Debian Linux vulnerabilities

9,914 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,914
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4113, MEDIUM 4311, LOW 362

Vulnerabilities

Page 175 of 496
CVE-2020-36281 | HIGH | CVSS 7.5 | v9.0 | 2021-03-12
CWE-125: Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.
Source: NVD
CVE-2021-21366 | MEDIUM | CVSS 4.3 | v10.0 | 2021-03-12
CWE-115: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some d
Source: NVD
CVE-2020-36277 | HIGH | CVSS 7.5 | v9.0 | 2021-03-11
CWE-670: Leptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c.
Source: NVD
CVE-2021-21381 | HIGH | CVSS 8.2 | v10.0 | 2021-03-11
CWE-74: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Flatpak since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special
Source: NVD
CVE-2021-28153 | MEDIUM | CVSS 5.3 | v9.0 | 2021-03-11
CWE-59: An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink
Source: NVD
CVE-2020-13936 | HIGH | CVSS 8.8 | v9.0 | 2021-03-10
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Source: NVD
CVE-2021-21772 | HIGH | CVSS 8.1 | v10.0 | 2021-03-10
CWE-416: A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Source: NVD
CVE-2020-13959 | MEDIUM | CVSS 6.1 | v9.0 | 2021-03-10
CWE-79: The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked
Source: NVD
CVE-2021-21375 | MEDIUM | CVSS 6.5 | v9.0 | 2021-03-10
CWE-400: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This
Source: NVD
CVE-2021-20272 | HIGH | CVSS 7.5 | v9.0 | 2021-03-09
CWE-617: A flaw was found in privoxy before 3.0.32. An assertion failure could be triggered with a crafted CGI request leading to server crash.
Source: NVD
CVE-2021-21165 | HIGH | CVSS 8.8 | v10.0 | 2021-03-09
CWE-362: Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD
CVE-2021-21179 | HIGH | CVSS 8.8 | v10.0 | 2021-03-09
CWE-416: Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD
CVE-2021-21161 | HIGH | CVSS 8.8 | v9.0 | 2021-03-09
CWE-787: Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD
CVE-2021-20273 | HIGH | CVSS 7.5 | v9.0 | 2021-03-09
CWE-20: A flaw was found in privoxy before 3.0.32. A crash can occur via a crafted CGI request if Privoxy is toggled off.
Source: NVD
CVE-2021-20276 | HIGH | CVSS 7.5 | v9.0 | 2021-03-09
CWE-119: A flaw was found in privoxy before 3.0.32. Invalid memory access with an invalid pattern passed to pcre_compile() may lead to denial of service.
Source: NVD
CVE-2021-21188 | HIGH | CVSS 8.8 | v10.0 | 2021-03-09
CWE-416: Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD
CVE-2020-35523 | HIGH | CVSS 7.8 | v9.0, v10.0 | 2021-03-09
CWE-190: An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Source: NVD
CVE-2021-21166 | HIGH | CVSS 8.8 | KEV | v10.0 | 2021-03-09
CWE-362: Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD
CVE-2021-21174 | HIGH | CVSS 8.8 | v10.0 | 2021-03-09
Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Source: NVD
CVE-2021-21160 | HIGH | CVSS 8.8 | v10.0 | 2021-03-09
CWE-787: Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: NVD