Filtered by vendor Redhat
Subscriptions
Filtered by product Rhel Software Collections
Subscriptions
Total
1793 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-29921 | 3 Oracle, Python, Redhat | 8 Communications Cloud Native Core Automated Test Suite, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Slice Selection Function and 5 more | 2024-11-21 | 9.8 Critical |
| In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses. | ||||
| CVE-2021-28965 | 3 Fedoraproject, Redhat, Ruby-lang | 7 Fedora, Enterprise Linux, Rhel E4s and 4 more | 2024-11-21 | 7.5 High |
| The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. | ||||
| CVE-2021-28957 | 6 Debian, Fedoraproject, Lxml and 3 more | 7 Debian Linux, Fedora, Lxml and 4 more | 2024-11-21 | 6.1 Medium |
| An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. | ||||
| CVE-2021-28861 | 3 Fedoraproject, Python, Redhat | 4 Fedora, Python, Enterprise Linux and 1 more | 2024-11-21 | 7.4 High |
| Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." | ||||
| CVE-2021-27928 | 5 Debian, Galeracluster, Mariadb and 2 more | 8 Debian Linux, Wsrep, Mariadb and 5 more | 2024-11-21 | 7.2 High |
| A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product. | ||||
| CVE-2021-27291 | 4 Debian, Fedoraproject, Pygments and 1 more | 6 Debian Linux, Fedora, Pygments and 3 more | 2024-11-21 | 7.5 High |
| In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. | ||||
| CVE-2021-27290 | 4 Oracle, Redhat, Siemens and 1 more | 6 Graalvm, Enterprise Linux, Rhel Eus and 3 more | 2024-11-21 | 7.5 High |
| ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | ||||
| CVE-2021-23362 | 3 Npmjs, Redhat, Siemens | 7 Hosted-git-info, Acm, Enterprise Linux and 4 more | 2024-11-21 | 5.3 Medium |
| The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. | ||||
| CVE-2021-23343 | 2 Path-parse Project, Redhat | 7 Path-parse, Acm, Advanced Cluster Security and 4 more | 2024-11-21 | 5.3 Medium |
| All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. | ||||
| CVE-2021-23336 | 7 Debian, Djangoproject, Fedoraproject and 4 more | 14 Debian Linux, Django, Fedora and 11 more | 2024-11-21 | 5.9 Medium |
| The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. | ||||
| CVE-2021-23222 | 2 Postgresql, Redhat | 3 Postgresql, Enterprise Linux, Rhel Software Collections | 2024-11-21 | 5.9 Medium |
| A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. | ||||
| CVE-2021-23214 | 3 Fedoraproject, Postgresql, Redhat | 7 Fedora, Postgresql, Enterprise Linux and 4 more | 2024-11-21 | 8.1 High |
| When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. | ||||
| CVE-2021-23017 | 6 F5, Fedoraproject, Netapp and 3 more | 19 Nginx, Fedora, Ontap Select Deploy Administration Utility and 16 more | 2024-11-21 | 7.7 High |
| A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. | ||||
| CVE-2021-21707 | 5 Debian, Netapp, Php and 2 more | 6 Debian Linux, Clustered Data Ontap, Php and 3 more | 2024-11-21 | 5.3 Medium |
| In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. | ||||
| CVE-2021-21705 | 4 Netapp, Oracle, Php and 1 more | 5 Clustered Data Ontap, Sd-wan Aware, Php and 2 more | 2024-11-21 | 4.3 Medium |
| In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision. | ||||
| CVE-2021-21703 | 6 Debian, Fedoraproject, Netapp and 3 more | 7 Debian Linux, Fedora, Clustered Data Ontap and 4 more | 2024-11-21 | 7.8 High |
| In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. | ||||
| CVE-2021-21702 | 5 Debian, Netapp, Oracle and 2 more | 6 Debian Linux, Clustered Data Ontap, Communications Diameter Signaling Router and 3 more | 2024-11-21 | 5.3 Medium |
| In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. | ||||
| CVE-2021-20270 | 4 Debian, Fedoraproject, Pygments and 1 more | 9 Debian Linux, Fedora, Pygments and 6 more | 2024-11-21 | 7.5 High |
| An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. | ||||
| CVE-2021-1998 | 4 Fedoraproject, Netapp, Oracle and 1 more | 10 Fedora, Active Iq Unified Manager, Oncommand Insight and 7 more | 2024-11-21 | 3.8 Low |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L). | ||||
| CVE-2020-9490 | 7 Apache, Canonical, Debian and 4 more | 28 Http Server, Ubuntu Linux, Debian Linux and 25 more | 2024-11-21 | 7.5 High |
| Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. | ||||