Total
2847 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37900 | 1 Cncf | 1 Crossplane | 2024-08-02 | 3.4 Low |
| Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled. The impact is limited due to the high privileges required to be able to create the Package and the eventually consistency nature of controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0. | ||||
| CVE-2023-37732 | 1 Yasm Project | 1 Yasm | 2024-08-02 | 5.5 Medium |
| Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file. | ||||
| CVE-2023-37788 | 2 Goproxy Project, Redhat | 5 Goproxy, Openshift, Openshift Data Foundation and 2 more | 2024-08-02 | 7.5 High |
| goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors. | ||||
| CVE-2023-37463 | 1 Github | 1 Cmark-gfm | 2024-08-02 | 6.4 Medium |
| cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12. | ||||
| CVE-2023-37481 | 1 Ethyca | 1 Fides | 2024-08-02 | 2.7 Low |
| Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. | ||||
| CVE-2023-37480 | 1 Ethyca | 1 Fides | 2024-08-02 | 2.7 Low |
| Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container. | ||||
| CVE-2023-37475 | 1 Avro Project | 1 Avro | 2024-08-02 | 7.5 High |
| Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-37379 | 1 Apache | 1 Airflow | 2024-08-02 | 8.1 High |
| Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. | ||||
| CVE-2023-37142 | 1 Microsoft | 1 Chakracore | 2024-08-02 | 5.5 Medium |
| ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function Js::EntryPointInfo::HasInlinees(). | ||||
| CVE-2023-37140 | 1 Microsoft | 1 Chakracore | 2024-08-02 | 5.5 Medium |
| ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function Js::DiagScopeVariablesWalker::GetChildrenCount(). | ||||
| CVE-2023-37141 | 1 Microsoft | 1 Chakracore | 2024-08-02 | 5.5 Medium |
| ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function Js::ProfilingHelpers::ProfiledNewScArray(). | ||||
| CVE-2023-37143 | 1 Microsoft | 1 Chakracore | 2024-08-02 | 5.5 Medium |
| ChakraCore branch master cbb9b was discovered to contain a segmentation violation via the function BackwardPass::IsEmptyLoopAfterMemOp(). | ||||
| CVE-2023-36818 | 1 Discourse | 1 Discourse | 2024-08-02 | 6.5 Medium |
| Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-36799 | 2 Microsoft, Redhat | 6 .net, Powershell, Visual Studio and 3 more | 2024-08-02 | 6.5 Medium |
| .NET Core and Visual Studio Denial of Service Vulnerability | ||||
| CVE-2023-36606 | 1 Microsoft | 20 Windows 10, Windows 10 1507, Windows 10 1607 and 17 more | 2024-08-02 | 7.5 High |
| Microsoft Message Queuing Denial of Service Vulnerability | ||||
| CVE-2023-36579 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2024-08-02 | 7.5 High |
| Microsoft Message Queuing Denial of Service Vulnerability | ||||
| CVE-2023-36478 | 4 Debian, Eclipse, Jenkins and 1 more | 4 Debian Linux, Jetty, Jenkins and 1 more | 2024-08-02 | 7.5 High |
| Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. | ||||
| CVE-2023-36435 | 1 Microsoft | 7 .net, Powershell, Windows 11 21h2 and 4 more | 2024-08-02 | 7.5 High |
| Microsoft QUIC Denial of Service Vulnerability | ||||
| CVE-2023-36431 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2024-08-02 | 7.5 High |
| Microsoft Message Queuing Denial of Service Vulnerability | ||||
| CVE-2023-36042 | 1 Microsoft | 4 .net, Visual Studio, Visual Studio 2019 and 1 more | 2024-08-02 | 6.2 Medium |
| Visual Studio Denial of Service Vulnerability | ||||