Published
2021-11-11
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
CVSS Score
5.9
EPSS Score
0.003
Published
2021-11-11
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
CVSS Score
4.4
EPSS Score
0.007
Published
2021-11-11
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
CVSS Score
4.4
EPSS Score
0.005
Published
2021-11-11
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
CVSS Score
7.5
EPSS Score
0.116
Published
2021-11-11
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
CVSS Score
9.8
EPSS Score
0.029
Published
2021-11-11