Vulnerabilities we've disclosed (before March 2020)

A malicious user can inject a data: or vbscript: hotspot link if they control the viewer configuration, which leads to XSS once a user clicks the link.

PID recycling enables an unprivileged user to exploit a PID race in Apport to generate a crash report which contains the ASLR offsets for a privileged process.

Apport reads arbitrary files if ~/.config/apport/settings is a symlink, which can be exploited by an unprivileged user to trigger a denial of service.

An integer overflow in bson_ensure_space (bson.c:613) can lead to a subsequent heap buffer overflow, which can be exploited to gain code execution as the whoopsie user.

A malicious SSH server can trigger an out-of-bounds read by sending a crafted disconnect message, possibly leading to denial of service or information disclosure.

A time-of-check to time-of-use (TOCTOU) vulnerability in Apport enables an unprivileged local user to trick Apport into including the contents of an arbitrary file in a crash report.

An integer overflow when reading large crash dumps (> 4GB) leads to a heap buffer overflow, which may enable a local attacker to gain code execution in the whoopsie daemon. This could enable an attacker to read crash reports belonging to other users and thereby gain access to privileged information.

A malicious SSH server can trigger an out-of-bounds read during Diffie Hellman key exchange, possibly leading to remote information disclosure.

If an attacker is able to control the parameters of a call to the PHP function scrypt_enc, then they can trigger an integer overflow leading to a heap corruption, thereby possibly achieving code execution. There is no risk of exploitation if the server-side PHP code does not pass untrusted parameters to scrypt_enc.

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.

Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file.

A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file.

http.cpp in Exiv2 through 0.27.1 allows a malicious HTTP server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.

An unauthenticated remote attacker could cause a denial of service by triggering an infinite loop in Fizz, Facebook's open source TLS library.

In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.

In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.

A denial of service in the subtitle decoder in FFmpeg 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.

A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.

A denial of service in the subtitle decoder in Libav 12.3 allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses strstr.

An attacker with permissions to manage podcasts can read (and publish) arbitrary files from the server hosting an Airsonic media streamer by uploading a specially-crafted XML podcast specification containing one or more XML external entities.

Ansible fetch module has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.

If an attacker can control the port, which in itself is a very sensitive value, he can inject arbitrary OS commands due to the usage of exec in a third-party module.

This vulnerability affects a range of Apple products. If the kernel's packet-mangler is enabled, it allows an attacker to remotely trigger an infinite loop in the kernel, thereby preventing the device from accessing the internet and hogging one of its CPU cores.

The node.extend package can be tricked into adding or modifying properties of the Object prototype.

The just-extend package can be tricked into adding or modifying properties of the Object prototype.

If an attacker controls the name of the property to set, they can inject arbitrary properties on Object.prototype.

Using a specially-crafted PS or PDF file, an attacker can corrupt memory when the file is opened or processed by Ghostscript. This is caused by insufficient type checking, leading to type confusion, which could potentially be exploited to execute code even when Ghostscript is running in sandbox mode (using the '-dSAFER' option).

Using a specially-crafted PS or PDF file, an attacker can execute arbitrary shell commands when the file is opened or processed by Ghostscript, even when Ghostscript is running in sandbox mode (using the '-dSAFER' option).

Using a specially-crafted PS or PDF file, an attacker can execute arbitrary code when the file is opened or processed by Ghostscript, even when Ghostscript is running in sandbox mode (using the '-dSAFER' option). This is caused by insufficient type checking, leading to type confusion and memory corruption, which can be exploited to execute code.

If an attacker control boths the path and the cached value, they can deploy a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype.

A remote code execution vulnerability exists in the way the Icecast streaming media server copies HTTP headers from a user request when preparing a request to send to an authentication server. The vulnerability could allow an attacker to craft special HTTP headers that corrupt memory and execute arbitrary code on the server.

The functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype.

A malicious NFS server can trigger a buffer overflow in the kernel when a Mac attempts to mount the NFS share.

An attacker can use the format parameter to inject arbitrary commands.

If an attacker controls the range field for the network scan, they can inject arbitrary OS commands instead of an IP range.

The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

The defaults-deep package can be tricked into adding or modifying properties of the Object prototype.

If an attacker controls the pid parameter, they can inject arbitrary OS commands instead of a process ID.

The extend package can be tricked into adding or modifying properties of the Object prototype.

Under certain common configurations, to compute the namespace Struts will evaluate untrusted user input as OGNL, which allows for an attacker to execute arbitrary code.

An attacker can execute arbitrary code on Ignite nodes via the GridClientJdkMarshaller deserialization endpoint when the Ignite classpath contains vulnerable classes.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves pktmnglr_ipfilter_input in com.apple.packet-mangler in the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (integer overflow and stack-based buffer overflow) via a crafted app.

When deserializing subclasses of AbstractDocument, the class takes a string from the inputStream as the class name. This name is then used to call the no-arg constructor of the class. This vulnerability was fixed by checking the class type before calling newInstance in deserialization.

A remote attacker with local user credentials (possibly a normal user in the vpn group, or root) may be able to underflow the buffer and cause a denial of service.

The Apache Ignite serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3rd party vulnerable classes are present in the Ignite classpath. An attacker can exploit the vulnerability by sending a specially crafted serialized object to one of the deserialization endpoints of some Ignite components: discovery SPI, Ignite persistence, Memcached endpoint and socket steamer.

rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in remote code execution.

The TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

The Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. An user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

The Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

A page in the pad editor of Etherpad Lite is vulnerable to cross site scripting (XSS) attack via a maliciously crafted link. This affects all versions of Etherpad Lite before v1.6.3 was released.

Versions of Etherpad Lite before the release of v1.16.3 fail to sanitize the name of the JSONP callback function used in the HTTP API. This allows remote attackers to bypass intended access restrictions, making the HTTP API vulnerable to a reflected file download (RFD) attack.

This vulnerability in Apache Hadoop allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

Apache Camel's camel-castor component has a Java object deserialization vulnerability. Deserializing untrusted data can lead to security flaws.

This vulnerability gives a local attacker who can trigger DTrace to run the ability to read any memory address within a 32GB range of the kernel's address space.

The XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML external entity (XXE) attacks.

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.

In Pivotal Spring AMQP versions before 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

In vulnerable versions of Apache Struts, the REST plugin uses an XStreamHandler with an instance of XStream to deserialize data without applying any type filtering. This makes it possible to provide an XML payload that will allow remote code execution (RCE) when it is deserialized.

The Swagger code generator and parser use the SnakeYaml library to process OpenAPI/Swagger specifications written in YAML. They invoke SnakeYaml insecurely which allows an attacker to parse a malicious specification and execute arbitrary code.

In all versions of Apache Spark from 1.16.0 to 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. The attacker would be able to execute code as the user that ran the Spark application. It does not affect apps run by spark-submit or spark-shell.

Microsoft Edge is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. This could allow the attacker to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.