Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

Page 131 of 496
CVE-2022-21664 | HIGH | CVSS 8.8 | v9.0, v10.0, +1 more | 2022-01-06
CWE-89: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go bac
Source: nvd
CVE-2022-21661 | HIGH | CVSS 7.5 | PoC | v9.0, v10.0, +1 more | 2022-01-06
CWE-89: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via
Source: nvd
CVE-2021-46142 | MEDIUM | CVSS 5.5 | v9.0, v10.0, +1 more | 2022-01-06
CWE-416: An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
Source: nvd
CVE-2021-28715 | MEDIUM | CVSS 6.5 | v9.0, v10.0, +1 more | 2022-01-06
Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken
Source: nvd
CVE-2021-28714 | MEDIUM | CVSS 6.5 | v10.0, v11.0 | 2022-01-06
CWE-770: Guest can force Linux netback driver to hog large amounts of kernel memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measur
Source: nvd
CVE-2021-46141 | MEDIUM | CVSS 5.5 | v9.0, v10.0, +1 more | 2022-01-06
CWE-416: An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
Source: nvd
CVE-2022-22707 | MEDIUM | CVSS 5.9 | v10.0, v11.0 | 2022-01-06
CWE-787: In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual man
Source: nvd
CVE-2021-46144 | MEDIUM | CVSS 6.1 | v9.0, v10.0, +1 more | 2022-01-06
CWE-79: Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
Source: nvd
CVE-2022-21662 | MEDIUM | CVSS 5.4 | Exploited | v9.0, v10.0, +1 more | 2022-01-06
CWE-79: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions
Source: nvd
CVE-2021-28713 | MEDIUM | CVSS 6.5 | v9.0, v10.0, +1 more | 2022-01-05
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one pr
Source: nvd
CVE-2021-28711 | MEDIUM | CVSS 6.5 | v9.0, v10.0, +1 more | 2022-01-05
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one pr
Source: nvd
CVE-2021-28712 | MEDIUM | CVSS 6.5 | v9.0, v10.0, +1 more | 2022-01-05
Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one pr
Source: nvd
CVE-2021-41141 | HIGH | CVSS 7.5 | v9.0 | 2022-01-04
CWE-667: PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when error/failure occurs, it is found that the function returns without releasing the currently held locks. This could result in a system deadlock, whic
Source: nvd
CVE-2021-3842 | HIGH | CVSS 7.5 | v9.0, v10.0, +1 more | 2022-01-04
CWE-1333: nltk is vulnerable to Inefficient Regular Expression Complexity
Source: nvd
CVE-2021-41819 | HIGH | CVSS 7.5 | v9.0, v10.0, +1 more | 2022-01-01
CWE-565: CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
Source: nvd
CVE-2021-41817 | HIGH | CVSS 7.5 | v9.0, v10.0, +1 more | 2022-01-01
CWE-1333: Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Source: nvd
CVE-2021-45960 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2022-01-01
CWE-682: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Source: nvd
CVE-2021-45972 | HIGH | CVSS 7.1 | v9.0, v10.0, +1 more | 2022-01-01
CWE-1284: The giftrans function in giftrans 1.12.2 contains a stack-based buffer overflow because a value inside the input file determines the amount of data to write. This allows an attacker to overwrite up to 250 bytes outside of the allocated buffer with arbitrary data.
Source: nvd
CVE-2021-44716 | HIGH | CVSS 7.5 | v9.0 | 2022-01-01
CWE-400: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Source: nvd
CVE-2021-45944 | MEDIUM | CVSS 5.5 | v9.0, v10.0, +1 more | 2022-01-01
CWE-416: Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called from sampled_data_continue and interp).
Source: nvd