Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43616 | 4 Fedoraproject, Netapp, Npmjs and 1 more | 4 Fedora, Next Generation Application Programming Interface, Npm and 1 more | 2024-08-04 | 9 Critical |
| The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI. | ||||
| CVE-2021-41203 | 1 Google | 1 Tensorflow | 2024-08-04 | 7.8 High |
| TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and `CHECK`-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints loading infrastructure is missing validation for invalid file formats. The fixes will be included in TensorFlow 2.7.0. We will also cherrypick these commits on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. | ||||
| CVE-2021-41106 | 1 Jwt Project | 1 Jwt | 2024-08-04 | 4.4 Medium |
| JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys. | ||||
| CVE-2021-41087 | 1 In-toto | 1 In-toto-golang | 2024-08-04 | 5.6 Medium |
| in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0. | ||||
| CVE-2021-40491 | 2 Debian, Gnu | 2 Debian Linux, Inetutils | 2024-08-04 | 6.5 Medium |
| The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl. | ||||
| CVE-2021-39689 | 1 Google | 1 Android | 2024-08-04 | 6.7 Medium |
| In multiple functions of odsign_main.cpp, there is a possible way to persist system attack due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-206090748 | ||||
| CVE-2021-39158 | 1 Nvidia | 1 Nvcaffe | 2024-08-04 | 8.8 High |
| NVCaffe's python required dependencies list used to contain `gfortran`version prior to 0.17.4, entry which does not exist in the repository pypi.org. An attacker could potentially have posted malicious files to pypi.org causing a user to install it within NVCaffe. | ||||
| CVE-2021-38597 | 1 Wolfssl | 1 Wolfssl | 2024-08-04 | 5.9 Medium |
| wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extension. | ||||
| CVE-2021-38295 | 1 Apache | 1 Couchdb | 2024-08-04 | 7.3 High |
| In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2 | ||||
| CVE-2021-37421 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical |
| Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | ||||
| CVE-2021-37188 | 1 Digi | 17 Transport Dr64, Transport Dr64 Firmware, Transport Sr44 and 14 more | 2024-08-04 | 8.8 High |
| An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior of the gateway. | ||||
| CVE-2021-36751 | 1 Encsecurity | 1 Datavault | 2024-08-04 | 4.2 Medium |
| ENC DataVault 7.2.3 and before, and OEM versions, use an encryption algorithm that is vulnerable to data manipulation (without knowledge of the key). This is called ciphertext malleability. There is no data integrity mechanism to detect this manipulation. | ||||
| CVE-2021-36367 | 1 Putty | 1 Putty | 2024-08-04 | 8.1 High |
| PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user). | ||||
| CVE-2021-33887 | 1 Onepeloton | 2 Ttr01, Ttr01 Firmware | 2024-08-04 | 6.8 Medium |
| Insufficient verification of data authenticity in Peloton TTR01 up to and including PTV55G allows an attacker with physical access to boot into a modified kernel/ramdisk without unlocking the bootloader. | ||||
| CVE-2021-33840 | 1 Luca-app | 1 Luca | 2024-08-03 | 7.5 High |
| The server in Luca through 1.1.14 allows remote attackers to cause a denial of service (insertion of many fake records related to COVID-19) because Phone Number data lacks a digital signature. | ||||
| CVE-2021-33712 | 1 Mendix | 1 Saml | 2024-08-03 | 8.8 High |
| A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges. | ||||
| CVE-2021-32665 | 1 Wire | 1 Wire | 2024-08-03 | 8.8 High |
| wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. | ||||
| CVE-2021-31783 | 1 Piwigo | 1 Localfiles Editor | 2024-08-03 | 7.5 High |
| show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check. | ||||
| CVE-2021-30005 | 1 Jetbrains | 1 Pycharm | 2024-08-03 | 7.8 High |
| In JetBrains PyCharm before 2020.3.4, local code execution was possible because of insufficient checks when getting the project from VCS. | ||||
| CVE-2021-29969 | 2 Mozilla, Redhat | 3 Thunderbird, Enterprise Linux, Rhel Eus | 2024-08-03 | 5.9 Medium |
| If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability affects Thunderbird < 78.12. | ||||