Filtered by vendor Redhat
Subscriptions
Total
23207 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39332 | 3 Fedoraproject, Nodejs, Redhat | 3 Fedora, Node.js, Enterprise Linux | 2025-11-03 | 9.8 Critical |
| Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2023-39331 | 2 Nodejs, Redhat | 2 Node.js, Enterprise Linux | 2025-11-03 | 7.5 High |
| A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2023-38552 | 3 Fedoraproject, Nodejs, Redhat | 3 Fedora, Node.js, Enterprise Linux | 2025-11-03 | 7.5 High |
| When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. | ||||
| CVE-2023-38473 | 2 Avahi, Redhat | 3 Avahi, Enterprise Linux, Rhel Eus | 2025-11-03 | 6.2 Medium |
| A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. | ||||
| CVE-2023-38472 | 2 Avahi, Redhat | 3 Avahi, Enterprise Linux, Rhel Eus | 2025-11-03 | 6.2 Medium |
| A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. | ||||
| CVE-2023-38471 | 2 Avahi, Redhat | 3 Avahi, Enterprise Linux, Rhel Eus | 2025-11-03 | 6.2 Medium |
| A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. | ||||
| CVE-2023-38470 | 2 Avahi, Redhat | 3 Avahi, Enterprise Linux, Rhel Eus | 2025-11-03 | 6.2 Medium |
| A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. | ||||
| CVE-2023-38469 | 2 Avahi, Redhat | 3 Avahi, Enterprise Linux, Rhel Eus | 2025-11-03 | 6.2 Medium |
| A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. | ||||
| CVE-2023-37903 | 2 Redhat, Vm2 Project | 3 Acm, Multicluster Engine, Vm2 | 2025-11-03 | 9.8 Critical |
| vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software. | ||||
| CVE-2023-31484 | 3 Cpanpm Project, Perl, Redhat | 3 Cpanpm, Perl, Enterprise Linux | 2025-11-03 | 8.1 High |
| CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | ||||
| CVE-2023-31083 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-11-03 | 4.7 Medium |
| An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur. | ||||
| CVE-2023-30608 | 3 Debian, Redhat, Sqlparse Project | 5 Debian Linux, Rhui, Satellite and 2 more | 2025-11-03 | 5.5 Medium |
| sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2023-30588 | 2 Nodejs, Redhat | 3 Node.js, Enterprise Linux, Rhel Eus | 2025-11-03 | 5.3 Medium |
| When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20. | ||||
| CVE-2023-30581 | 2 Nodejs, Redhat | 3 Node.js, Enterprise Linux, Rhel Eus | 2025-11-03 | 7.5 High |
| The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js | ||||
| CVE-2023-2977 | 2 Opensc Project, Redhat | 2 Opensc, Enterprise Linux | 2025-11-03 | 7.1 High |
| A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible. | ||||
| CVE-2023-2952 | 3 Debian, Redhat, Wireshark | 3 Debian Linux, Enterprise Linux, Wireshark | 2025-11-03 | 5.3 Medium |
| XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file | ||||
| CVE-2023-2858 | 3 Debian, Redhat, Wireshark | 3 Debian Linux, Enterprise Linux, Wireshark | 2025-11-03 | 5.3 Medium |
| NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | ||||
| CVE-2023-2856 | 3 Debian, Redhat, Wireshark | 3 Debian Linux, Enterprise Linux, Wireshark | 2025-11-03 | 5.3 Medium |
| VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | ||||
| CVE-2023-2855 | 3 Debian, Redhat, Wireshark | 3 Debian Linux, Enterprise Linux, Wireshark | 2025-11-03 | 5.3 Medium |
| Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file | ||||
| CVE-2023-28450 | 2 Redhat, Thekelleys | 3 Enterprise Linux, Rhel Eus, Dnsmasq | 2025-11-03 | 7.5 High |
| An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. | ||||