Redhat Enterprise Linux vulnerabilities

CVE-2019-3842 [HIGH] CWE-285 CVE-2019-3842: In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the enviro In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather tha

CVE-2019-3887 [MEDIUM] CWE-863 CVE-2019-3887: A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access wi A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versio

CVE-2019-3880 [MEDIUM] CWE-22 CVE-2019-3880: A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share. Versions before 4.8.11, 4.9.6 and 4.10.2 are vulnerable.

CVE-2019-0757 [MEDIUM] CVE-2019-0757: A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package's folder structure, aka 'NuGet Package Manager Tampering Vulnerability'.

CVE-2019-0211 [HIGH] CWE-416 CVE-2019-0211: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executi In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are

CVE-2019-0160 [CRITICAL] CWE-120 CVE-2019-0160: Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable e Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access.

CVE-2019-3877 [MEDIUM] CWE-601 CVE-2019-3877: A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allo A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect U

CVE-2019-3878 [HIGH] CWE-305 CVE-2019-3878: A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse pr A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authenticatio

CVE-2019-3856 [HIGH] CWE-190 CVE-2019-3856: An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 befo An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2019-3857 [HIGH] CWE-190 CVE-2019-3857: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2019-3838 [MEDIUM] CWE-648 CVE-2019-3838: It was found that the forceput operator could be extracted from the DefineResource method in ghostsc It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

CVE-2019-3874 [MEDIUM] CWE-400 CVE-2019-3874: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.

CVE-2018-16838 [MEDIUM] CWE-284 CVE-2018-16838: A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD d A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.

CVE-2019-3855 [HIGH] CWE-190 CVE-2019-3855: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2018-20615 [HIGH] CWE-125 CVE-2018-20615: An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.

CVE-2019-7221 [HIGH] CWE-416 CVE-2019-7221: The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.

CVE-2019-7222 [MEDIUM] CVE-2019-7222: The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.

CVE-2019-9903 [MEDIUM] CWE-787 CVE-2019-9903: PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumpt PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.

CVE-2019-6454 [MEDIUM] CWE-787 CVE-2019-6454: An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-obje An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the sta

CVE-2019-3816 [HIGH] CWE-22 CVE-2019-3816: Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because t Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server.