Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fedora
(Fedoraproject)| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-03-22 | CVE-2020-10804 | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). | Fedora, Backports_sle, Leap, Phpmyadmin, Package_hub | 8.0 | ||
| 2020-03-22 | CVE-2020-10802 | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. | Debian_linux, Fedora, Backports_sle, Leap, Phpmyadmin, Package_hub | 8.0 | ||
| 2020-03-22 | CVE-2020-10803 | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. | Debian_linux, Fedora, Backports_sle, Leap, Phpmyadmin, Package_hub | 5.4 | ||
| 2020-03-24 | CVE-2020-10684 | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection. | Debian_linux, Fedora, Ansible, Ansible_tower, Openstack | 7.1 | ||
| 2020-03-31 | CVE-2019-14905 | A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. | Fedora, Backports_sle, Leap, Ansible_engine, Ansible_tower, Ceph_storage, Cloudforms_management_engine, Openstack | 5.6 | ||
| 2020-04-02 | CVE-2020-11100 | In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. | Ubuntu_linux, Debian_linux, Fedora, Haproxy, Leap, Openshift_container_platform | 8.8 | ||
| 2020-04-03 | CVE-2020-11501 | GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol. | Ubuntu_linux, Debian_linux, Fedora, Gnutls, Leap | 7.4 | ||
| 2020-04-07 | CVE-2013-7488 | perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input. | Convert\:\:asn1, Fedora | 7.5 | ||
| 2020-04-07 | CVE-2020-11612 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. | Debian_linux, Fedora, Oncommand_api_services, Oncommand_insight, Oncommand_workflow_automation, Netty, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_service_communication_proxy, Communications_design_studio, Communications_messaging_server, Nosql_database, Siebel_core_\-_server_framework, Webcenter_portal | 7.5 | ||
| 2020-04-14 | CVE-2020-11739 | An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may... | Debian_linux, Fedora, Leap, Xen | 7.8 |