The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2021-33120 | Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom(R) Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access. | MEDIUM | Feb 10, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-22570 | Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file\'s name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | MEDIUM | Feb 2, 2022 | 10.19.45.23 (Wind River Linux LTS 19) |
CVE-2021-4160 | There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb). | MEDIUM | Feb 7, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-23807 | An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances. | MEDIUM | Jan 22, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-23304 | The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495. | MEDIUM | Jan 18, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-23303 | The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494. | MEDIUM | Jan 18, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0319 | Out-of-bounds Read in vim/vim prior to 8.2. | MEDIUM | Jan 22, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0238 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) | MEDIUM | Jan 16, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0213 | vim is vulnerable to Heap-based Buffer Overflow | MEDIUM | Jan 15, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0204 | A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. | MEDIUM | Jan 17, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0197 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) | MEDIUM | Jan 13, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-0196 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) | MEDIUM | Jan 13, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-4203 | A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. | MEDIUM | Jan 12, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-4202 | A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem. | MEDIUM | Jan 12, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-22844 | LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. | MEDIUM | Jan 10, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-22827 | storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | MEDIUM | Jan 9, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-22826 | nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | MEDIUM | Jan 9, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-22825 | lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | MEDIUM | Jan 9, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2022-22707 | In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. | MEDIUM | Jan 6, 2022 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-46143 | In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. | MEDIUM | Jan 6, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-45452 | Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. | MEDIUM | Jan 5, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-45116 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language\'s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. | MEDIUM | Jan 5, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-45115 | An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. | MEDIUM | Jan 5, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-41043 | Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact. | MEDIUM | Jan 5, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-45960 | In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). | MEDIUM | Jan 3, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-4193 | vim is vulnerable to Out-of-bounds Read | MEDIUM | Jan 1, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-4192 | vim is vulnerable to Use After Free | MEDIUM | Jan 1, 2022 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-45485 | In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn\'t properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. | MEDIUM | Dec 25, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-45469 | In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry. | MEDIUM | Dec 25, 2021 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-44224 | A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). | MEDIUM | Dec 24, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-41819 | CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | MEDIUM | Dec 21, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-41817 | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | MEDIUM | Dec 21, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4166 | vim is vulnerable to Out-of-bounds Read | MEDIUM | Dec 25, 2021 | 10.19.45.25 (Wind River Linux LTS 19) |
CVE-2021-4156 | An out-of-bounds read flaw was found in libsndfile\'s FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws. | MEDIUM | Dec 23, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-41496 | Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally) | MEDIUM | Dec 18, 2021 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-41495 | Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. NOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place | MEDIUM | Dec 18, 2021 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-33430 | A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulneraility; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user | MEDIUM | Dec 17, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-45088 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. | MEDIUM | Dec 16, 2021 | 10.19.45.23 (Wind River Linux LTS 19) |
CVE-2021-45078 | stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699. | MEDIUM | Dec 15, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-44733 | A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object. | MEDIUM | Dec 17, 2021 | 10.19.45.22 (Wind River Linux LTS 19) |
CVE-2021-43818 | lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | MEDIUM | Dec 16, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4083 | A read-after-free memory flaw was found in the Linux kernel\'s garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4. | MEDIUM | Dec 16, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4011 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SwapCreateRegister function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | MEDIUM | Dec 15, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4010 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcScreenSaverSuspend function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | MEDIUM | Dec 15, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4009 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | MEDIUM | Dec 15, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4008 | A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcRenderCompositeGlyphs function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | MEDIUM | Dec 15, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-44717 | Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. | MEDIUM | Dec 10, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-44716 | net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. | MEDIUM | Dec 10, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4069 | vim is vulnerable to Use After Free | MEDIUM | Dec 9, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |
CVE-2021-4019 | vim is vulnerable to Heap-based Buffer Overflow | MEDIUM | Dec 4, 2021 | 10.19.45.21 (Wind River Linux LTS 19) |