Fedoraproject: Fedora 35 Security Vulnerabilities
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
CVSS Score: 8.4 | EPSS Score: 0.003 | Published: 2022-02-16

Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-02-16

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVSS Score: 9.8 | EPSS Score: 0.113 | Published: 2022-02-16

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a denial of service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. To be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown method. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to allow only a limited set of methods.
CVSS Score: 7.5 | EPSS Score: 0.043 | Published: 2022-02-15

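The client_golang entry above describes the failure mode (one time series per distinct `method` label value, with the client choosing the value) and the middleware workaround. The Go program below is an added example written for this page; it is not code from client_golang or from the Prometheus project. It uses a toy `methodCounter` to stand in for a Prometheus counter with a `method` label, an `instrument` middleware that records the request method verbatim (the pre-1.11.1 behaviour the description outlines), and a `restrictMethods` middleware in front of it that enforces an assumed allowlist and answers 405 to anything else. The method names, counts and handler names are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
	"sync"
)

// methodCounter is a stand-in for a Prometheus counter carrying a `method`
// label: every distinct label value becomes its own time series and its own
// map entry. It is a toy written for this example, not client_golang.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: map[string]int{}}
}

func (c *methodCounter) inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[method]++
}

// cardinality is the number of distinct `method` label values recorded,
// i.e. how many series the counter would expose on /metrics.
func (c *methodCounter) cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// instrument mirrors the vulnerable pattern: the method string from the
// request is used as the label value without any normalisation, so the
// client, not the server, decides how many series exist.
func instrument(c *methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// allowedMethods is an assumed allowlist; adjust it to what the service
// actually serves. Anything not listed never reaches the counter.
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true,
	"PATCH": true, "DELETE": true, "OPTIONS": true,
}

func allowHeader() string {
	names := make([]string, 0, len(allowedMethods))
	for m := range allowedMethods {
		names = append(names, m)
	}
	sort.Strings(names)
	return strings.Join(names, ", ")
}

// restrictMethods is the workaround from the advisory text: middleware placed
// before the instrumentation that rejects unknown methods with 405, bounding
// the label space to len(allowedMethods).
func restrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			w.Header().Set("Allow", allowHeader())
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler is the application behind the middleware chain.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// attackerMethods returns n distinct, syntactically valid but meaningless
// HTTP methods (constructed input: BOGUS0, BOGUS1, ...).
func attackerMethods(n int) []string {
	ms := make([]string, n)
	for i := range ms {
		ms[i] = fmt.Sprintf("BOGUS%d", i)
	}
	return ms
}

// flood sends one request per method through h and returns a histogram of
// response status codes.
func flood(h http.Handler, methods []string) map[int]int {
	statuses := map[int]int{}
	for _, m := range methods {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(m, "/", nil))
		statuses[rec.Code]++
	}
	return statuses
}

func main() {
	unfiltered := newMethodCounter()
	flood(instrument(unfiltered, okHandler), attackerMethods(1000))
	fmt.Printf("without method filter: %d series\n", unfiltered.cardinality())

	filtered := newMethodCounter()
	st := flood(restrictMethods(instrument(filtered, okHandler)),
		append(attackerMethods(1000), "GET", "POST"))
	fmt.Printf("with method filter: %d series, status counts %v\n", filtered.cardinality(), st)
}
```

The unfiltered chain grows by one series per request because each `BOGUSn` is a new label value; the filtered chain ends with exactly the series for the allowed methods that were actually used. The same bound can be enforced at a reverse proxy or WAF instead, as the description notes, which also protects handlers the application forgot to wrap.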
Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file.
CVSS Score: 6.3 | EPSS Score: 0.015 | Published: 2022-02-14

Infinite loop in the RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file.
CVSS Score: 6.3 | EPSS Score: 0.005 | Published: 2022-02-14

Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file.
CVSS Score: 6.3 | EPSS Score: 0.015 | Published: 2022-02-14

Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file.
CVSS Score: 6.3 | EPSS Score: 0.008 | Published: 2022-02-14

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVSS Score: 8.4 | EPSS Score: 0.102 | Published: 2022-02-14

Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-test-suite/phoronix-test-suite prior to 10.8.2.
CVSS Score: 6.8 | EPSS Score: 0.004 | Published: 2022-02-14

Shodan ® - All rights reserved