Search Results (285 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-3520 5 Lz4 Project, Netapp, Oracle and 2 more 12 Lz4, Active Iq Unified Manager, Cloud Backup and 9 more 2024-11-21 9.8 Critical
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
CVE-2021-3422 1 Splunk 1 Splunk 2024-11-21 7.5 High
The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium.
CVE-2021-33845 1 Splunk 1 Splunk 2024-11-21 5.3 Medium
The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.
CVE-2021-31566 5 Debian, Fedoraproject, Libarchive and 2 more 14 Debian Linux, Fedora, Libarchive and 11 more 2024-11-21 7.8 High
An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
CVE-2021-31559 1 Splunk 1 Splunk 2024-11-21 7.5 High
A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1. The vulnerability impacts Indexers configured to use TCPTokens. It does not impact Universal Forwarders.
CVE-2021-26253 1 Splunk 1 Splunk 2024-11-21 8.1 High
A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the MFA verification in Splunk Enterprise versions before 8.1.6. The potential vulnerability impacts Splunk Enterprise instances configured to use DUO MFA and does not impact or affect a DUO product or service.
CVE-2021-22923 7 Fedoraproject, Haxx, Netapp and 4 more 25 Fedora, Curl, Cloud Backup and 22 more 2024-11-21 5.3 Medium
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2021-22901 6 Haxx, Netapp, Oracle and 3 more 35 Curl, Active Iq Unified Manager, Cloud Backup and 32 more 2024-11-21 8.1 High
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
CVE-2020-8286 9 Apple, Debian, Fedoraproject and 6 more 22 Mac Os X, Macos, Debian Linux and 19 more 2024-11-21 7.5 High
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVE-2020-8231 6 Debian, Haxx, Oracle and 3 more 6 Debian Linux, Libcurl, Communications Cloud Native Core Policy and 3 more 2024-11-21 7.5 High
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2020-8169 5 Debian, Haxx, Redhat and 2 more 7 Debian Linux, Curl, Jboss Core Services and 4 more 2024-11-21 7.5 High
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
CVE-2020-14155 7 Apple, Gitlab, Netapp and 4 more 22 Macos, Gitlab, Active Iq Unified Manager and 19 more 2024-11-21 5.3 Medium
libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
CVE-2019-5729 1 Splunk 1 Software Development Kit 2024-11-21 N/A
Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.
CVE-2019-5727 1 Splunk 1 Splunk 2024-11-21 N/A
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.
CVE-2019-3800 27 Anynines, Apigee, Appdynamics and 24 more 55 Elasticsearch, Logme, Mongodb and 52 more 2024-11-21 N/A
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.
CVE-2019-20838 4 Apple, Pcre, Redhat and 1 more 5 Macos, Pcre, Enterprise Linux and 2 more 2024-11-21 7.5 High
libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.
CVE-2019-20454 4 Fedoraproject, Pcre, Redhat and 1 more 4 Fedora, Pcre2, Enterprise Linux and 1 more 2024-11-21 7.5 High
An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
CVE-2018-7432 1 Splunk 1 Splunk 2024-11-21 N/A
Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.7, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allow remote attackers to cause a denial of service via a crafted HTTP request.
CVE-2018-7431 1 Splunk 1 Splunk 2024-11-21 N/A
Directory traversal vulnerability in the Splunk Django App in Splunk Enterprise 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3; and Splunk Light before 6.6.0 allows remote authenticated users to read arbitrary files via unspecified vectors.
CVE-2018-7429 1 Splunk 1 Splunk 2024-11-21 N/A
Splunkd in Splunk Enterprise 6.2.x before 6.2.14 6.3.x before 6.3.11, and 6.4.x before 6.4.8; and Splunk Light before 6.5.0 allow remote attackers to cause a denial of service via a malformed HTTP request.