openSUSE Leap vulnerabilities
1,896 known vulnerabilities affecting opensuse/leap.
Total CVEs: 1,896
CISA KEV: 18 (actively exploited)
Public exploits: 57
Exploited in wild: 19
Severity breakdown: CRITICAL 202, HIGH 798, MEDIUM 803, LOW 93
Vulnerabilities
CVE-2020-6487 [MEDIUM] CVSS 6.5 | CWE-276 | v15.1 | 2020-05-21
Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6475 [MEDIUM] CVSS 6.5 | v15.1 | 2020-05-21
Incorrect implementation in full screen in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page.
nvd
CVE-2020-6480 [MEDIUM] CVSS 6.5 | CWE-276 | v15.1 | 2020-05-21
Insufficient policy enforcement in enterprise in Google Chrome prior to 83.0.4103.61 allowed a local attacker to bypass navigation restrictions via UI actions.
nvd
CVE-2020-6478 [MEDIUM] CVSS 6.5 | v15.1 | 2020-05-21
Inappropriate implementation in full screen in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page.
nvd
CVE-2020-6482 [MEDIUM] CVSS 6.5 | CWE-276 | v15.1 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
nvd
CVE-2020-6488 [MEDIUM] CVSS 4.3 | CWE-276 | v15.1 | 2020-05-21
Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6483 [MEDIUM] CVSS 6.5 | CWE-276 | v15.1 | 2020-05-21
Insufficient policy enforcement in payments in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6485 [MEDIUM] CVSS 6.5 | CWE-20 | v15.1 | 2020-05-21
Insufficient data validation in media router in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-6472 [MEDIUM] CVSS 6.5 | v15.1 | 2020-05-21
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory or disk via a crafted Chrome Extension.
nvd
CVE-2020-6470 [MEDIUM] CVSS 6.1 | CWE-79 | v15.1 | 2020-05-21
Insufficient validation of untrusted input in clipboard in Google Chrome prior to 83.0.4103.61 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via crafted clipboard contents.
nvd
CVE-2020-6484 [MEDIUM] CVSS 6.5 | CWE-276 | v15.1 | 2020-05-21
Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request.
nvd
CVE-2020-6489 [MEDIUM] CVSS 4.3 | CWE-200 | v15.1 | 2020-05-21
Inappropriate implementation in developer tools in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had convinced the user to take certain actions in developer tools to obtain potentially sensitive information from disk via a crafted HTML page.
nvd
CVE-2020-6486 [MEDIUM] CVSS 6.5 | v15.1 | 2020-05-21
Insufficient policy enforcement in navigations in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2020-10725 [HIGH] CVSS 7.7 | CWE-665 | v15.1 | 2020-05-20
A flaw was found in DPDK version 19.11 and above that allows a malicious guest to cause a segmentation fault of the vhost-user backend application running on the host, which could result in a loss of connectivity for the other guests running on that host. This is caused by a missing validity check of the descriptor address in the function `virtio_dev_
nvd
CVE-2020-13249 [HIGH] CVSS 8.8 | v15.1 | 2020-05-20
libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
nvd
CVE-2020-9484 [HIGH] CVSS 7.0 | PoC | CWE-502 | v15.1 | 2020-05-20
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassN
nvd
CVE-2020-10726 [MEDIUM] CVSS 4.4 | CWE-190 | v15.1 | 2020-05-20
A vulnerability was found in DPDK versions 19.11 and above. A malicious container that has direct access to the vhost-user socket can keep sending VHOST_USER_GET_INFLIGHT_FD messages, causing a resource leak (file descriptors and virtual memory), which may result in a denial of service.
nvd
CVE-2020-12663 [HIGH] CVSS 7.5 | CWE-835 | v15.1, v15.2 | 2020-05-19
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
nvd
CVE-2020-12244 [HIGH] CVSS 7.5 | CWE-347 | v15.1 | 2020-05-19
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
nvd
CVE-2020-13164 [HIGH] CVSS 7.5 | CWE-674 | v15.1, v15.2 | 2020-05-19
In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in epan/dissectors/packet-nfs.c by preventing excessive recursion, such as for a cycle in the directory graph on a filesystem.
nvd