Fedoraproject Fedora vulnerabilities

5,277 known vulnerabilities affecting fedoraproject/fedora.

Total CVEs

5,277

CISA KEV

actively exploited

Public exploits

147

Exploited in wild

101

Severity breakdown

CRITICAL514HIGH2325MEDIUM2265LOW173

Vulnerabilities

Page 62 of 264

CVE-2022-2616MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2616 [MEDIUM] CVE-2022-2616: Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.79 allowed an at Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to spoof the contents of the Omnibox (URL bar) via a crafted Chrome Extension.

nvd

CVE-2022-2615MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2615 [MEDIUM] CWE-565 CVE-2022-2615: Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

nvd

CVE-2022-2622MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2622 [MEDIUM] CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing in Google Chrome on Windows prior to 104 Insufficient validation of untrusted input in Safe Browsing in Google Chrome on Windows prior to 104.0.5112.79 allowed a remote attacker to bypass download restrictions via a crafted file.

nvd

CVE-2022-2611MEDIUMCVSS 4.3v372022-08-12

CVE-2022-2611 [MEDIUM] CVE-2022-2611: Inappropriate implementation in Fullscreen API in Google Chrome on Android prior to 104.0.5112.79 al Inappropriate implementation in Fullscreen API in Google Chrome on Android prior to 104.0.5112.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

nvd

CVE-2022-2618MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2618 [MEDIUM] CWE-20 CVE-2022-2618: Insufficient validation of untrusted input in Internals in Google Chrome prior to 104.0.5112.79 allo Insufficient validation of untrusted input in Internals in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to bypass download restrictions via a malicious file .

nvd

CVE-2022-2619MEDIUMCVSS 4.3v372022-08-12

CVE-2022-2619 [MEDIUM] CWE-116 CVE-2022-2619: Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allow Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted HTML page.

nvd

CVE-2022-2612MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2612 [MEDIUM] CWE-203 CVE-2022-2612: Side-channel information leakage in Keyboard input in Google Chrome prior to 104.0.5112.79 allowed a Side-channel information leakage in Keyboard input in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

nvd

CVE-2022-2605MEDIUMCVSS 6.5v372022-08-12

CVE-2022-2605 [MEDIUM] CWE-125 CVE-2022-2605: Out of bounds read in Dawn in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to pote Out of bounds read in Dawn in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

nvd

CVE-2022-38150HIGHCVSS 7.5v35v362022-08-11

CVE-2022-38150 [HIGH] CWE-400 CVE-2022-38150: In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to asser In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

nvd

CVE-2021-33643CRITICALCVSS 9.1v35v36+1 more2022-08-10

CVE-2021-33643 [CRITICAL] CWE-125 CVE-2021-33643: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.

nvd

CVE-2021-33646HIGHCVSS 7.5v35v36+1 more2022-08-10

CVE-2021-33646 [HIGH] CWE-401 CVE-2021-33646: The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.

nvd

CVE-2022-28131HIGHCVSS 7.5v352022-08-10

CVE-2022-28131 [HIGH] CWE-674 CVE-2022-28131: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an att Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

nvd

CVE-2022-31779HIGHCVSS 7.5v35v362022-08-10

CVE-2022-31779 [HIGH] CWE-20 CVE-2022-31779: Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

nvd

CVE-2021-33644HIGHCVSS 8.1v35v36+1 more2022-08-10

CVE-2021-33644 [HIGH] CWE-125 CVE-2021-33644: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.

nvd

CVE-2022-31780HIGHCVSS 7.5v35v362022-08-10

CVE-2022-31780 [HIGH] CWE-20 CVE-2022-31780: Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

nvd

CVE-2021-33645HIGHCVSS 7.5v35v36+1 more2022-08-10

CVE-2021-33645 [HIGH] CWE-401 CVE-2021-33645: The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.

nvd

CVE-2022-25763HIGHCVSS 7.5v35v362022-08-10

CVE-2022-25763 [HIGH] CWE-444 CVE-2022-25763: Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

nvd

CVE-2022-28129HIGHCVSS 7.5v35v362022-08-10

CVE-2022-28129 [HIGH] CWE-20 CVE-2022-28129: Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows a Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

nvd

CVE-2021-37150HIGHCVSS 7.5v35v362022-08-10

CVE-2021-37150 [HIGH] CWE-20 CVE-2021-37150: Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacke Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

nvd

CVE-2022-2719MEDIUMCVSS 5.5v362022-08-10

CVE-2022-2719 [MEDIUM] CWE-617 CVE-2022-2719: In ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was mad In ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.

nvd

← Previous62 / 264Next →