Total: 34395 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45821 | 1 Artifacthub | 1 Hub | 2024-11-21 | 5.4 Medium |
| Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which the `registryIsDockerHub` function was only checking that the registry domain had the `docker.io` suffix. Artifact Hub allows providing some Docker credentials that are used to increase the rate limit applied when interacting with the Docker Hub registry API to read publicly available content. Due to the incorrect check described above, it'd be possible to hijack those credentials by purchasing a domain which ends with `docker.io` and deploying a fake OCI registry on it. <https://artifacthub.io/> uses some credentials that only have permissions to read public content available in the Docker Hub. However, even though credentials for private repositories (disabled on `artifacthub.io`) are handled in a different way, other Artifact Hub deployments could have been using them for a different purpose. This issue has been resolved in version `1.16.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45805 | 1 Frostming | 2 Pdm, Unearth | 2024-11-21 | 7.8 High |
| pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be `parseable as a version` and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version `2-2` is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in `pyproject.toml` (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit `6853e2642df` which is included in release version `2.9.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-45780 | 1 Google | 1 Android | 2024-11-21 | 7.3 High |
| In Print Service, there is a possible background activity launch due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2023-45779 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links. | ||||
| CVE-2023-45777 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to launch arbitrary activities using system privileges due to Parcel Mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-45725 | 1 Apache | 1 Couchdb | 2024-11-21 | 5.7 Medium |
| Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: list, show, rewrite, and update. An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate the request object's headers. | ||||
| CVE-2023-45703 | 1 Hcltechsw | 1 Hcl Launch | 2024-11-21 | 5.3 Medium |
| HCL Launch may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion. | ||||
| CVE-2023-45702 | 2 Hcltechsw, Microsoft | 2 Hcl Launch, Windows | 2024-11-21 | 6.2 Medium |
| An HCL UrbanCode Deploy Agent installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts. | ||||
| CVE-2023-45627 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 4.3 Medium |
| An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point. | ||||
| CVE-2023-45626 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 5.5 Medium |
| An authenticated vulnerability has been identified allowing an attacker to effectively establish highly privileged persistent arbitrary code execution across boot cycles. | ||||
| CVE-2023-45623 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 7.5 High |
| Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Wi-Fi Uplink service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected access point. | ||||
| CVE-2023-45622 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 7.5 High |
| Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected access point. | ||||
| CVE-2023-45621 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 7.5 High |
| Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected access point. | ||||
| CVE-2023-45620 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 7.5 High |
| Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected access point. | ||||
| CVE-2023-45619 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 8.2 High |
| There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | ||||
| CVE-2023-45618 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 8.2 High |
| There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | ||||
| CVE-2023-45617 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-11-21 | 8.2 High |
| There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba's access point management protocol). Successful exploitation of these vulnerabilities results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point. | ||||
| CVE-2023-45581 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2024-11-21 | 7.9 High |
| An improper privilege management vulnerability [CWE-269] in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and before 7.0.10 allows a Site administrator with Super Admin privileges to perform global administrative operations affecting other sites via crafted HTTP or HTTPS requests. | ||||
| CVE-2023-45560 | 1 Memberscard Project | 1 Memberscard | 2024-11-21 | 7.5 High |
| An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | ||||
| CVE-2023-45558 | 1 Golden Project | 1 Golden | 2024-11-21 | 7.5 High |
| An issue in Golden v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. | ||||