Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

Page 152 of 496
CVE-2021-39144 | HIGH | CVSS 8.5 | KEV | PoC | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39144 [HIGH] CWE-94: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist lim
nvd
CVE-2021-39147 | HIGH | CVSS 8.5 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39147 [HIGH] CWE-434: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist li
nvd
CVE-2021-39150 | HIGH | CVSS 8.5 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39150 [HIGH] CWE-502: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to
nvd
CVE-2021-39371 | HIGH | CVSS 7.5 | v9.0 | 2021-08-23
CVE-2021-39371 [HIGH] CWE-611: An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
nvd
CVE-2021-39145 | HIGH | CVSS 8.5 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39145 [HIGH] CWE-434: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist li
nvd
CVE-2021-39151 | HIGH | CVSS 8.5 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39151 [HIGH] CWE-434: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist li
nvd
CVE-2020-36478 | HIGH | CVSS 7.5 | v9.0, v10.0 | 2021-08-23
CVE-2020-36478 [HIGH] CWE-295: An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.
nvd
CVE-2021-39148 | HIGH | CVSS 8.5 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39148 [HIGH] CWE-434: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist li
nvd
CVE-2021-39140 | MEDIUM | CVSS 6.3 | v9.0, v10.0 +1 more | 2021-08-23
CVE-2021-39140 [MEDIUM] CWE-502: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected,
nvd
CVE-2021-3731 | MEDIUM | CVSS 4.7 | v10.0, v11.0 | 2021-08-23
CVE-2021-3731 [MEDIUM] CWE-1021: LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targeted user to execute unintended actions.
nvd
CVE-2021-37750 | MEDIUM | CVSS 6.5 | v9.0 | 2021-08-23
CVE-2021-37750 [MEDIUM] CWE-476: The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
nvd
CVE-2021-39365 | MEDIUM | CVSS 5.9 | v9.0, v10.0 +1 more | 2021-08-22
CVE-2021-39365 [MEDIUM]: In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
nvd
CVE-2021-38171 | CRITICAL | CVSS 9.8 | v9.0, v10.0 +1 more | 2021-08-21
CVE-2021-38171 [CRITICAL] CWE-252: adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.
nvd
CVE-2021-37698 | HIGH | CVSS 7.5 | v9.0 | 2021-08-19
CVE-2021-37698 [HIGH] CWE-295: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2
nvd
CVE-2021-21847 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2021-08-18
CVE-2021-21847 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in “stts” decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker ca
nvd
CVE-2021-21843 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2021-08-18
CVE-2021-21843 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of r
nvd
CVE-2021-21837 | HIGH | CVSS 8.8 | v11.0 | 2021-08-18
CVE-2021-21837 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user
nvd
CVE-2021-21845 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2021-08-18
CVE-2021-21845 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in “stsc” decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker ca
nvd
CVE-2021-21844 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2021-08-18
CVE-2021-21844 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when encountering an atom using the “stco” FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that ca
nvd
CVE-2021-21855 | HIGH | CVSS 8.8 | v10.0, v11.0 | 2021-08-18
CVE-2021-21855 [HIGH] CWE-680: Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convinc
nvd