Filtered by vendor Redhat
Subscriptions
Total
23062 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-8184 | 4 Canonical, Debian, Rack Project and 1 more | 5 Ubuntu Linux, Debian Linux, Rack and 2 more | 2024-11-21 | 7.5 High |
| A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. | ||||
| CVE-2020-8177 | 6 Debian, Fujitsu, Haxx and 3 more | 19 Debian Linux, M10-1, M10-1 Firmware and 16 more | 2024-11-21 | 7.8 High |
| curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. | ||||
| CVE-2020-8174 | 4 Netapp, Nodejs, Oracle and 1 more | 13 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 10 more | 2024-11-21 | 8.1 High |
| napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. | ||||
| CVE-2020-8172 | 3 Nodejs, Oracle, Redhat | 8 Node.js, Banking Extensibility Workbench, Blockchain Platform and 5 more | 2024-11-21 | 7.4 High |
| TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||||
| CVE-2020-8169 | 5 Debian, Haxx, Redhat and 2 more | 7 Debian Linux, Curl, Jboss Core Services and 4 more | 2024-11-21 | 7.5 High |
| curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). | ||||
| CVE-2020-8167 | 3 Debian, Redhat, Rubyonrails | 4 Debian Linux, Satellite, Satellite Capsule and 1 more | 2024-11-21 | 6.5 Medium |
| A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. | ||||
| CVE-2020-8166 | 3 Debian, Redhat, Rubyonrails | 4 Debian Linux, Satellite, Satellite Capsule and 1 more | 2024-11-21 | 4.3 Medium |
| A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. | ||||
| CVE-2020-8164 | 4 Debian, Opensuse, Redhat and 1 more | 6 Debian Linux, Backports Sle, Leap and 3 more | 2024-11-21 | 7.5 High |
| A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. | ||||
| CVE-2020-8162 | 3 Debian, Redhat, Rubyonrails | 4 Debian Linux, Satellite, Satellite Capsule and 1 more | 2024-11-21 | 7.5 High |
| A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | ||||
| CVE-2020-8161 | 4 Canonical, Debian, Rack Project and 1 more | 5 Ubuntu Linux, Debian Linux, Rack and 2 more | 2024-11-21 | 8.6 High |
| A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure. | ||||
| CVE-2020-8131 | 2 Redhat, Yarnpkg | 2 Quay, Yarn | 2024-11-21 | 7.5 High |
| Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package. | ||||
| CVE-2020-8130 | 6 Canonical, Debian, Fedoraproject and 3 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 6.4 Medium |
| There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. | ||||
| CVE-2020-8124 | 2 Redhat, Url-parse Project | 2 Service Mesh, Url-parse | 2024-11-21 | 5.3 Medium |
| Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. | ||||
| CVE-2020-8116 | 2 Dot-prop Project, Redhat | 4 Dot-prop, Enterprise Linux, Rhel Eus and 1 more | 2024-11-21 | 7.3 High |
| Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. | ||||
| CVE-2020-8112 | 3 Debian, Redhat, Uclouvain | 4 Debian Linux, Enterprise Linux, Rhel E4s and 1 more | 2024-11-21 | 8.8 High |
| opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. | ||||
| CVE-2020-8037 | 5 Apple, Debian, Fedoraproject and 2 more | 6 Mac Os X, Macos, Debian Linux and 3 more | 2024-11-21 | 7.5 High |
| The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. | ||||
| CVE-2020-7943 | 2 Puppet, Redhat | 5 Puppet Enterprise, Puppet Server, Puppetdb and 2 more | 2024-11-21 | 7.5 High |
| Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13 | ||||
| CVE-2020-7942 | 2 Puppet, Redhat | 4 Puppet, Puppet Agent, Satellite and 1 more | 2024-11-21 | 6.5 Medium |
| Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19 | ||||
| CVE-2020-7789 | 2 Node-notifier Project, Redhat | 2 Node-notifier, Ansible Automation Platform | 2024-11-21 | 5.6 Medium |
| This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. | ||||
| CVE-2020-7788 | 3 Debian, Ini Project, Redhat | 5 Debian Linux, Ini, Enterprise Linux and 2 more | 2024-11-21 | 7.3 High |
| This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | ||||