cpe:/a:microsoft:.net_framework:3.5.1 cpe:/a:microsoft:.net_framework:1.1:sp1 cpe:/a:microsoft:.net_framework:4.5 cpe:/a:microsoft:.net_framework:1.0:sp3 cpe:/a:microsoft:.net_framework:2.0:sp2 cpe:/a:microsoft:.net_framework:3.5 cpe:/a:microsoft:.net_framework:4.0

CVE-2013-0001

2013-01-09T13:09:37.993-05:00

2013-01-16T00:00:00.000-05:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-09T13:20:00.000-05:00

MS MS13-004 The Windows Forms (aka WinForms) component in Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 4, and 4.5 does not properly initialize memory arrays, which allows remote attackers to obtain sensitive information via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a pointer to an unmanaged memory location, aka "System Drawing Information Disclosure Vulnerability."

CVE-2013-0002

2013-01-09T13:09:39.977-05:00

2013-02-25T23:53:02.910-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-01-09T13:53:00.000-05:00

CERT TA13-008A MS MS13-004 Buffer overflow in the Windows Forms (aka WinForms) component in Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, and 4.5 allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages improper counting of objects during a memory copy operation, aka "WinForms Buffer Overflow Vulnerability."

cpe:/a:microsoft:.net_framework:3.5.1 cpe:/a:microsoft:.net_framework:4.5 cpe:/a:microsoft:.net_framework:2.0:sp2 cpe:/a:microsoft:.net_framework:3.5 cpe:/a:microsoft:.net_framework:4.0

CVE-2013-0003

2013-01-09T13:09:40.040-05:00

2013-02-25T23:53:03.393-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-01-09T14:16:00.000-05:00

CERT TA13-008A MS MS13-004 Buffer overflow in a System.DirectoryServices.Protocols (S.DS.P) namespace method in Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, and 4.5 allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a missing array-size check during a memory copy operation, aka "S.DS.P Buffer Overflow Vulnerability."

CVE-2013-0004

2013-01-09T13:09:40.087-05:00

2013-02-25T23:53:03.690-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-01-09T14:24:00.000-05:00

CERT TA13-008A MS MS13-004 Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly validate the permissions of objects in memory, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application, aka "Double Construction Vulnerability."

cpe:/a:microsoft:.net_framework:3.5.1 cpe:/a:microsoft:management_odata_iis_extension:- cpe:/a:microsoft:.net_framework:3.5:sp1 cpe:/a:microsoft:.net_framework:3.5 cpe:/a:microsoft:.net_framework:4.0

CVE-2013-0005

2013-01-09T13:09:40.133-05:00

2013-02-25T23:53:03.970-05:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-01-09T14:40:00.000-05:00

CERT TA13-008A MS MS13-007 The WCF Replace function in the Open Data (aka OData) protocol implementation in Microsoft .NET Framework 3.5, 3.5 SP1, 3.5.1, and 4, and the Management OData IIS Extension on Windows Server 2012, allows remote attackers to cause a denial of service (resource consumption and daemon restart) via crafted values in HTTP requests, aka "Replace Denial of Service Vulnerability."

cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_8:-:-:x64 cpe:/o:microsoft:windows_server_2008:r2:-:x64 cpe:/o:microsoft:windows_xp:-:sp2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium cpe:/a:microsoft:xml_core_services:6.0 cpe:/a:microsoft:groove_server:2007:sp2 cpe:/o:microsoft:windows_server_2003::sp2:itanium cpe:/a:microsoft:word_viewer cpe:/o:microsoft:windows_server_2008:-:sp2:itanium cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/a:microsoft:office:2007:sp3 cpe:/a:microsoft:xml_core_services:4.0 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/a:microsoft:expression_web:2 cpe:/a:microsoft:office_compatibility_pack::sp2 cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/a:microsoft:expression_web::sp1 cpe:/a:microsoft:xml_core_services:3.0 cpe:/o:microsoft:windows_server_2012:- cpe:/a:microsoft:office:2007:sp2 cpe:/a:microsoft:office_compatibility_pack::sp3 cpe:/o:microsoft:windows_server_2008:-:sp2:x64 cpe:/a:microsoft:office:2003:sp3 cpe:/o:microsoft:windows_rt:- cpe:/a:microsoft:groove_server:2007:sp3 cpe:/a:microsoft:xml_core_services:5.0 cpe:/o:microsoft:windows_7:-:-:x86 cpe:/a:microsoft:sharepoint_server:2007:sp2 cpe:/o:microsoft:windows_server_2003::sp2:x64 cpe:/o:microsoft:windows_7:-:-:x64 cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7:-:sp1:x64 cpe:/a:microsoft:sharepoint_server:2007:sp3

CVE-2013-0006

2013-01-09T13:09:40.163-05:00

2013-02-25T23:53:04.143-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-01-10T08:27:00.000-05:00

CERT TA13-008A MS MS13-002 Microsoft XML Core Services (aka MSXML) 3.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML Integer Truncation Vulnerability."

CVE-2013-0007

2013-01-09T13:09:40.227-05:00

2013-02-25T23:53:04.317-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-01-10T09:32:00.000-05:00

CERT TA13-008A MS MS13-002 Microsoft XML Core Services (aka MSXML) 4.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML XSLT Vulnerability."

cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_7:::x86 cpe:/o:microsoft:windows_server_2012:- cpe:/o:microsoft:windows_server_2008::sp2:x64 cpe:/o:microsoft:windows_8:-:-:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium cpe:/o:microsoft:windows_rt:- cpe:/o:microsoft:windows_7:::x64 cpe:/o:microsoft:windows_server_2008:r2::x64 cpe:/o:microsoft:windows_8:-:-:x86 cpe:/o:microsoft:windows_server_2008:-:sp2:itanium cpe:/o:microsoft:windows_server_2008:r2::itanium cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7::sp1:x86 cpe:/o:microsoft:windows_7:-:sp1:x64

CVE-2013-0008

2013-01-09T13:09:40.320-05:00

2013-02-25T23:53:04.567-05:00

7.2

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-01-10T09:44:00.000-05:00

CERT TA13-008A MS MS13-005 win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

cpe:/a:microsoft:system_center_operations_manager:2007:sp1 cpe:/a:microsoft:system_center_operations_manager:2007:r2

CVE-2013-0009

2013-01-09T13:09:40.397-05:00

2013-02-25T23:53:04.767-05:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-10T09:49:00.000-05:00

CERT TA13-008A MS MS13-003 Cross-site scripting (XSS) vulnerability in Microsoft System Center Operations Manager 2007 SP1 and R2 allows remote attackers to inject arbitrary web script or HTML via crafted input, aka "System Center Operations Manager Web Console XSS Vulnerability," a different vulnerability than CVE-2013-0010.

cpe:/a:microsoft:system_center_operations_manager:2007:sp1 cpe:/a:microsoft:system_center_operations_manager:2007:r2

CVE-2013-0010

2013-01-09T13:09:40.460-05:00

2013-02-25T23:53:04.957-05:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-10T09:57:00.000-05:00

cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_server_2008::r2:x64 cpe:/o:microsoft:windows_7:::x64 cpe:/o:microsoft:windows_7:::x86 cpe:/o:microsoft:windows_server_2008::r2:itanium cpe:/o:microsoft:windows_7::sp1:x86 cpe:/o:microsoft:windows_7::sp1:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium

CVE-2013-0011

2013-01-09T13:09:40.493-05:00

2013-02-25T23:53:05.173-05:00

10.0

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-01-10T10:01:00.000-05:00

CERT TA13-008A MS MS13-001 The Print Spooler in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted print job, aka "Windows Print Spooler Components Vulnerability."

cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/o:microsoft:windows_server_2008::r2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_7:::x86 cpe:/o:microsoft:windows_server_2012:- cpe:/o:microsoft:windows_server_2008::sp2:x64 cpe:/o:microsoft:windows_8:-:-:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium cpe:/o:microsoft:windows_rt:- cpe:/o:microsoft:windows_server_2008::sp2:itanium cpe:/o:microsoft:windows_7:::x64 cpe:/o:microsoft:windows_8:-:-:x86 cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7::sp1:x86 cpe:/o:microsoft:windows_server_2008::r2:itanium cpe:/o:microsoft:windows_7::sp1:x64

CVE-2013-0013

2013-01-09T13:09:40.540-05:00

2013-02-25T23:53:05.347-05:00

5.8

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-10T10:05:00.000-05:00

CERT TA13-008A MS MS13-006 The SSL provider component in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle encrypted packets, which allows man-in-the-middle attackers to conduct SSLv2 downgrade attacks against (1) SSLv3 sessions or (2) TLS sessions by intercepting handshakes and injecting content, aka "Microsoft SSL Version 3 and TLS Protocol Security Feature Bypass Vulnerability."

cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0015

2013-02-13T07:04:11.697-05:00

2013-02-13T00:00:00.000-05:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-13T12:58:00.000-05:00

MS MS13-009 Microsoft Internet Explorer 6 through 9 does not properly perform auto-selection of the Shift JIS encoding, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site that triggers cross-domain scrolling events, aka "Shift JIS Character Encoding Vulnerability."

cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0018

2013-02-13T07:04:11.743-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:56:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SetCapture Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0019

2013-02-13T07:04:11.773-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:04:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer COmWindowProxy Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:9

CVE-2013-0020

2013-02-13T07:04:11.820-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:51:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer CMarkup Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0021

2013-02-13T07:04:11.867-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T09:24:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer vtable Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:9

CVE-2013-0022

2013-02-13T07:04:11.900-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:53:00.000-05:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0023

2013-02-13T07:04:11.947-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T09:52:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer CDispNode Use After Free Vulnerability."

cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_server_2008::r2:x64 cpe:/o:microsoft:windows_server_2008::sp2:x64 cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0024

2013-02-13T07:04:11.993-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T09:55:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer pasteHTML Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:8

CVE-2013-0025

2013-02-13T07:04:12.040-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:13:00.000-05:00

MS MS13-009 Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:9

CVE-2013-0026

2013-02-13T07:04:12.087-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:15:00.000-05:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0027

2013-02-13T07:04:12.117-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:20:00.000-05:00

cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2008::r2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:x64 cpe:/o:microsoft:windows_server_2008::sp2:x64 cpe:/a:microsoft:internet_explorer:7 cpe:/o:microsoft:windows_xp:-:sp2:x64 cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium cpe:/o:microsoft:windows_server_2003::sp2:itanium cpe:/o:microsoft:windows_server_2008:-:sp2:itanium cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/o:microsoft:windows_7::sp1:x64 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/o:microsoft:windows_7:::x86 cpe:/a:microsoft:internet_explorer:8 cpe:/o:microsoft:windows_vista:-:sp2 cpe:/o:microsoft:windows_7:-:sp1:x86 cpe:/o:microsoft:windows_7:::x64 cpe:/o:microsoft:windows_7:-:-:x86 cpe:/o:microsoft:windows_server_2003::sp2:x64 cpe:/o:microsoft:windows_7::sp1:x86 cpe:/a:microsoft:internet_explorer:6 cpe:/o:microsoft:windows_7:-:-:x64 cpe:/o:microsoft:windows_server_2008::r2:itanium cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_7:-:sp1:x64 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0028

2013-02-13T07:04:12.167-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:34:00.000-05:00

cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0029

2013-02-13T07:04:12.197-05:00

2013-02-15T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:38:00.000-05:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0030

2013-02-13T07:04:12.243-05:00

2013-03-08T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T13:14:00.000-05:00

MS MS13-010 The Vector Markup Language (VML) implementation in Microsoft Internet Explorer 6 through 10 does not properly allocate buffers, which allows remote attackers to execute arbitrary code via a crafted web site, aka "VML Memory Corruption Vulnerability."

cpe:/a:microsoft:.net_framework:3.5.1 cpe:/a:microsoft:.net_framework:4.5 cpe:/a:microsoft:.net_framework:2.0:sp2 cpe:/a:microsoft:.net_framework:3.5 cpe:/a:microsoft:.net_framework:4.0

CVE-2013-0073

2013-02-13T07:04:12.290-05:00

2013-02-13T00:00:00.000-05:00

10.0

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T13:14:00.000-05:00

MS MS13-015 The Windows Forms (aka WinForms) component in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly restrict the privileges of a callback function during object creation, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application, aka "WinForms Callback Elevation Vulnerability."

cpe:/a:microsoft:silverlight:5.0.60818.0:rc cpe:/a:microsoft:silverlight:5.0.61118.0 cpe:/a:microsoft:silverlight:5.0.60401.0

CVE-2013-0074

2013-03-12T20:55:01.137-04:00

2013-05-03T23:22:42.507-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T09:41:00.000-04:00

CERT TA13-071A MS MS13-022 Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

CVE-2013-0075

2013-02-13T07:04:12.320-05:00

2013-02-13T00:00:00.000-05:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T13:25:00.000-05:00

MS MS13-018 The TCP/IP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT allows remote attackers to cause a denial of service (reboot) via a crafted packet that terminates a TCP connection, aka "TCP FIN WAIT Vulnerability."

CVE-2013-0076

2013-02-13T07:04:12.367-05:00

2013-02-13T00:00:00.000-05:00

7.2

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T13:33:00.000-05:00

MS MS13-019 The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Reference Count Vulnerability."

cpe:/o:microsoft:windows_vista::sp2:x64 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2008::sp2:itanium cpe:/o:microsoft:windows_server_2003::sp2:itanium cpe:/o:microsoft:windows_server_2008::sp2:x64 cpe:/o:microsoft:windows_server_2008::sp2:x86 cpe:/o:microsoft:windows_server_2003::sp2:x64 cpe:/o:microsoft:windows_vista::sp2 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_xp:-:sp2:x64 cpe:/o:microsoft:windows_server_2008::sp2

CVE-2013-0077

2013-02-13T07:04:12.417-05:00

2013-03-04T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T13:48:00.000-05:00

MS MS13-011 Quartz.dll in DirectShow in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via crafted media content in (1) a media file, (2) a media stream, or (3) a Microsoft Office document, aka "Media Decompression Vulnerability."

cpe:/a:microsoft:windows_defender

CVE-2013-0078

2013-04-09T18:55:01.063-04:00

2013-04-10T00:00:00.000-04:00

7.2

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-04-10T11:01:00.000-04:00

MS MS13-034 The Microsoft Antimalware Client in Windows Defender on Windows 8 and Windows RT uses an incorrect pathname for MsMpEng.exe, which allows local users to gain privileges via a crafted application, aka "Microsoft Antimalware Improper Pathname Vulnerability."

cpe:/a:microsoft:office_filter_pack:2010:sp1:x86 cpe:/a:microsoft:visio:2010:sp1:x64 cpe:/a:microsoft:visio_viewer:2010:sp1:x86 cpe:/a:microsoft:visio_viewer:2010:sp1:x64 cpe:/a:microsoft:office_filter_pack:2010:sp1:x64 cpe:/a:microsoft:visio:2010:sp1:x86

CVE-2013-0079

2013-03-12T20:55:01.167-04:00

2013-05-03T23:22:42.843-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T10:15:00.000-04:00

CERT TA13-071A MS MS13-023 Microsoft Visio Viewer 2010 SP1 allows remote attackers to execute arbitrary code via a crafted Visio file that triggers incorrect memory allocation, aka "Visio Viewer Tree Object Type Confusion Vulnerability."

cpe:/a:microsoft:sharepoint_server:2010:sp1 cpe:/a:microsoft:sharepoint_foundation:2010:sp1

CVE-2013-0080

2013-03-12T20:55:01.183-04:00

2013-05-03T23:22:42.913-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-16T10:23:00.000-04:00

CERT TA13-071A MS MS13-024 Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allow remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "Callback Function Vulnerability."

cpe:/a:microsoft:sharepoint_server:2010:sp1 cpe:/a:microsoft:sharepoint_foundation:2010:sp1

CVE-2013-0083

2013-03-12T20:55:01.200-04:00

2013-05-03T23:22:42.983-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-16T10:27:00.000-04:00

CERT TA13-071A MS MS13-024 Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server 2010 SP1 allows remote attackers to inject arbitrary web script or HTML via crafted content, leading to administrative command execution, aka "SharePoint XSS Vulnerability."

cpe:/a:microsoft:sharepoint_server:2010:sp1 cpe:/a:microsoft:sharepoint_foundation:2010:sp1

CVE-2013-0084

2013-03-12T20:55:01.217-04:00

2013-05-03T23:22:43.057-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-16T10:30:00.000-04:00

CERT TA13-071A MS MS13-024 Directory traversal vulnerability in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to bypass intended read restrictions for content, and hijack user accounts, via a crafted URL, aka "SharePoint Directory Traversal Vulnerability."

cpe:/a:microsoft:sharepoint_server:2010:sp1 cpe:/a:microsoft:sharepoint_foundation:2010:sp1

CVE-2013-0085

2013-03-12T20:55:01.230-04:00

2013-05-03T23:22:43.127-04:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T10:33:00.000-04:00

CERT TA13-071A MS MS13-024 Buffer overflow in Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP1 allows remote attackers to cause a denial of service (W3WP process crash and site outage) via a crafted URL, aka "Buffer Overflow Vulnerability."

cpe:/a:microsoft:sharepoint_server:2010:sp1 cpe:/a:microsoft:sharepoint_foundation:2010:sp1

CVE-2013-0086

2013-03-12T20:55:01.247-04:00

2013-05-03T23:22:43.197-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-16T10:34:00.000-04:00

CERT TA13-071A MS MS13-025 Microsoft OneNote 2010 SP1 does not properly determine buffer sizes during memory allocation, which allows remote attackers to obtain sensitive information via a crafted OneNote file, aka "Buffer Size Validation Vulnerability."

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0087

2013-03-12T20:55:01.263-04:00

2013-05-03T23:22:43.263-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T10:36:00.000-04:00

CERT TA13-071A MS MS13-021 Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer OnResize Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0088

2013-03-12T20:55:01.277-04:00

2013-05-03T23:22:43.333-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:21:00.000-04:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0089

2013-03-12T20:55:01.293-04:00

2013-05-03T23:22:43.400-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:24:00.000-04:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0090

2013-03-12T20:55:01.310-04:00

2013-05-03T23:22:44.210-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:25:00.000-04:00

cpe:/a:microsoft:internet_explorer:8

CVE-2013-0091

2013-03-12T20:55:01.327-04:00

2013-05-03T23:22:44.280-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:28:00.000-04:00

CERT TA13-071A MS MS13-021 Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer CElement Use After Free Vulnerability."

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0092

2013-03-12T20:55:01.357-04:00

2013-05-03T23:22:44.347-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:31:00.000-04:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0093

2013-03-12T20:55:01.370-04:00

2013-05-03T23:22:44.417-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:33:00.000-04:00

cpe:/a:microsoft:internet_explorer:10 cpe:/a:microsoft:internet_explorer:7 cpe:/a:microsoft:internet_explorer:6 cpe:/a:microsoft:internet_explorer:8 cpe:/a:microsoft:internet_explorer:9

CVE-2013-0094

2013-03-12T20:55:01.387-04:00

2013-05-03T23:22:44.487-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-03-16T11:34:00.000-04:00

cpe:/a:microsoft:office:2011::mac cpe:/a:microsoft:office:2008::mac

CVE-2013-0095

2013-03-12T20:55:01.403-04:00

2013-05-03T23:22:44.557-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-16T11:38:00.000-04:00

CERT TA13-071A MS MS13-026 Outlook in Microsoft Office for Mac 2008 before 12.3.6 and Office for Mac 2011 before 14.3.2 allows remote attackers to trigger access to a remote URL and consequently confirm the rendering of an HTML e-mail message by including unspecified HTML5 elements and leveraging the installation of a WebKit browser on the victim's machine, aka "Unintended Content Loading Vulnerability."

cpe:/a:microsoft:windows_essentials:2011 cpe:/a:microsoft:windows_essentials:2012

CVE-2013-0096

2013-05-14T23:36:33.357-04:00

2013-05-15T00:00:00.000-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-05-15T09:26:00.000-04:00

MS MS13-045 Writer in Microsoft Windows Essentials 2011 and 2012 allows remote attackers to bypass proxy settings and overwrite arbitrary files via crafted URL parameters, aka "Windows Essentials Improper URI Handling Vulnerability."

cpe:/a:foxitsoftware:foxit_advanced_pdf_editor:3.0

CVE-2013-0107

2013-01-26T16:55:01.007-05:00

2013-01-30T00:00:00.000-05:00

7.6

NETWORK

HIGH

NONE

COMPLETE

http://nvd.nist.gov

2013-01-28T10:13:00.000-05:00

CERT-VN VU#275219 Stack-based buffer overflow in Foxit Advanced PDF Editor 3 before 3.04 might allow remote attackers to execute arbitrary code via a crafted document containing instructions that reconstruct a certain security cookie.

cpe:/a:honeywell:enterprise_buildings_integrator:r400.2 cpe:/a:honeywell:symmetre:r410.1 cpe:/a:honeywell:enterprise_buildings_integrator:r410.2 cpe:/a:honeywell:comfortpoint_open_manager_station:r100 cpe:/a:honeywell:symmetre:r310 cpe:/a:honeywell:enterprise_buildings_integrator:r410.1 cpe:/a:honeywell:enterprise_buildings_integrator:r310 cpe:/a:honeywell:symmetre:r400.2

CVE-2013-0108

2013-02-24T06:48:21.407-05:00

2013-02-25T00:00:00.000-05:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-02-25T13:40:00.000-05:00

MISC http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.

cpe:/a:nvidia:display_driver:307.00:-:%7E%7E%7Ewindows%7E%7E cpe:/a:nvidia:display_driver:310.00:-:%7E%7E%7Ewindows%7E%7E

CVE-2013-0109

2013-04-08T12:55:01.977-04:00

2013-04-09T00:00:00.000-04:00

7.2

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-04-09T10:02:00.000-04:00

CERT-VN VU#957036 CONFIRM http://www.nvidia.com/object/product-security.html The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not properly handle exceptions, which allows local users to gain privileges or cause a denial of service (memory overwrite) via a crafted application.

cpe:/a:nvidia:driver:310.00:-:%7E%7E%7Ewindows%7E%7E cpe:/a:nvidia:driver:307.00:-:%7E%7E%7Ewindows%7E%7E

CVE-2013-0110

2013-04-08T12:55:02.010-04:00

2013-04-09T10:19:41.337-04:00

6.8

LOCAL

LOW

SINGLE_INSTANCE

COMPLETE

http://nvd.nist.gov

2013-04-09T10:14:00.000-04:00

CERT-VN VU#957036 CONFIRM http://www.nvidia.com/object/product-security.html nvSCPAPISvr.exe in the NVIDIA Stereoscopic 3D Driver service, as distributed with the NVIDIA driver before 307.78, and Release 310 before 311.00, on Windows, lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program.

cpe:/a:nvidia:driver:310.00:-:%7E%7E%7Ewindows%7E%7E cpe:/a:nvidia:driver:307.00:-:%7E%7E%7Ewindows%7E%7E

CVE-2013-0111

2013-04-08T12:55:02.073-04:00

2013-04-09T10:24:19.733-04:00

6.8

LOCAL

LOW

SINGLE_INSTANCE

COMPLETE

http://nvd.nist.gov

2013-04-09T10:21:00.000-04:00

CERT-VN VU#957036 CONFIRM http://www.nvidia.com/object/product-security.html daemonu.exe (aka the NVIDIA Update Service Daemon), as distributed with the NVIDIA driver before 307.78, and Release 310 before 311.00, on Windows, lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program.

cpe:/a:nuance:pdf_reader:7.0 cpe:/a:nuance:pdf_reader_plus:7.1

CVE-2013-0113

2013-02-24T06:48:21.457-05:00

2013-02-26T00:00:00.000-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-25T12:54:00.000-05:00

CERT-VN VU#248449 Nuance PDF Reader 7.0 and PDF Viewer Plus 7.1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document.

cpe:/a:cs-cart:cs-cart:3.0.4 cpe:/a:cs-cart:cs-cart:3.0.3 cpe:/a:cs-cart:cs-cart:3.0 cpe:/a:cs-cart:cs-cart:3.0.5 cpe:/a:cs-cart:cs-cart:3.0.2

CVE-2013-0118

2013-02-24T06:48:21.487-05:00

2013-02-25T00:00:00.000-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-25T13:43:00.000-05:00

CERT-VN VU#583564 CONFIRM http://www.kb.cert.org/vuls/id/BLUU-949PQL CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

cpe:/h:dell:powerconnect_6248p:-

CVE-2013-0120

2013-02-24T06:48:21.533-05:00

2013-02-25T00:00:00.000-05:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-25T13:35:00.000-05:00

CERT-VN VU#160460 The web interface on Dell PowerConnect 6248P switches allows remote attackers to cause a denial of service (device crash) via a malformed request.

cpe:/a:avas%21t:avast%21_mobile_security:2.0.4304:-:%7E%7E%7Eandroid%7E%7E

CVE-2013-0122

2013-04-21T23:27:12.987-04:00

2013-04-22T00:00:00.000-04:00

1.9

LOCAL

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-04-22T10:14:00.000-04:00

CERT-VN VU#131263 The avast! Mobile Security application before 2.0.4400 for Android allows attackers to cause a denial of service (application crash) via a crafted application that sends an intent to com.avast.android.mobilesecurity.app.scanner.DeleteFileActivity with zero arguments.

cpe:/a:askia:askiaweb:-

CVE-2013-0123

2013-03-21T17:55:00.887-04:00

2013-03-22T00:00:00.000-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-22T11:47:00.000-04:00

CERT-VN VU#406596 Multiple SQL injection vulnerabilities in the administration interface in ASKIA askiaweb allow remote attackers to execute arbitrary SQL commands via (1) the nHistoryId parameter to WebProd/pages/pgHistory.asp or (2) the OrderBy parameter to WebProd/pages/pgadmin.asp.

cpe:/a:askia:askiaweb:-

CVE-2013-0124

2013-03-21T17:55:00.910-04:00

2013-03-22T00:00:00.000-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-22T11:51:00.000-04:00

CERT-VN VU#406596 Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in ASKIA askiaweb allow remote attackers to inject arbitrary web script or HTML via the (1) Number or (2) UpdatePage parameter to WebProd/cgi-bin/AskiaExt.dll.

cpe:/a:c2enterprise:c2_webresource:-

CVE-2013-0125

2013-04-04T15:55:01.150-04:00

2013-04-05T00:00:00.000-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-05T08:39:00.000-04:00

CERT-VN VU#418923 Cross-site scripting (XSS) vulnerability in fileview.asp in C2 WebResource allows remote attackers to inject arbitrary web script or HTML via the File parameter.

cpe:/h:verizon:fios_actiontec_mi424wr-gen31_router:- cpe:/o:verizon:fios_actiontec_mi424wr-gen31_router_firmware:40.19.36

CVE-2013-0126

2013-03-21T16:55:01.910-04:00

2013-03-22T23:15:03.973-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-22T11:13:00.000-04:00

CERT-VN VU#278204 EXPLOIT-DB 24860 MISC http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters.

cpe:/a:ibm:lotus_notes:8.0.1 cpe:/a:ibm:lotus_notes:8.5.1.3 cpe:/a:ibm:lotus_notes:8.0.2.6 cpe:/a:ibm:lotus_notes:8.0.2.0 cpe:/a:ibm:lotus_notes:8.5.3.2 cpe:/a:ibm:lotus_notes:8.0 cpe:/a:ibm:lotus_notes:8.5.1.0 cpe:/a:ibm:lotus_notes:8.0.2.5 cpe:/a:ibm:lotus_notes:8.5.3 cpe:/a:ibm:lotus_notes:8.5.1.1 cpe:/a:ibm:lotus_notes:9.0.0.0 cpe:/a:ibm:lotus_notes:8.5.2.2 cpe:/a:ibm:lotus_notes:8.5.2.1 cpe:/a:ibm:lotus_notes:8.0.0 cpe:/a:ibm:lotus_notes:8.5.2.3 cpe:/a:ibm:lotus_notes:8.0.2.4 cpe:/a:ibm:lotus_notes:8.0.2.2 cpe:/a:ibm:lotus_notes:8.5.1.5 cpe:/a:ibm:lotus_notes:8.0.2.3 cpe:/a:ibm:lotus_notes:8.0.2 cpe:/a:ibm:lotus_notes:8.5.1 cpe:/a:ibm:lotus_notes:8.5.3.1 cpe:/a:ibm:lotus_notes:8.5.0.0 cpe:/a:ibm:lotus_notes:8.5.1.2 cpe:/a:ibm:lotus_notes:8.5.0.1 cpe:/a:ibm:lotus_notes:8.5.3.3 cpe:/a:ibm:lotus_notes:8.0.2.1 cpe:/a:ibm:lotus_notes:8.5.2.0 cpe:/a:ibm:lotus_notes:8.5 cpe:/a:ibm:lotus_notes:8.5.1.4

CVE-2013-0127

2013-05-01T08:00:07.730-04:00

2013-05-01T00:00:00.000-04:00

5.8

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-05-01T08:47:00.000-04:00

CERT-VN VU#912420 XF ibm-notes-applet-tags(83775) CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21633819 FULLDISC 20130501 n.runs-SA-2013.005 - IBM Lotus Notes - arbitrary code execution IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Interim Fix 1 does not block APPLET elements in HTML e-mail, which allows remote attackers to bypass intended restrictions on Java code execution and X-Confirm-Reading-To functionality via a crafted message, aka SPRs JMOY95BLM6 and JMOY95BN49.

cpe:/a:tigertext:tigertext:3.1:-:%7E%7E%7Eiphone_os%7E%7E

CVE-2013-0128

2013-04-04T15:55:01.170-04:00

2013-04-05T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-05T09:01:00.000-04:00

CERT-VN VU#704916 The Contact Customer Support feature in the TigerText Free Private Texting app before 3.1.402 for iOS sends a log-file e-mail message with unencrypted credentials, which allows remote attackers to obtain sensitive information by sniffing the network or leveraging access to an e-mail endpoint.

cpe:/a:pd-admin:pd-admin:4.16

CVE-2013-0129

2013-04-19T07:44:10.950-04:00

2013-04-22T00:00:00.000-04:00

3.5

NETWORK

MEDIUM

SINGLE_INSTANCE

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-22T08:36:00.000-04:00

CERT-VN VU#311644 CONFIRM http://www.pdadmin-forum.de/thread.php?threadid=4051 Multiple cross-site scripting (XSS) vulnerabilities in pd-admin before 4.17 allow remote authenticated users to inject arbitrary web script or HTML via (1) the WebFTP Overview "Create new directory" field or (2) the body of an e-mail autoresponder message.

cpe:/a:coreftp:coreftp:2.2

CVE-2013-0130

2013-03-29T13:42:29.747-04:00

2013-03-29T00:00:00.000-04:00

5.1

NETWORK

HIGH

NONE

PARTIAL

http://nvd.nist.gov

2013-03-29T13:44:00.000-04:00

CERT-VN VU#370868 CONFIRM http://www.coreftp.com/forums/viewtopic.php?t=222102 Multiple buffer overflows in Core FTP before 2.2 build 1769 allow remote FTP servers to execute arbitrary code or cause a denial of service (application crash) via a long directory name in a (1) DELE, (2) LIST, or (3) VIEW command.

cpe:/a:nvidia:gpu_driver:304.00:-:%7E%7Eesx%7E%7E%7E cpe:/a:nvidia:gpu_driver:310.00:-:%7E%7Efreebsd%7E%7E%7E cpe:/a:nvidia:gpu_driver:195.22:-:%7E%7Elinux_kernel%7E%7E%7E cpe:/a:nvidia:gpu_driver:313.00:-:%7E%7Efreebsd%7E%7E%7E cpe:/a:nvidia:gpu_driver:304.00:-:%7E%7Efreebsd%7E%7E%7E cpe:/a:nvidia:gpu_driver:310.00:-:%7E%7Eesx%7E%7E%7E cpe:/a:nvidia:gpu_driver:313.00:-:%7E%7Eesx%7E%7E%7E cpe:/a:nvidia:gpu_driver:310.00:-:%7E%7Esunos%7E%7E%7E cpe:/a:nvidia:gpu_driver:313.00:-:%7E%7Esunos%7E%7E%7E cpe:/a:nvidia:gpu_driver:304.00:-:%7E%7Elinux_kernel%7E%7E%7E cpe:/a:nvidia:gpu_driver:304.00:-:%7E%7Esunos%7E%7E%7E cpe:/a:nvidia:gpu_driver:310.00:-:%7E%7Elinux_kernel%7E%7E%7E cpe:/a:nvidia:gpu_driver:195.22:-:%7E%7Esunos%7E%7E%7E cpe:/a:nvidia:gpu_driver:195.22:-:%7E%7Efreebsd%7E%7E%7E cpe:/a:nvidia:gpu_driver:195.22:-:%7E%7Eesx%7E%7E%7E cpe:/a:nvidia:gpu_driver:313.00:-:%7E%7Elinux_kernel%7E%7E%7E

CVE-2013-0131

2013-04-08T12:55:02.127-04:00

2013-04-09T00:00:00.000-04:00

7.1

NETWORK

HIGH

SINGLE_INSTANCE

COMPLETE

http://nvd.nist.gov

2013-04-09T10:31:00.000-04:00

CERT-VN VU#771620 CONFIRM http://www.nvidia.com/object/product-security.html CONFIRM http://nvidia.custhelp.com/app/answers/detail/a_id/3290 Buffer overflow in the NVIDIA GPU driver before 304.88, 310.x before 310.44, and 313.x before 313.30 for the X Window System on UNIX, when NoScanout mode is enabled, allows remote authenticated users to execute arbitrary code via a large ARGB cursor.

cpe:/a:parallels:parallels_plesk_panel:11.0.9

CVE-2013-0132

2013-04-18T14:55:01.583-04:00

2013-04-19T00:00:00.000-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-04-19T08:05:00.000-04:00

CERT-VN VU#310500 The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables.

cpe:/a:parallels:parallels_plesk_panel:11.0.9

CVE-2013-0133

2013-04-18T14:55:03.803-04:00

2013-04-19T00:00:00.000-04:00

7.2

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-04-19T08:11:00.000-04:00

CERT-VN VU#310500 Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable.

cpe:/a:airdroid:airdroid:-

CVE-2013-0134

2013-04-08T23:34:53.260-04:00

2013-04-09T11:22:47.260-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-09T11:21:00.000-04:00

CERT-VN VU#557252 Cross-site scripting (XSS) vulnerability in the web interface in AirDroid allows remote attackers to inject arbitrary web script or HTML via a crafted text message that is transmitted by a managed phone.

cpe:/a:chatelao:php_address_book:8.2.5

CVE-2013-0135

2013-04-08T23:34:53.650-04:00

2013-04-09T23:46:32.707-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-04-09T11:21:00.000-04:00

CERT-VN VU#183692 MISC http://www.acadion.nl/labs/advisory/20130203-phpaddressbook.html Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.

cpe:/a:mutiny:mutiny_virtual_appliance:- cpe:/a:mutiny:mutiny:5.0-1.00 cpe:/a:mutiny:mutiny:5.0-1.10 cpe:/h:mutiny:mutiny_appliance:-

CVE-2013-0136

2013-06-01T10:21:05.813-04:00

2013-06-03T00:00:00.000-04:00

8.5

NETWORK

MEDIUM

SINGLE_INSTANCE

COMPLETE

http://nvd.nist.gov

2013-06-03T10:36:00.000-04:00

CERT-VN VU#701572 MISC https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities Multiple directory traversal vulnerabilities in the EditDocument servlet in the Frontend in Mutiny before 5.0-1.11 allow remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service (file deletion or renaming) via (1) the uploadPath parameter in an UPLOAD operation; the paths[] parameter in a (2) DELETE, (3) CUT, or (4) COPY operation; or the newPath parameter in a (5) CUT or (6) COPY operation.

cpe:/a:bitberry_software:bitzipper:2013

CVE-2013-0138

2013-04-21T23:27:13.010-04:00

2013-04-22T00:00:00.000-04:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-04-22T10:32:00.000-04:00

CONFIRM http://www.kb.cert.org/vuls/id/BLUU-95GP23 CERT-VN VU#880916 BitZipper 2013 before Update 1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted ZIP archive.

cpe:/h:arecont:vision_av1355dn_megadome_camera:-

CVE-2013-0139

2013-04-18T14:55:03.827-04:00

2013-04-19T00:00:00.000-04:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-04-19T08:19:00.000-04:00

CERT-VN VU#375180 The Arecont Vision AV1355DN MegaDome camera allows remote attackers to cause a denial of service (video-capture outage) via a packet to UDP port 69.

cpe:/a:mcafee:epolicy_orchestrator:3.5.0 cpe:/a:mcafee:epolicy_orchestrator:4.6.3 cpe:/a:mcafee:epolicy_orchestrator:3.6.1 cpe:/a:mcafee:epolicy_orchestrator:3.6.0 cpe:/a:mcafee:epolicy_orchestrator:3.0 cpe:/a:mcafee:epolicy_orchestrator:2.5.1 cpe:/a:mcafee:epolicy_orchestrator:2.5:sp1 cpe:/a:mcafee:epolicy_orchestrator:4.6.5 cpe:/a:mcafee:epolicy_orchestrator:4.6.2 cpe:/a:mcafee:epolicy_orchestrator:4.6.1 cpe:/a:mcafee:epolicy_orchestrator:4.5.0 cpe:/a:mcafee:epolicy_orchestrator:2.0 cpe:/a:mcafee:epolicy_orchestrator:4.5.5 cpe:/a:mcafee:epolicy_orchestrator:4.6.0 cpe:/a:mcafee:epolicy_orchestrator:4.5.3 cpe:/a:mcafee:epolicy_orchestrator:4.5.4 cpe:/a:mcafee:epolicy_orchestrator:4.6.4 cpe:/a:mcafee:epolicy_orchestrator:4.5.6 cpe:/a:mcafee:epolicy_orchestrator:2.5 cpe:/a:mcafee:epolicy_orchestrator:3.0:sp2a cpe:/a:mcafee:epolicy_orchestrator:4.0

CVE-2013-0140

2013-05-01T08:00:07.827-04:00

2013-05-01T12:47:41.977-04:00

7.9

ADJACENT_NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-05-01T08:53:00.000-04:00

CERT-VN VU#209131 CONFIRM https://kc.mcafee.com/corporate/index?page=content&id=SB10042 SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication channel.

CVE-2013-0141

2013-05-01T08:00:07.850-04:00

2013-05-01T00:00:00.000-04:00

4.3

ADJACENT_NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-05-01T08:57:00.000-04:00

CERT-VN VU#209131 CONFIRM https://kc.mcafee.com/corporate/index?page=content&id=SB10042 Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing to the Software/ directory.

cpe:/a:qnap:surveillance_station_pro:- cpe:/h:qnap:viostor_network_video_recorder:- cpe:/o:qnap:viostor_network_video_recorder:4.0.3 cpe:/h:qnap:nas:-

CVE-2013-0142

2013-06-07T16:55:01.317-04:00

2013-06-10T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-06-10T09:03:00.000-04:00

CERT-VN VU#927644 QNAP VioStor NVR devices with firmware 4.0.3, and the Surveillance Station Pro component in QNAP NAS, have a hardcoded guest account, which allows remote attackers to obtain web-server login access via unspecified vectors.

cpe:/a:qnap:surveillance_station_pro:- cpe:/h:qnap:viostor_network_video_recorder:- cpe:/o:qnap:viostor_network_video_recorder:4.0.3 cpe:/h:qnap:nas:-

CVE-2013-0143

2013-06-07T16:55:01.347-04:00

2013-06-10T00:00:00.000-04:00

6.5

NETWORK

LOW

SINGLE_INSTANCE

PARTIAL

http://nvd.nist.gov

2013-06-10T09:13:00.000-04:00

CERT-VN VU#927644 cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string.

cpe:/h:qnap:viostor_network_video_recorder:- cpe:/o:qnap:viostor_network_video_recorder:4.0.3

CVE-2013-0144

2013-06-07T16:55:01.370-04:00

2013-06-10T09:19:57.060-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-06-10T09:16:00.000-04:00

CERT-VN VU#927644 Cross-site request forgery (CSRF) vulnerability in cgi-bin/create_user.cgi on QNAP VioStor NVR devices with firmware 4.0.3 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a NEW USER action.

cpe:/a:vercot:serva32:2.1.0

CVE-2013-0145

2013-05-20T10:44:34.263-04:00

2013-05-23T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-05-20T11:22:00.000-04:00

CERT-VN VU#127108 Buffer overflow in the TFTPD service in Serva32 2.1.0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in a read request.

CVE-2013-0148

2013-06-16T13:55:00.987-04:00

CERT-VN VU#900031 The Data Camouflage (aka Faircom Standard Encryption) algorithm in Faircom c-treeACE does not ensure that a decryption key is needed for accessing database contents, which allows context-dependent attackers to read cleartext database records by copying a database to another system that has a certain default configuration.

cpe:/o:xen:xen:4.2.0:-:%7E%7E%7E%7Ex86%7E cpe:/o:xen:xen:4.2.1:-:%7E%7E%7E%7Ex86%7E

CVE-2013-0151

2013-03-07T00:04:42.060-05:00

2013-03-07T00:00:00.000-05:00

4.6

ADJACENT_NETWORK

HIGH

NONE

COMPLETE

http://nvd.nist.gov

2013-03-07T10:32:00.000-05:00

CONFIRM http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=d60d7082289a74e44b3dc8f67df46c3404ca08bf MLIST [oss-security] 20130122 Xen Security Advisory 34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nested virtualization) operations, which allows guest OS users to cause a denial of service (long-duration page mappings and host OS crash) by leveraging administrative access to an HVM guest in a domain with a large number of VCPUs.

cpe:/o:xen:xen:4.2.0

CVE-2013-0152

2013-02-12T20:55:03.247-05:00

2013-02-13T00:00:00.000-05:00

4.7

LOCAL

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:02:00.000-05:00

SECTRACK 1028032 MLIST [oss-security] 20130123 Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled.

cpe:/o:xen:xen:4.2.0 cpe:/o:xen:xen:4.2.1 cpe:/o:xen:xen:4.1.4 cpe:/o:xen:xen:4.1.3 cpe:/o:xen:xen:4.1.2 cpe:/o:xen:xen:3.3.0 cpe:/o:xen:xen:4.1.1 cpe:/o:xen:xen:4.1.0

CVE-2013-0153

2013-02-14T17:55:02.653-05:00

2013-06-04T23:40:32.490-04:00

4.7

LOCAL

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-15T09:20:00.000-05:00

XF xen-amdiommu-dos(81831) BID 57745 MLIST [oss-security] 20130205 Xen Security Advisory 36 (CVE-2013-0153) - interrupt remap entries shared and old ones not cleared on AMD IOMMUs DEBIAN DSA-2636 SECUNIA 51881 REDHAT RHSA-2013:0847 OSVDB 89867 SUSE openSUSE-SU-2013:0637 SUSE openSUSE-SU-2013:0636 The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.

cpe:/o:xen:xen:4.2.0

CVE-2013-0154

2013-01-11T23:33:49.337-05:00

2013-05-14T23:33:51.427-04:00

1.9

LOCAL

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-01-14T13:06:00.000-05:00

XF xen-hypercall-dos(80977) SECTRACK 1027937 BID 57159 MLIST [oss-security] 20130104 Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only) CONFIRM http://seclists.org/oss-sec/2013/q1/att-17/xsa37-4_2.patch OSVDB 88913 SUSE openSUSE-SU-2013:0637 SUSE openSUSE-SU-2013:0636 The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall.

cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.9 cpe:/a:rubyonrails:ruby_on_rails:3.0.17 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc cpe:/a:rubyonrails:ruby_on_rails:3.2.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.7 cpe:/a:rubyonrails:ruby_on_rails:3.1.7 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:beta1 cpe:/a:rubyonrails:ruby_on_rails:3.1.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.1:pre cpe:/a:rubyonrails:ruby_on_rails:3.0.9 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.6 cpe:/a:rubyonrails:ruby_on_rails:3.1.5 cpe:/a:rubyonrails:ruby_on_rails:3.0.13 cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.5:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.0.4 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.0.16 cpe:/a:rubyonrails:ruby_on_rails:3.0.1 cpe:/a:rubyonrails:ruby_on_rails:3.1.9 cpe:/a:rubyonrails:ruby_on_rails:3.2.8 cpe:/a:rubyonrails:ruby_on_rails:3.2.6 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.2.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc7 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.13:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.14 cpe:/a:rubyonrails:ruby_on_rails:3.2.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc6 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.5:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.4:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.10 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta2 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.5 cpe:/a:rubyonrails:ruby_on_rails:3.0.12 cpe:/a:rubyonrails:ruby_on_rails:3.2.5 cpe:/a:rubyonrails:ruby_on_rails:3.0.18 cpe:/a:rubyonrails:ruby_on_rails:3.1.1 cpe:/a:rubyonrails:ruby_on_rails:3.2.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta3 cpe:/a:rubyonrails:ruby_on_rails:3.0.2:pre cpe:/a:rubyonrails:ruby_on_rails:3.1.8 cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc5 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc8 cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.12:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.3 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.1.3 cpe:/a:rubyonrails:ruby_on_rails:3.0.8 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.10:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.2.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.11 cpe:/a:rubyonrails:ruby_on_rails:3.0.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.6 cpe:/a:rubyonrails:ruby_on_rails:3.2.10 cpe:/a:rubyonrails:ruby_on_rails:3.2.7 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta4 cpe:/a:rubyonrails:ruby_on_rails:3.0.3 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc5 cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc cpe:/a:rubyonrails:ruby_on_rails:3.2.4:rc1

CVE-2013-0155

2013-01-13T17:55:00.900-05:00

2013-06-05T23:24:21.297-04:00

6.4

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-14T13:58:00.000-05:00

MLIST [rubyonrails-security] 20130108 Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155) DEBIAN DSA-2609 CONFIRM http://support.apple.com/kb/HT5784 REDHAT RHSA-2013:0155 REDHAT RHSA-2013:0154 APPLE APPLE-SA-2013-06-04-1 MISC http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.

cpe:/a:rubyonrails:ruby_on_rails:1.2.2 cpe:/a:rubyonrails:ruby_on_rails:3.2.9 cpe:/a:rubyonrails:ruby_on_rails:2.1.0 cpe:/a:rubyonrails:ruby_on_rails:0.11.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc cpe:/a:rubyonrails:ruby_on_rails:0.6.5 cpe:/a:rubyonrails:ruby_on_rails:2.3.14 cpe:/a:rubyonrails:ruby_on_rails:0.10.1 cpe:/a:rubyonrails:ruby_on_rails:3.1.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc2 cpe:/a:rubyonrails:ruby_on_rails:2.3.10 cpe:/a:rubyonrails:ruby_on_rails:3.0.9 cpe:/a:rubyonrails:ruby_on_rails:2.2.2 cpe:/a:rubyonrails:ruby_on_rails:0.5.7 cpe:/a:rubyonrails:ruby_on_rails:0.14.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc3 cpe:/a:rubyonrails:ruby_on_rails:0.8.0 cpe:/a:rubyonrails:ruby_on_rails:1.2.4 cpe:/a:rubyonrails:ruby_on_rails:1.2.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.16 cpe:/a:rubyonrails:ruby_on_rails:3.1.9 cpe:/a:rubyonrails:ruby_on_rails:3.2.8 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc4 cpe:/a:rubyonrails:ruby_on_rails:0.9.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc7 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:2.3.9 cpe:/a:rubyonrails:ruby_on_rails:3.0.14 cpe:/a:rubyonrails:ruby_on_rails:3.2.0 cpe:/a:rubyonrails:ruby_on_rails:0.13.0 cpe:/a:rubyonrails:ruby_on_rails:0.14.3 cpe:/a:rubyonrails:ruby_on_rails:3.1.4:rc1 cpe:/a:rubyonrails:ruby_on_rails:1.1.3 cpe:/a:rubyonrails:ruby_on_rails:0.9.1 cpe:/a:rubyonrails:ruby_on_rails:1.2.3 cpe:/a:rubyonrails:ruby_on_rails:3.0.10 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta cpe:/a:rubyonrails:ruby_on_rails:2.2.0 cpe:/a:rubyonrails:ruby_on_rails:0.14.4 cpe:/a:rubyonrails:ruby_on_rails:2.2.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.12 cpe:/a:rubyonrails:ruby_on_rails:0.9.3 cpe:/a:rubyonrails:ruby_on_rails:2.0.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.1 cpe:/a:rubyonrails:ruby_on_rails:1.1.4 cpe:/a:rubyonrails:ruby_on_rails:0.12.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta3 cpe:/a:rubyonrails:ruby_on_rails:3.1.8 cpe:/a:rubyonrails:ruby_on_rails:3.0.2:pre cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc5 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc8 cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc1 cpe:/a:rubyonrails:ruby_on_rails:1.1.6 cpe:/a:rubyonrails:ruby_on_rails:0.14.1 cpe:/a:rubyonrails:ruby_on_rails:0.13.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.12:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:0.7.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.10:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.11 cpe:/a:rubyonrails:ruby_on_rails:3.0.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.6 cpe:/a:rubyonrails:ruby_on_rails:3.2.10 cpe:/a:rubyonrails:ruby_on_rails:3.2.7 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta4 cpe:/a:rubyonrails:ruby_on_rails:1.1.5 cpe:/a:rubyonrails:ruby_on_rails:2.0.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:1.2.6 cpe:/a:rubyonrails:ruby_on_rails:0.11.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc5 cpe:/a:rubyonrails:ruby_on_rails:1.2.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc cpe:/a:rubyonrails:ruby_on_rails:1.1.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:0.9.4.1 cpe:/a:rubyonrails:ruby_on_rails:2.0.4 cpe:/a:rubyonrails:ruby_on_rails:3.0.17 cpe:/a:rubyonrails:ruby_on_rails:3.2.2 cpe:/a:rubyonrails:ruby_on_rails:3.1.7 cpe:/a:rubyonrails:ruby_on_rails:3.0.7 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:beta1 cpe:/a:rubyonrails:ruby_on_rails:1.1.1 cpe:/a:rubyonrails:ruby_on_rails:2.3.4 cpe:/a:rubyonrails:ruby_on_rails:3.0.1:pre cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc3 cpe:/a:rubyonrails:ruby_on_rails:2.0.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.6 cpe:/a:rubyonrails:ruby_on_rails:1.2.5 cpe:/a:rubyonrails:ruby_on_rails:3.1.5 cpe:/a:rubyonrails:ruby_on_rails:0.9.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.13 cpe:/a:rubyonrails:ruby_on_rails:0.12.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.5:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.0.4 cpe:/a:rubyonrails:ruby_on_rails:2.3.12 cpe:/a:rubyonrails:ruby_on_rails:3.0.1 cpe:/a:rubyonrails:ruby_on_rails:2.1.2 cpe:/a:rubyonrails:ruby_on_rails:3.2.6 cpe:/a:rubyonrails:ruby_on_rails:2.0.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.4 cpe:/a:rubyonrails:ruby_on_rails:3.0.13:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc1 cpe:/a:rubyonrails:ruby_on_rails:0.8.5 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc6 cpe:/a:rubyonrails:ruby_on_rails:0.5.6 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc1 cpe:/a:rubyonrails:ruby_on_rails:2.3.13 cpe:/a:rubyonrails:ruby_on_rails:3.1.5:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.0 cpe:/a:rubyonrails:ruby_on_rails:0.5.5 cpe:/a:rubyonrails:ruby_on_rails:1.0.0 cpe:/a:rubyonrails:ruby_on_rails:2.1 cpe:/a:rubyonrails:ruby_on_rails:3.1.2 cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta2 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.0.5 cpe:/a:rubyonrails:ruby_on_rails:2.3.11 cpe:/a:rubyonrails:ruby_on_rails:3.2.5 cpe:/a:rubyonrails:ruby_on_rails:0.9.4 cpe:/a:rubyonrails:ruby_on_rails:3.0.18 cpe:/a:rubyonrails:ruby_on_rails:3.2.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.0.0 cpe:/a:rubyonrails:ruby_on_rails:1.1.2 cpe:/a:rubyonrails:ruby_on_rails:2.0.1 cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.3 cpe:/a:rubyonrails:ruby_on_rails:2.3.2 cpe:/a:rubyonrails:ruby_on_rails:3.1.3 cpe:/a:rubyonrails:ruby_on_rails:3.0.8 cpe:/a:rubyonrails:rails:1.2.4 cpe:/a:rubyonrails:ruby_on_rails:2.3.3 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.2.1 cpe:/a:rubyonrails:ruby_on_rails:1.9.5 cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc1 cpe:/a:rubyonrails:ruby_on_rails:0.5.0 cpe:/a:rubyonrails:ruby_on_rails:3.0.3 cpe:/a:rubyonrails:ruby_on_rails:0.10.0 cpe:/a:rubyonrails:ruby_on_rails:0.6.0 cpe:/a:rubyonrails:ruby_on_rails:2.1.1 cpe:/a:rubyonrails:ruby_on_rails:3.2.4:rc1

CVE-2013-0156

2013-01-13T17:55:00.947-05:00

2013-05-20T23:22:30.360-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-01-14T13:36:00.000-05:00

CERT-VN VU#628463 CERT-VN VU#380039 MLIST [rubyonrails-security] 20130108 Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156) MISC https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156 MISC http://www.insinuator.net/2013/01/rails-yaml/ DEBIAN DSA-2604 CONFIRM http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/ REDHAT RHSA-2013:0155 REDHAT RHSA-2013:0154 REDHAT RHSA-2013:0153 APPLE APPLE-SA-2013-03-14-1 MISC http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

cpe:/a:cloudbees:jenkins:1.428 cpe:/a:cloudbees:jenkins:1.447.2.2:-:enterprise cpe:/a:cloudbees:jenkins:1.421 cpe:/a:cloudbees:jenkins:1.425 cpe:/a:cloudbees:jenkins:1.447.1.1:-:enterprise cpe:/a:cloudbees:jenkins:1.447:-:lts cpe:/a:cloudbees:jenkins:1.424.1:-:lts cpe:/a:cloudbees:jenkins:1.427 cpe:/a:cloudbees:jenkins:1.424:-:lts cpe:/a:cloudbees:jenkins:1.408 cpe:/a:cloudbees:jenkins:1.424.4:-:lts cpe:/a:cloudbees:jenkins:1.466.2.1:-:enterprise cpe:/a:cloudbees:jenkins:1.436 cpe:/a:cloudbees:jenkins:1.416 cpe:/a:cloudbees:jenkins:1.430 cpe:/a:cloudbees:jenkins:1.419 cpe:/a:cloudbees:jenkins:1.424.6:-:lts cpe:/a:cloudbees:jenkins:1.414 cpe:/a:cloudbees:jenkins:1.424.3:-:lts cpe:/a:cloudbees:jenkins:1.415 cpe:/a:cloudbees:jenkins:1.410 cpe:/a:cloudbees:jenkins:1.418 cpe:/a:cloudbees:jenkins:1.431 cpe:/a:cloudbees:jenkins:1.422 cpe:/a:cloudbees:jenkins:1.424 cpe:/a:cloudbees:jenkins:1.466.1.2:-:enterprise cpe:/a:cloudbees:jenkins:1.434 cpe:/a:cloudbees:jenkins:1.432 cpe:/a:cloudbees:jenkins:1.409.2:-:lts cpe:/a:cloudbees:jenkins:1.406 cpe:/a:cloudbees:jenkins:1.402 cpe:/a:cloudbees:jenkins:1.401 cpe:/a:cloudbees:jenkins:1.433 cpe:/a:cloudbees:jenkins:1.437 cpe:/a:cloudbees:jenkins:1.420 cpe:/a:cloudbees:jenkins:1.423 cpe:/a:cloudbees:jenkins:1.480.3.1 cpe:/a:cloudbees:jenkins:1.429 cpe:/a:cloudbees:jenkins:1.417 cpe:/a:cloudbees:jenkins:1.400 cpe:/a:cloudbees:jenkins:1.466.1:-:lts cpe:/a:cloudbees:jenkins:1.435 cpe:/a:cloudbees:jenkins:1.447.1:-:lts cpe:/a:cloudbees:jenkins:1.409.1::lts cpe:/a:cloudbees:jenkins:1.400:-:lts cpe:/a:cloudbees:jenkins:1.424.2:-:lts cpe:/a:cloudbees:jenkins:1.447.2:-:lts cpe:/a:cloudbees:jenkins:1.409 cpe:/a:cloudbees:jenkins:1.409.3:-:lts cpe:/a:cloudbees:jenkins:1.411 cpe:/a:cloudbees:jenkins:1.405 cpe:/a:cloudbees:jenkins:1.447.3.1:-:enterprise cpe:/a:cloudbees:jenkins:1.404 cpe:/a:cloudbees:jenkins:1.466.2:-:lts cpe:/a:cloudbees:jenkins:1.407 cpe:/a:cloudbees:jenkins:1.424.5:-:lts cpe:/a:cloudbees:jenkins:1.413 cpe:/a:cloudbees:jenkins:1.409.2::lts cpe:/a:cloudbees:jenkins:1.403 cpe:/a:cloudbees:jenkins:1.426 cpe:/a:cloudbees:jenkins:1.412 cpe:/a:cloudbees:jenkins:1.409.1:-:lts

CVE-2013-0158

2013-02-24T17:55:01.253-05:00

2013-02-26T00:00:00.000-05:00

2.6

NETWORK

HIGH

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-25T15:17:00.000-05:00

CONFIRM https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 CONFIRM https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2 CONFIRM https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd CONFIRM https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602 CONFIRM https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5 CONFIRM https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04 MISC https://bugzilla.redhat.com/show_bug.cgi?id=892795 MLIST [oss-security] 20130107 Re: CVE Request: Jenkins possible remote code execution CONFIRM http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb REDHAT RHSA-2013:0220 Unspecified vulnerability in CloudBees Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

cpe:/o:linux:linux_kernel:3.3.5 cpe:/o:linux:linux_kernel:3.0:rc4 cpe:/o:linux:linux_kernel:3.2.7 cpe:/o:linux:linux_kernel:3.0.32 cpe:/o:linux:linux_kernel:3.5.7 cpe:/o:linux:linux_kernel:3.5.4 cpe:/o:linux:linux_kernel:3.2.3 cpe:/o:linux:linux_kernel:3.7.8 cpe:/o:linux:linux_kernel:3.4.23 cpe:/o:linux:linux_kernel:3.2.26 cpe:/o:linux:linux_kernel:3.0.26 cpe:/o:linux:linux_kernel:3.4.13 cpe:/o:linux:linux_kernel:3.0.40 cpe:/o:linux:linux_kernel:3.6.9 cpe:/o:linux:linux_kernel:3.3.2 cpe:/o:linux:linux_kernel:3.7 cpe:/o:linux:linux_kernel:3.3.6 cpe:/o:linux:linux_kernel:3.0.16 cpe:/o:linux:linux_kernel:3.0.24 cpe:/o:linux:linux_kernel:3.4.22 cpe:/o:linux:linux_kernel:3.2.11 cpe:/o:linux:linux_kernel:3.1.4 cpe:/o:linux:linux_kernel:3.3:rc2 cpe:/o:linux:linux_kernel:3.0.39 cpe:/o:linux:linux_kernel:3.7.4 cpe:/o:linux:linux_kernel:3.4.16 cpe:/o:linux:linux_kernel:3.5.2 cpe:/o:linux:linux_kernel:3.3:rc3 cpe:/o:linux:linux_kernel:3.0.17 cpe:/o:linux:linux_kernel:3.0.27 cpe:/o:linux:linux_kernel:3.0.20 cpe:/o:linux:linux_kernel:3.1:rc3 cpe:/o:linux:linux_kernel:3.2.6 cpe:/o:linux:linux_kernel:3.4.9 cpe:/o:linux:linux_kernel:3.4.3 cpe:/o:linux:linux_kernel:3.0:rc1 cpe:/o:linux:linux_kernel:3.0.41 cpe:/o:linux:linux_kernel:3.7.7 cpe:/o:linux:linux_kernel:3.0.37 cpe:/o:linux:linux_kernel:3.1.9 cpe:/o:linux:linux_kernel:3.0.31 cpe:/o:linux:linux_kernel:3.0.38 cpe:/o:linux:linux_kernel:3.1.6 cpe:/o:linux:linux_kernel:3.4.5 cpe:/o:linux:linux_kernel:3.0:rc5 cpe:/o:linux:linux_kernel:3.2.27 cpe:/o:linux:linux_kernel:3.4.19 cpe:/o:linux:linux_kernel:3.2.15 cpe:/o:linux:linux_kernel:3.0.7 cpe:/o:linux:linux_kernel:3.0.1 cpe:/o:linux:linux_kernel:3.2.17 cpe:/o:linux:linux_kernel:3.0.5 cpe:/o:linux:linux_kernel:3.0.9 cpe:/o:linux:linux_kernel:3.7.6 cpe:/o:linux:linux_kernel:3.0.11 cpe:/o:linux:linux_kernel:3.7.1 cpe:/o:linux:linux_kernel:3.4.12 cpe:/o:linux:linux_kernel:3.0.13 cpe:/o:linux:linux_kernel:3.3.3 cpe:/o:linux:linux_kernel:3.0.34 cpe:/o:linux:linux_kernel:3.2.2 cpe:/o:linux:linux_kernel:3.2:rc5 cpe:/o:linux:linux_kernel:3.2.22 cpe:/o:linux:linux_kernel:3.0.8 cpe:/o:linux:linux_kernel:3.0.4 cpe:/o:linux:linux_kernel:3.2.9 cpe:/o:linux:linux_kernel:3.1:rc4 cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:3.0.42 cpe:/o:linux:linux_kernel:3.1:rc1 cpe:/o:linux:linux_kernel:3.4:rc1 cpe:/o:linux:linux_kernel:3.3 cpe:/o:linux:linux_kernel:3.4.14 cpe:/o:linux:linux_kernel:3.0.21 cpe:/o:linux:linux_kernel:3.2.14 cpe:/o:linux:linux_kernel:3.1.1 cpe:/o:linux:linux_kernel:3.0.22 cpe:/o:linux:linux_kernel:3.2:rc4 cpe:/o:linux:linux_kernel:3.6.10 cpe:/o:linux:linux_kernel:3.4.21 cpe:/o:linux:linux_kernel:3.1 cpe:/o:linux:linux_kernel:3.4.17 cpe:/o:linux:linux_kernel:3.5.6 cpe:/o:linux:linux_kernel:3.1.3 cpe:/o:linux:linux_kernel:3.0.29 cpe:/o:linux:linux_kernel:3.3:rc1 cpe:/o:linux:linux_kernel:3.0.33 cpe:/o:linux:linux_kernel:3.1.2 cpe:/o:linux:linux_kernel:3.2.13 cpe:/o:linux:linux_kernel:3.3:rc6 cpe:/o:linux:linux_kernel:3.3.4 cpe:/o:linux:linux_kernel:3.2.18 cpe:/o:linux:linux_kernel:3.0.12 cpe:/o:linux:linux_kernel:3.2.29 cpe:/o:linux:linux_kernel:3.2.24 cpe:/o:linux:linux_kernel:3.0:rc3 cpe:/o:linux:linux_kernel:3.2.12 cpe:/o:linux:linux_kernel:3.0.19 cpe:/o:linux:linux_kernel:3.0.3 cpe:/o:linux:linux_kernel:3.7.9 cpe:/o:linux:linux_kernel:3.2.25 cpe:/o:linux:linux_kernel:3.2:rc7 cpe:/o:linux:linux_kernel:3.4:rc7 cpe:/o:linux:linux_kernel:3.0.36 cpe:/o:linux:linux_kernel:3.4.4 cpe:/o:linux:linux_kernel:3.2.23 cpe:/o:linux:linux_kernel:3.4:rc6 cpe:/o:linux:linux_kernel:3.2.16 cpe:/o:linux:linux_kernel:3.0.10 cpe:/o:linux:linux_kernel:3.0.35 cpe:/o:linux:linux_kernel:3.5.3 cpe:/o:linux:linux_kernel:3.2:rc6 cpe:/o:linux:linux_kernel:3.1.7 cpe:/o:linux:linux_kernel:3.0.30 cpe:/o:linux:linux_kernel:3.1.5 cpe:/o:linux:linux_kernel:3.4.11 cpe:/o:linux:linux_kernel:3.5.5 cpe:/o:linux:linux_kernel:3.4.10 cpe:/o:linux:linux_kernel:3.2:rc2 cpe:/o:linux:linux_kernel:3.3.1 cpe:/o:linux:linux_kernel:3.6.11 cpe:/o:linux:linux_kernel:3.3:rc4 cpe:/o:linux:linux_kernel:3.0.28 cpe:/o:linux:linux_kernel:3.3:rc7 cpe:/o:linux:linux_kernel:3.3.7 cpe:/o:linux:linux_kernel:3.1.10 cpe:/o:linux:linux_kernel:3.3:rc5 cpe:/o:linux:linux_kernel:3.4.8 cpe:/o:linux:linux_kernel:3.0.14 cpe:/o:linux:linux_kernel:3.7.2 cpe:/o:linux:linux_kernel:3.2:rc3 cpe:/o:linux:linux_kernel:3.0.23 cpe:/o:linux:linux_kernel:3.0:rc2 cpe:/o:linux:linux_kernel:3.4.20 cpe:/o:linux:linux_kernel:3.3.8 cpe:/o:linux:linux_kernel:3.4.2 cpe:/o:linux:linux_kernel:3.0.2 cpe:/o:linux:linux_kernel:3.7.3 cpe:/o:linux:linux_kernel:3.5.1 cpe:/o:linux:linux_kernel:3.1:rc2 cpe:/o:linux:linux_kernel:3.2.30 cpe:/o:linux:linux_kernel:3.0.6 cpe:/o:linux:linux_kernel:3.0.15 cpe:/o:linux:linux_kernel:3.2.1 cpe:/o:linux:linux_kernel:3.0.44 cpe:/o:linux:linux_kernel:3.2.28 cpe:/o:linux:linux_kernel:3.4:rc2 cpe:/o:linux:linux_kernel:3.4.24 cpe:/o:linux:linux_kernel:3.2.8 cpe:/o:linux:linux_kernel:3.4:rc4 cpe:/o:linux:linux_kernel:3.2.5 cpe:/o:linux:linux_kernel:3.4.15 cpe:/o:linux:linux_kernel:3.2.19 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.4.1 cpe:/o:linux:linux_kernel:3.0.43 cpe:/o:linux:linux_kernel:3.0.25 cpe:/o:linux:linux_kernel:3.1.8 cpe:/o:linux:linux_kernel:3.4:rc3 cpe:/o:linux:linux_kernel:3.4.7 cpe:/o:linux:linux_kernel:3.2.4 cpe:/o:linux:linux_kernel:3.2.10 cpe:/o:linux:linux_kernel:3.0.18 cpe:/o:linux:linux_kernel:3.4.6 cpe:/o:linux:linux_kernel:3.4:rc5 cpe:/o:linux:linux_kernel:3.2.20 cpe:/o:linux:linux_kernel:3.2.21 cpe:/o:linux:linux_kernel:3.4.18 cpe:/o:linux:linux_kernel:3.0:rc6 cpe:/o:linux:linux_kernel:3.7.5 cpe:/o:linux:linux_kernel:3.0:rc7

CVE-2013-0160

2013-02-17T23:41:50.277-05:00

2013-06-04T23:40:33.010-04:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-18T11:14:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=892983 MLIST [oss-security] 20130107 Re: /dev/ptmx timing SUSE SUSE-SU-2013:0674 SUSE openSUSE-SU-2013:0395 The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

cpe:/a:ryan_davis:ruby_parser:2.0.2 cpe:/a:ryan_davis:ruby_parser:3.0.1 cpe:/a:ryan_davis:ruby_parser:2.2.0 cpe:/a:ryan_davis:ruby_parser:3.1.0 cpe:/a:ryan_davis:ruby_parser:2.0.0 cpe:/a:ryan_davis:ruby_parser:3.0.4 cpe:/a:ryan_davis:ruby_parser:2.3.0 cpe:/a:ryan_davis:ruby_parser:2.0.1 cpe:/a:ryan_davis:ruby_parser:3.0.0.a6 cpe:/a:ryan_davis:ruby_parser:3.1.1 cpe:/a:ryan_davis:ruby_parser:3.0.0 cpe:/a:ryan_davis:ruby_parser:2.0.5 cpe:/a:ryan_davis:ruby_parser:2.0.4 cpe:/a:ryan_davis:ruby_parser:3.0.0.a5 cpe:/a:ryan_davis:ruby_parser:3.0.0.a10 cpe:/a:ryan_davis:ruby_parser:2.1.0 cpe:/a:ryan_davis:ruby_parser:1.0.0 cpe:/a:ryan_davis:ruby_parser:2.3.1 cpe:/a:ryan_davis:ruby_parser:2.0.3 cpe:/a:ryan_davis:ruby_parser:3.0.3 cpe:/a:ryan_davis:ruby_parser:2.0.6 cpe:/a:ryan_davis:ruby_parser:3.0.0.a3 cpe:/a:ryan_davis:ruby_parser:3.0.0.a7 cpe:/a:ryan_davis:ruby_parser:3.0.2 cpe:/a:ryan_davis:ruby_parser:3.0.0.a2 cpe:/a:ryan_davis:ruby_parser:3.0.0.a8 cpe:/a:ryan_davis:ruby_parser:3.0.0.a4 cpe:/a:ryan_davis:ruby_parser:3.0.0.a9 cpe:/a:ryan_davis:ruby_parser:3.0.0.a1

CVE-2013-0162

2013-03-01T00:40:16.987-05:00

2013-03-01T00:00:00.000-05:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-01T11:32:00.000-05:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=892806 REDHAT RHSA-2013:0548 REDHAT RHSA-2013:0544 The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

cpe:/a:redhat:openshift:1.0:-:enterprise cpe:/a:redhat:openshift_origin:1.0.5

CVE-2013-0164

2013-02-24T17:55:01.300-05:00

2013-02-25T00:00:00.000-05:00

3.6

LOCAL

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-25T15:24:00.000-05:00

CONFIRM https://github.com/openshift/origin-server/pull/1136 CONFIRM https://github.com/openshift/origin-server/commit/524465f70a32d0eb6bf047e6a05c76c22d52bfa2 MISC https://bugzilla.redhat.com/show_bug.cgi?id=893307 REDHAT RHSA-2013:0220 The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

cpe:/a:openssl:openssl:0.9.8m cpe:/a:openssl:openssl:0.9.6a cpe:/a:openssl:openssl:0.9.6:beta2 cpe:/a:openssl:openssl:0.9.8s cpe:/a:openssl:openssl:0.9.8q cpe:/a:openssl:openssl:0.9.6 cpe:/a:openssl:openssl:0.9.7:beta3 cpe:/a:redhat:openssl:0.9.6b-3 cpe:/a:openssl:openssl:0.9.8t cpe:/a:openssl:openssl:0.9.7:beta1 cpe:/a:openssl:openssl:0.9.7k cpe:/a:openssl:openssl:0.9.6h cpe:/a:openssl:openssl:0.9.7 cpe:/a:openssl:openssl:0.9.8r cpe:/a:openssl:openssl:0.9.2b cpe:/a:openssl:openssl:1.0.0e cpe:/a:openssl:openssl:0.9.8h cpe:/a:openssl:openssl:1.0.0 cpe:/a:openssl:openssl:0.9.8f cpe:/a:openssl:openssl:0.9.8o cpe:/a:openssl:openssl:0.9.5:beta1 cpe:/a:openssl:openssl:0.9.8k cpe:/a:openssl:openssl:0.9.7h cpe:/a:openssl:openssl:0.9.7d cpe:/a:openssl:openssl:1.0.1c cpe:/a:openssl:openssl:0.9.6a:beta2 cpe:/a:openssl:openssl:0.9.5a:beta2 cpe:/a:redhat:openssl:0.9.7a-2 cpe:/a:openssl:openssl:0.9.6e cpe:/a:openssl:openssl:0.9.6i cpe:/a:openssl:openssl:0.9.8w cpe:/a:openssl:openssl:0.9.6:beta3 cpe:/a:openssl:openssl:0.9.1c cpe:/a:openssl:openssl:0.9.7e cpe:/a:openssl:openssl:1.0.0c cpe:/a:openssl:openssl:1.0.0h cpe:/a:openssl:openssl:0.9.6d cpe:/a:openssl:openssl:0.9.8e cpe:/a:openssl:openssl:0.9.7f cpe:/a:openssl:openssl:0.9.3 cpe:/a:openssl:openssl:0.9.8v cpe:/a:openssl:openssl:0.9.7i cpe:/a:openssl:openssl:0.9.6a:beta1 cpe:/a:openssl:openssl:1.0.0i cpe:/a:openssl:openssl:1.0.1a cpe:/a:openssl:openssl:0.9.7b cpe:/a:openssl:openssl:1.0.1 cpe:/a:openssl:openssl:0.9.8c cpe:/a:openssl:openssl:0.9.4 cpe:/a:openssl:openssl:1.0.0d cpe:/a:openssl:openssl:0.9.5 cpe:/a:openssl:openssl:0.9.8x cpe:/a:openssl:openssl:0.9.6:beta1 cpe:/a:openssl:openssl:1.0.0a cpe:/a:openssl:openssl:0.9.8l cpe:/a:openssl:openssl:0.9.8m:beta1 cpe:/a:openssl:openssl:0.9.6g cpe:/a:openssl:openssl:0.9.6l cpe:/a:openssl:openssl:0.9.7c cpe:/a:openssl:openssl:0.9.5a:beta1 cpe:/a:openssl:openssl:0.9.8n cpe:/a:openssl:openssl:0.9.6f cpe:/a:openssl:openssl:0.9.8j cpe:/a:openssl:openssl:0.9.6b cpe:/a:openssl:openssl:0.9.6j cpe:/a:openssl:openssl:0.9.6a:beta3 cpe:/a:openssl:openssl:0.9.6c cpe:/a:openssl:openssl:0.9.7:beta5 cpe:/a:openssl:openssl:0.9.8u cpe:/a:openssl:openssl:0.9.8i cpe:/a:openssl:openssl:0.9.5:beta2 cpe:/a:openssl:openssl:0.9.3a cpe:/a:openssl:openssl:0.9.5a cpe:/a:openssl:openssl:0.9.7:beta6 cpe:/a:openssl:openssl:0.9.7g cpe:/a:redhat:openssl:0.9.6-15 cpe:/a:openssl:openssl:0.9.6k cpe:/a:openssl:openssl:0.9.7a cpe:/a:openssl:openssl:1.0.0f cpe:/a:openssl:openssl:0.9.8 cpe:/a:openssl:openssl:0.9.7:beta4 cpe:/a:openssl:openssl:0.9.8p cpe:/a:openssl:openssl:0.9.8a cpe:/a:openssl:openssl:1.0.0g cpe:/a:openssl:openssl:0.9.8b cpe:/a:openssl:openssl:0.9.7l cpe:/a:openssl:openssl:0.9.6m cpe:/a:openssl:openssl:0.9.7j cpe:/a:openssl:openssl:0.9.7m cpe:/a:openssl:openssl:0.9.8g cpe:/a:openssl:openssl:0.9.8d cpe:/a:openssl:openssl:1.0.0j cpe:/a:openssl:openssl:1.0.1b cpe:/a:openssl:openssl:1.0.0b cpe:/a:openssl:openssl:0.9.7:beta2

CVE-2013-0166

2013-02-08T14:55:00.967-05:00

2013-06-04T23:40:33.357-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-11T09:38:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=908052 CONFIRM http://www.openssl.org/news/secadv_20130204.txt DEBIAN DSA-2621 REDHAT RHSA-2013:0783 REDHAT RHSA-2013:0782 REDHAT RHSA-2013:0587 HP HPSBUX02856 HP SSRT101104 CONFIRM http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ebc71865f0506a293242bd4aec97cdc7a8ef24b0 CONFIRM http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=66e8211c0b1347970096e04b18aa52567c325200 CONFIRM http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7 OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.

cpe:/a:redhat:enterprise_virtualization_manager:3.0 cpe:/a:redhat:enterprise_virtualization_manager:2.1 cpe:/a:redhat:enterprise_virtualization_manager:2.2.3 cpe:/a:redhat:enterprise_virtualization_manager:2.2 cpe:/a:redhat:enterprise_virtualization_manager:3.1

CVE-2013-0168

2013-03-12T19:55:01.667-04:00

2013-03-19T00:00:00.000-04:00

4.0

NETWORK

LOW

SINGLE_INSTANCE

NONE

PARTIAL

http://nvd.nist.gov

2013-03-19T10:06:00.000-04:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=893355 XF entreprise-movedisk-dos(81834) SECTRACK 1028076 BID 57750 REDHAT RHSA-2013:0211 The MoveDisk command in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier does not properly check permissions on storage domains, which allows remote authenticated storage admins to cause a denial of service (free space consumption of other storage domains) via unspecified vectors.

cpe:/a:openssl:openssl:0.9.8m cpe:/a:polarssl:polarssl:1.1.0 cpe:/a:openssl:openssl:0.9.8q cpe:/a:openssl:openssl:0.9.8s cpe:/a:polarssl:polarssl:1.1.2 cpe:/a:openssl:openssl:0.9.8t cpe:/a:polarssl:polarssl:1.0.0 cpe:/a:oracle:openjdk:1.8.0 cpe:/a:openssl:openssl:0.9.8r cpe:/a:polarssl:polarssl:1.1.3 cpe:/a:openssl:openssl:0.9.8h cpe:/a:openssl:openssl:1.0.0e cpe:/a:openssl:openssl:1.0.0 cpe:/a:polarssl:polarssl:0.12.0 cpe:/a:openssl:openssl:0.9.8f cpe:/a:openssl:openssl:0.9.8o cpe:/a:polarssl:polarssl:0.99:pre1 cpe:/a:openssl:openssl:0.9.8k cpe:/a:openssl:openssl:1.0.1c cpe:/a:openssl:openssl:0.9.8w cpe:/a:oracle:openjdk:1.7.0 cpe:/a:polarssl:polarssl:0.14.3 cpe:/a:polarssl:polarssl:0.99:pre4 cpe:/a:polarssl:polarssl:0.99:pre5 cpe:/a:openssl:openssl:1.0.0c cpe:/a:openssl:openssl:0.9.8v cpe:/a:openssl:openssl:1.0.0i cpe:/a:openssl:openssl:1.0.1a cpe:/a:openssl:openssl:1.0.1 cpe:/a:polarssl:polarssl:0.14.0 cpe:/a:openssl:openssl:0.9.8c cpe:/a:openssl:openssl:1.0.0d cpe:/a:polarssl:polarssl:0.12.1 cpe:/a:polarssl:polarssl:0.10.1 cpe:/a:openssl:openssl:0.9.8x cpe:/a:polarssl:polarssl:1.1.4 cpe:/a:openssl:openssl:1.0.0a cpe:/a:openssl:openssl:0.9.8l cpe:/a:polarssl:polarssl:0.11.0 cpe:/a:openssl:openssl:0.9.8n cpe:/a:polarssl:polarssl:0.11.1 cpe:/a:openssl:openssl:0.9.8j cpe:/a:polarssl:polarssl:0.13.1 cpe:/a:openssl:openssl:0.9.8u cpe:/a:openssl:openssl:0.9.8i cpe:/a:polarssl:polarssl:1.1.0:rc1 cpe:/a:polarssl:polarssl:0.14.2 cpe:/a:openssl:openssl:0.9.8 cpe:/a:openssl:openssl:1.0.0f cpe:/a:openssl:openssl:0.9.8p cpe:/a:openssl:openssl:0.9.8a cpe:/a:openssl:openssl cpe:/a:polarssl:polarssl:0.99:pre3 cpe:/a:openssl:openssl:1.0.0g cpe:/a:openssl:openssl:0.9.8b cpe:/a:polarssl:polarssl:1.1.0:rc0 cpe:/a:polarssl:polarssl:1.1.1 cpe:/a:polarssl:polarssl:0.10.0 cpe:/a:openssl:openssl:0.9.8g cpe:/a:oracle:openjdk:1.6.0 cpe:/a:openssl:openssl:0.9.8d cpe:/a:openssl:openssl:1.0.0j cpe:/a:oracle:openjdk:- cpe:/a:openssl:openssl:1.0.1b cpe:/a:openssl:openssl:1.0.0b

CVE-2013-0169

2013-02-08T14:55:01.030-05:00

2013-06-04T23:40:33.597-04:00

2.6

NETWORK

HIGH

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-11T10:04:00.000-05:00

CERT TA13-051A CONFIRM https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released UBUNTU USN-1735-1 CONFIRM http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html CONFIRM http://www.openssl.org/news/secadv_20130204.txt CONFIRM http://www.matrixssl.org/news.html MISC http://www.isg.rhul.ac.uk/tls/TLStiming.pdf DEBIAN DSA-2622 DEBIAN DSA-2621 REDHAT RHSA-2013:0783 REDHAT RHSA-2013:0782 REDHAT RHSA-2013:0587 MLIST [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations HP SSRT101184 HP HPSBMU02874 HP HPSBUX02857 HP SSRT101103 HP HPSBUX02856 HP SSRT101104 SUSE openSUSE-SU-2013:0378 SUSE openSUSE-SU-2013:0375 SUSE SUSE-SU-2013:0328 The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

cpe:/a:redhat:libvirt:0.10.2.2 cpe:/a:redhat:libvirt::0.9.11.4 cpe:/a:redhat:libvirt:0.10.2.1 cpe:/a:redhat:libvirt::0.9.11 cpe:/a:redhat:libvirt::0.9.11.8 cpe:/a:redhat:libvirt::0.9.11.3 cpe:/a:redhat:libvirt:0.9.6.1 cpe:/a:redhat:libvirt::0.9.11.7 cpe:/a:redhat:libvirt:1.0.0 cpe:/a:redhat:libvirt::0.9.11.2 cpe:/a:redhat:libvirt:0.10.2 cpe:/a:redhat:libvirt::0.9.11.1 cpe:/a:redhat:libvirt:1.0.1 cpe:/a:redhat:libvirt:0.9.6.2 cpe:/a:redhat:libvirt:0.9.6 cpe:/a:redhat:libvirt::0.9.11.5 cpe:/a:redhat:libvirt:0.9.6.3 cpe:/a:redhat:libvirt::0.9.11.6

CVE-2013-0170

2013-02-08T15:55:01.297-05:00

2013-03-07T23:11:31.173-05:00

9.3

NETWORK

MEDIUM

NONE

COMPLETE

http://nvd.nist.gov

2013-02-11T11:26:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=893450 XF libvirt-virnetmessagefree-code-exec(81552) UBUNTU USN-1708-1 SECTRACK 1028047 BID 57578 CONFIRM http://wiki.libvirt.org/page/Maintenance_Releases SECUNIA 52003 SECUNIA 52001 REDHAT RHSA-2013:0199 OSVDB 89644 SUSE SUSE-SU-2013:0320 SUSE openSUSE-SU-2013:0275 SUSE openSUSE-SU-2013:0274 FEDORA FEDORA-2013-1626 FEDORA FEDORA-2013-1642 FEDORA FEDORA-2013-1644 CONFIRM http://libvirt.org/news.html CONFIRM http://libvirt.org/git/?p=libvirt.git;a=commit;h=46532e3e8ed5f5a736a02f67d6c805492f9ca720 Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue.

cpe:/a:samba:samba:4.0.0

CVE-2013-0172

2013-01-17T16:55:00.947-05:00

2013-01-18T00:00:00.000-05:00

3.5

NETWORK

MEDIUM

SINGLE_INSTANCE

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-01-18T13:58:00.000-05:00

CONFIRM http://www.samba.org/samba/security/CVE-2013-0172 Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

cpe:/a:grape_project:grape:0.1.5 cpe:/a:grape_project:grape:0.2.3 cpe:/a:grape_project:grape:0.1.3 cpe:/a:grape_project:grape:0.1.1 cpe:/a:grape_project:grape:0.2.0 cpe:/a:grape_project:grape:0.2.5 cpe:/a:erik_michaels-ober:multi_xml:0.5.2 cpe:/a:grape_project:grape:0.1.4 cpe:/a:grape_project:grape:0.2.2 cpe:/a:grape_project:grape:0.2.4 cpe:/a:grape_project:grape:0.1.2 cpe:/a:grape_project:grape:0.1.0 cpe:/a:grape_project:grape:0.2.1

CVE-2013-0175

2013-04-25T19:55:01.410-04:00

2013-04-26T23:15:09.203-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-04-26T10:25:00.000-04:00

MISC https://news.ycombinator.com/item?id=5040457 CONFIRM https://groups.google.com/forum/?fromgroups=#!topic/ruby-grape/fthDkMgIOa0 CONFIRM https://github.com/sferik/multi_xml/pull/34 CONFIRM https://gist.github.com/nate/d7f6d9f4925f413621aa MLIST [oss-security] 20130111 Re: CVE request for multi_xml ruby gem (has same problem as CVE-2013-0156) multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

cpe:/a:libssh:libssh:0.4.7 cpe:/a:libssh:libssh:0.4.8 cpe:/a:libssh:libssh:0.5.1 cpe:/a:libssh:libssh:0.5.0 cpe:/a:libssh:libssh:0.5.3 cpe:/a:libssh:libssh:0.5.0:rc1 cpe:/a:libssh:libssh:0.5.2

CVE-2013-0176

2013-02-05T18:55:01.850-05:00

2013-02-07T00:00:00.000-05:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-02-06T13:02:00.000-05:00

CONFIRM http://www.libssh.org/2013/01/22/libssh-0-5-4-security-release/ XF libssh-publickeyfromprivatekey-dos(81595) UBUNTU USN-1707-1 SECUNIA 51982 FEDORA FEDORA-2013-1407 FEDORA FEDORA-2013-1422 The publickey_from_privatekey function in libssh before 0.5.4, when no algorithm is matched during negotiations, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a "Client: Diffie-Hellman Key Exchange Init" packet.

cpe:/a:thomas_seidl:search_api:7.x-1.0:beta4 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta10 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta9 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta2 cpe:/a:thomas_seidl:search_api:7.x-1.3 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta3 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta7 cpe:/a:thomas_seidl:search_api:7.x-1.0 cpe:/a:thomas_seidl:search_api:7.x-1.1 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta5 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta6 cpe:/a:thomas_seidl:search_api:7.x-1.x:dev cpe:/a:thomas_seidl:search_api:7.x-1.2 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta1 cpe:/a:thomas_seidl:search_api:7.x-1.0:rc1 cpe:/a:thomas_seidl:search_api:7.x-1.0:beta8

CVE-2013-0181

2013-03-27T17:55:01.477-04:00

2013-03-28T00:00:00.000-04:00

2.6

NETWORK

HIGH

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-28T09:55:00.000-04:00

MISC https://drupal.org/node/1884332 CONFIRM https://drupal.org/node/1884076 MLIST [oss-security] 20130114 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/search_api.git/commitdiff/35b5728 Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

cpe:/a:bart_feenstra:payment::7.x-1.0:alpha2 cpe:/a:bart_feenstra:payment::7.x-1.0:alpha4 cpe:/a:bart_feenstra:payment::7.x-1.0:beta2 cpe:/a:bart_feenstra:payment::7.x-1.0:alpha1 cpe:/a:bart_feenstra:payment::7.x-1.0:alpha3 cpe:/a:bart_feenstra:payment::7.x-1.x:dev cpe:/a:bart_feenstra:payment::7.x-1.0:alpha6 cpe:/a:bart_feenstra:payment::7.x-1.0:beta1 cpe:/a:bart_feenstra:payment::7.x-1.0:alpha5 cpe:/a:bart_feenstra:payment::7.x-1.0:beta3 cpe:/a:bart_feenstra:payment::7.x-1.1 cpe:/a:bart_feenstra:payment::7.x-1.2 cpe:/a:bart_feenstra:payment::7.x-1.0

CVE-2013-0182

2013-03-27T17:55:02.107-04:00

2013-03-28T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-28T10:05:00.000-04:00

MISC https://drupal.org/node/1884360 CONFIRM http://drupal.org/node/1883830 MLIST [oss-security] 20130114 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/payment.git/commitdiff/62c9186 MISC http://drupal.org/node/1871508 The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments.

cpe:/a:rack_project:rack:1.3.4 cpe:/a:rack_project:rack:1.3.6 cpe:/a:rack_project:rack:1.3.2 cpe:/a:rack_project:rack:1.3.1 cpe:/a:rack_project:rack:1.4.1 cpe:/a:rack_project:rack:1.3.5 cpe:/a:rack_project:rack:1.3.7 cpe:/a:rack_project:rack:1.4.0 cpe:/a:rack_project:rack:1.4.2 cpe:/a:rack_project:rack:1.3.3 cpe:/a:rack_project:rack:1.3.0

CVE-2013-0183

2013-03-01T00:40:17.037-05:00

2013-05-14T23:33:53.637-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-01T11:49:00.000-05:00

CONFIRM https://groups.google.com/forum/#!topic/rack-devel/7ZKPNAjgRSs CONFIRM https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI CONFIRM https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18 CONFIRM https://github.com/rack/rack/commit/548b9af2dc0059f4c0c19728624448d84de450ff MISC https://bugzilla.redhat.com/show_bug.cgi?id=895282 REDHAT RHSA-2013:0548 REDHAT RHSA-2013:0544 CONFIRM http://rack.github.com/ SUSE openSUSE-SU-2013:0462 multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.

cpe:/a:rack_project:rack:1.3.4 cpe:/a:rack_project:rack:1.3.6 cpe:/a:rack_project:rack:1.4.3 cpe:/a:rack_project:rack:1.1.0 cpe:/a:rack_project:rack:1.3.1 cpe:/a:rack_project:rack:1.1.2 cpe:/a:rack_project:rack:1.1.4 cpe:/a:rack_project:rack:1.3.5 cpe:/a:rack_project:rack:1.2.6 cpe:/a:rack_project:rack:1.3.8 cpe:/a:rack_project:rack:1.2.2 cpe:/a:rack_project:rack:1.4.2 cpe:/a:rack_project:rack:1.2.4 cpe:/a:rack_project:rack:1.2.3 cpe:/a:rack_project:rack:1.2.0 cpe:/a:rack_project:rack:1.2.1 cpe:/a:rack_project:rack:1.3.2 cpe:/a:rack_project:rack:1.4.1 cpe:/a:rack_project:rack:1.3.7 cpe:/a:rack_project:rack:1.4.0 cpe:/a:rack_project:rack:1.1.3 cpe:/a:rack_project:rack:1.3.3 cpe:/a:rack_project:rack:1.3.0

CVE-2013-0184

2013-03-01T00:40:17.097-05:00

2013-05-14T23:33:53.727-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-01T11:52:00.000-05:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=895384 REDHAT RHSA-2013:0548 REDHAT RHSA-2013:0544 SUSE openSUSE-SU-2013:0462 Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings."

cpe:/a:squid-cache:squid:3.1.13 cpe:/a:squid-cache:squid:3.1.0.13 cpe:/a:squid-cache:squid:3.1.11 cpe:/a:squid-cache:squid:3.2.0.4 cpe:/a:squid-cache:squid:3.2.0.10 cpe:/a:squid-cache:squid:3.2.0.2 cpe:/a:squid-cache:squid:3.1.6 cpe:/a:squid-cache:squid:3.1.3 cpe:/a:squid-cache:squid:3.2.0.16 cpe:/a:squid-cache:squid:3.2.4 cpe:/a:squid-cache:squid:3.1.0.14 cpe:/o:canonical:ubuntu_linux:11.10 cpe:/a:squid-cache:squid:3.2.0.17 cpe:/a:squid-cache:squid:3.1.0.17 cpe:/a:squid-cache:squid:3.1.0.18 cpe:/a:squid-cache:squid:3.2.0.9 cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/a:squid-cache:squid:3.1.0.6 cpe:/a:squid-cache:squid:3.1.9 cpe:/o:canonical:ubuntu_linux:10.04:-:lts cpe:/a:squid-cache:squid:3.1.0.7 cpe:/a:squid-cache:squid:3.1.5.1 cpe:/a:squid-cache:squid:3.1.15 cpe:/a:squid-cache:squid:3.2.0.5 cpe:/a:squid-cache:squid:3.1.12 cpe:/a:squid-cache:squid:3.2.0.7 cpe:/a:squid-cache:squid:3.2.0.1 cpe:/a:squid-cache:squid:3.1.0.10 cpe:/a:squid-cache:squid:3.1.0.2 cpe:/a:squid-cache:squid:3.2.3 cpe:/a:squid-cache:squid:3.1.7 cpe:/a:squid-cache:squid:3.2.0.12 cpe:/a:squid-cache:squid:3.1.8 cpe:/a:squid-cache:squid:3.2.0.8 cpe:/a:squid-cache:squid:3.2.0.3 cpe:/a:squid-cache:squid:3.1.0.4 cpe:/a:squid-cache:squid:3.1.0.3 cpe:/a:squid-cache:squid:3.1.0.5 cpe:/a:squid-cache:squid:3.1.0.9 cpe:/o:canonical:ubuntu_linux:12.10 cpe:/a:squid-cache:squid:3.1.2 cpe:/a:squid-cache:squid:3.1.0.1 cpe:/a:squid-cache:squid:3.1.0.15 cpe:/a:squid-cache:squid:3.1.5 cpe:/a:squid-cache:squid:3.1.0.8 cpe:/a:squid-cache:squid:3.2.2 cpe:/a:squid-cache:squid:3.2.0.15 cpe:/a:squid-cache:squid:3.1.22 cpe:/a:squid-cache:squid:3.2.0.11 cpe:/a:squid-cache:squid:3.2.0.18 cpe:/a:squid-cache:squid:3.1.0.16 cpe:/a:squid-cache:squid:3.1.14 cpe:/a:squid-cache:squid:3.1 cpe:/a:squid-cache:squid:3.2.0.13 cpe:/a:squid-cache:squid:3.2.1 cpe:/a:squid-cache:squid:3.1.0.11 cpe:/a:squid-cache:squid:3.1.10 cpe:/a:squid-cache:squid:3.2.0.6 cpe:/a:squid-cache:squid:3.2.0.19 cpe:/a:squid-cache:squid:3.1.0.12 cpe:/a:squid-cache:squid:3.1.1 cpe:/a:squid-cache:squid:3.1.4 cpe:/a:squid-cache:squid:3.2.0.14

CVE-2013-0189

2013-02-08T15:55:01.377-05:00

2013-03-07T23:11:31.483-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-11T12:38:00.000-05:00

MISC http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2012_1.patch MISC http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch MLIST [scm-commits] 20130125 [squid/f17] CVE-2013-0189: Incomplete fix for the CVE-2012-5643 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=895972 MISC https://bugzilla.redhat.com/show_bug.cgi?id=887962#c9 UBUNTU USN-1713-1 BID 57646 DEBIAN DSA-2631 SECUNIA 52024 CONFIRM http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744 CONFIRM http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743 cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison.

cpe:/o:linux:linux_kernel:2.6.23

CVE-2013-0190

2013-02-12T20:55:03.307-05:00

2013-03-07T23:11:31.547-05:00

4.9

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:07:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=896038 UBUNTU USN-1728-1 UBUNTU USN-1725-1 BID 57433 MLIST [oss-security] 20130116 Xen Security Advisory 40 (CVE-2013-0190) - Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests. MLIST [oss-security] 20130116 [PATCH] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. REDHAT RHSA-2013:0496 The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 and other versions, when running a 32-bit PVOPS guest, allows local users to cause a denial of service (guest crash) by triggering an iret fault, leading to use of an incorrect stack pointer and stack corruption.

cpe:/a:thekelleys:dnsmasq:2.23 cpe:/a:thekelleys:dnsmasq:2.8 cpe:/a:thekelleys:dnsmasq:2.17 cpe:/a:thekelleys:dnsmasq:1.16 cpe:/a:thekelleys:dnsmasq:0.96 cpe:/a:thekelleys:dnsmasq:2.16 cpe:/a:thekelleys:dnsmasq:2.13 cpe:/a:thekelleys:dnsmasq:2.41 cpe:/a:thekelleys:dnsmasq:1.7 cpe:/a:thekelleys:dnsmasq:2.35 cpe:/a:thekelleys:dnsmasq:2.49 cpe:/a:thekelleys:dnsmasq:2.61 cpe:/a:thekelleys:dnsmasq:1.2 cpe:/a:thekelleys:dnsmasq:2.0 cpe:/a:thekelleys:dnsmasq:2.62 cpe:/a:thekelleys:dnsmasq:2.11 cpe:/a:thekelleys:dnsmasq:2.58 cpe:/a:thekelleys:dnsmasq:2.4 cpe:/a:thekelleys:dnsmasq:2.42 cpe:/a:thekelleys:dnsmasq:2.50 cpe:/a:thekelleys:dnsmasq:1.9 cpe:/a:thekelleys:dnsmasq:1.3 cpe:/a:thekelleys:dnsmasq:2.22 cpe:/a:thekelleys:dnsmasq:2.46 cpe:/a:thekelleys:dnsmasq:2.24 cpe:/a:thekelleys:dnsmasq:2.14 cpe:/a:thekelleys:dnsmasq:2.5 cpe:/a:thekelleys:dnsmasq:2.64 cpe:/a:thekelleys:dnsmasq:2.54 cpe:/a:thekelleys:dnsmasq:2.28 cpe:/a:thekelleys:dnsmasq:2.6 cpe:/a:thekelleys:dnsmasq:0.992 cpe:/a:thekelleys:dnsmasq:2.60 cpe:/a:thekelleys:dnsmasq:2.12 cpe:/a:thekelleys:dnsmasq:1.0 cpe:/a:thekelleys:dnsmasq:2.10 cpe:/a:thekelleys:dnsmasq:2.18 cpe:/a:thekelleys:dnsmasq:1.12 cpe:/a:thekelleys:dnsmasq:2.33 cpe:/a:thekelleys:dnsmasq:2.59 cpe:/a:thekelleys:dnsmasq:2.48 cpe:/a:thekelleys:dnsmasq:2.25 cpe:/a:thekelleys:dnsmasq:2.26 cpe:/a:thekelleys:dnsmasq:2.36 cpe:/a:thekelleys:dnsmasq:2.27 cpe:/a:thekelleys:dnsmasq:0.996 cpe:/a:thekelleys:dnsmasq:2.55 cpe:/a:thekelleys:dnsmasq:2.47 cpe:/a:thekelleys:dnsmasq:0.6 cpe:/a:thekelleys:dnsmasq:- cpe:/a:thekelleys:dnsmasq:2.53 cpe:/a:thekelleys:dnsmasq:1.6 cpe:/a:thekelleys:dnsmasq:2.65 cpe:/a:thekelleys:dnsmasq:1.14 cpe:/a:thekelleys:dnsmasq:2.45 cpe:/a:thekelleys:dnsmasq:2.20 cpe:/a:thekelleys:dnsmasq:2.21 cpe:/a:thekelleys:dnsmasq:2.9 cpe:/a:thekelleys:dnsmasq:2.30 cpe:/a:thekelleys:dnsmasq:2.52 cpe:/a:thekelleys:dnsmasq:2.56 cpe:/a:thekelleys:dnsmasq:2.57 cpe:/a:thekelleys:dnsmasq:1.18 cpe:/a:thekelleys:dnsmasq:2.29 cpe:/a:thekelleys:dnsmasq:2.15 cpe:/a:thekelleys:dnsmasq:2.51 cpe:/a:thekelleys:dnsmasq:2.34 cpe:/a:thekelleys:dnsmasq:1.17 cpe:/a:thekelleys:dnsmasq:2.44 cpe:/a:thekelleys:dnsmasq:1.15 cpe:/a:thekelleys:dnsmasq:2.39 cpe:/a:thekelleys:dnsmasq:2.19 cpe:/a:thekelleys:dnsmasq:1.13 cpe:/a:thekelleys:dnsmasq:0.95 cpe:/a:thekelleys:dnsmasq:2.38 cpe:/a:thekelleys:dnsmasq:0.4 cpe:/a:thekelleys:dnsmasq:2.40 cpe:/a:thekelleys:dnsmasq:0.98 cpe:/a:thekelleys:dnsmasq:1.4 cpe:/a:thekelleys:dnsmasq:2.37 cpe:/a:thekelleys:dnsmasq:2.3 cpe:/a:thekelleys:dnsmasq:2.63 cpe:/a:thekelleys:dnsmasq:2.7 cpe:/a:thekelleys:dnsmasq:0.5 cpe:/a:thekelleys:dnsmasq:2.31 cpe:/a:thekelleys:dnsmasq:2.43 cpe:/a:thekelleys:dnsmasq:2.2 cpe:/a:thekelleys:dnsmasq:0.7 cpe:/a:thekelleys:dnsmasq:1.10 cpe:/a:thekelleys:dnsmasq:2.1 cpe:/a:thekelleys:dnsmasq:1.11 cpe:/a:thekelleys:dnsmasq:1.8 cpe:/a:thekelleys:dnsmasq:1.5

CVE-2013-0198

2013-03-05T16:38:54.827-05:00

2013-03-06T00:00:00.000-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-06T08:58:00.000-05:00

CONFIRM http://www.thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=22ce550e5346947a12a781ed0959a7b1165d0dc6 MISC https://bugzilla.redhat.com/show_bug.cgi?id=894486 MLIST [oss-security] 20130118 Re: CVE Request -- dnsmasq: Incomplete fix for the CVE-2012-3411 issue MLIST [oss-security] 20130118 CVE Request -- dnsmasq: Incomplete fix for the CVE-2012-3411 issue Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via spoofed TCP based DNS queries. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3411.

cpe:/a:hp:linux_imaging_and_printing_project:3.9.10 cpe:/a:hp:linux_imaging_and_printing_project:3.11.7 cpe:/a:hp:linux_imaging_and_printing_project:1.0 cpe:/a:hp:linux_imaging_and_printing_project:3.9.4 cpe:/a:hp:linux_imaging_and_printing_project:3.9.12 cpe:/a:hp:linux_imaging_and_printing_project:3.10.2 cpe:/a:hp:linux_imaging_and_printing_project:3.11.3a cpe:/a:hp:linux_imaging_and_printing_project:2.7.10 cpe:/a:hp:linux_imaging_and_printing_project:3.12.4 cpe:/a:hp:linux_imaging_and_printing_project:3.11.3 cpe:/a:hp:linux_imaging_and_printing_project:3.10.5 cpe:/a:hp:linux_imaging_and_printing_project:3.11.5 cpe:/a:hp:linux_imaging_and_printing_project:3.11.1 cpe:/a:hp:linux_imaging_and_printing_project:3.9.8 cpe:/a:hp:linux_imaging_and_printing_project:3.10.9 cpe:/a:hp:linux_imaging_and_printing_project:2.0 cpe:/a:hp:linux_imaging_and_printing_project:3.11.10 cpe:/a:hp:linux_imaging_and_printing_project:3.10.6 cpe:/o:redhat:enterprise_linux:6 cpe:/a:hp:linux_imaging_and_printing_project:3.9.2 cpe:/a:hp:linux_imaging_and_printing_project:3.9.4b cpe:/a:hp:linux_imaging_and_printing_project:3.9.6

CVE-2013-0200

2013-03-06T15:55:01.293-05:00

2013-03-07T00:00:00.000-05:00

1.9

LOCAL

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-07T09:42:00.000-05:00

CONFIRM ftp://ftp.scientificlinux.org/linux/scientific/6x/SRPMS/vendor/hplip-3.12.4-4.el6.src.rpm CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=902163 MISC http://hplipopensource.com/hplip-web/release_notes.html HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.

cpe:/a:restful_web_services_project:restws:7.x-1.0:beta1 cpe:/a:restful_web_services_project:restws:7.x-2.0:alpha1 cpe:/a:restful_web_services_project:restws:7.x-1.0:beta2 cpe:/a:restful_web_services_project:restws:7.x-1.x:dev cpe:/a:restful_web_services_project:restws:7.x-1.0 cpe:/a:restful_web_services_project:restws:7.x-2.x:dev cpe:/a:restful_web_services_project:restws:7.x-2.0:alpha2

CVE-2013-0205

2013-03-19T10:55:01.090-04:00

2013-03-21T00:00:00.000-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-21T04:16:00.000-04:00

CONFIRM https://drupal.org/node/1890216 CONFIRM https://drupal.org/node/1890212 MISC https://drupal.org/node/1890222 MLIST [oss-security] 20130121 Re: CVE request for Drupal contributed modules Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.

cpe:/a:guy_bedford:live_css:7.x-2.5 cpe:/a:guy_bedford:live_css:7.x-2.6 cpe:/a:guy_bedford:live_css:7.x-2.2 cpe:/a:guy_bedford:live_css:7.x-2.0-beta1 cpe:/a:guy_bedford:live_css:7.x-2.0 cpe:/a:guy_bedford:live_css:6.x-2.0 cpe:/a:guy_bedford:live_css:7.x-2.3 cpe:/a:guy_bedford:live_css:7.x-2.x-dev cpe:/a:guy_bedford:live_css:7.x-2.4 cpe:/a:guy_bedford:live_css:7.x-2.1

CVE-2013-0206

2013-03-19T10:55:02.620-04:00

2013-03-21T05:26:43.427-04:00

6.0

NETWORK

MEDIUM

SINGLE_INSTANCE

PARTIAL

http://nvd.nist.gov

2013-03-21T05:10:00.000-04:00

MISC https://drupal.org/node/1890318 MLIST [oss-security] 20130121 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/live_css.git/commitdiff/ef323c8 CONFIRM http://drupalcode.org/project/live_css.git/commitdiff/cb7005f CONFIRM http://drupal.org/node/1883978 CONFIRM http://drupal.org/node/1883976 Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

cpe:/a:leighton_whiting:mark_complete

CVE-2013-0207

2013-03-19T10:55:02.637-04:00

2013-03-21T10:21:46.953-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-21T10:09:00.000-04:00

CONFIRM https://drupal.org/node/1890566 MISC https://drupal.org/node/1890538 MLIST [oss-security] 20130121 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/mark_complete.git/commitdiff/a18c7b2 Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

cpe:/o:canonical:ubuntu_linux:11.10 cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/a:openstack:folsom:- cpe:/a:openstack:essex:- cpe:/o:canonical:ubuntu_linux:12.10

CVE-2013-0208

2013-02-13T11:55:01.617-05:00

2013-02-14T00:00:00.000-05:00

6.5

NETWORK

LOW

SINGLE_INSTANCE

PARTIAL

http://nvd.nist.gov

2013-02-14T08:24:00.000-05:00

CONFIRM https://github.com/openstack/nova/commit/317cc0af385536dee43ef2addad50a91357fc1ad CONFIRM https://github.com/openstack/nova/commit/243d516cea9d3caa5a8267b12d2f577dcb24193b MISC https://bugzilla.redhat.com/show_bug.cgi?id=902629 CONFIRM https://bugs.launchpad.net/nova/+bug/1069904 XF nova-volume-security-bypass(81697) UBUNTU USN-1709-1 BID 57613 MLIST [oss-security] 20130129 [OSSA 2013-001] Boot from volume allows access to random volumes (CVE-2013-0208) SECUNIA 51992 SECUNIA 51963 REDHAT RHSA-2013:0208 OSVDB 89661 The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter.

cpe:/a:sixapart:movable_type:4.361::open_source cpe:/a:sixapart:movable_type:4.27 cpe:/a:sixapart:movable_type:4.29 cpe:/a:sixapart:movable_type:4.26 cpe:/a:sixapart:movable_type:4.28 cpe:/a:sixapart:movable_type:4.38 cpe:/a:sixapart:movable_type:4.32 cpe:/a:sixapart:movable_type:4.29::open_source cpe:/a:sixapart:movable_type:4.33 cpe:/a:sixapart:movable_type:4.37 cpe:/a:sixapart:movable_type:4.38::open_source cpe:/a:sixapart:movable_type:4.36::open_source cpe:/a:sixapart:movable_type:4.22 cpe:/a:sixapart:movable_type:4.292 cpe:/a:sixapart:movable_type:4.291 cpe:/a:sixapart:movable_type:4.31 cpe:/a:sixapart:movable_type:4.23 cpe:/a:sixapart:movable_type:4.361 cpe:/a:sixapart:movable_type:4.28::open_source cpe:/a:sixapart:movable_type:4.292::enterprise cpe:/a:sixapart:movable_type:4.36 cpe:/a:sixapart:movable_type:4.261 cpe:/a:sixapart:movable_type:4.37::open_source cpe:/a:sixapart:movable_type:4.292::open_source cpe:/a:sixapart:movable_type:4.35 cpe:/a:sixapart:movable_type:4.21 cpe:/a:sixapart:movable_type:4.28::enterprise cpe:/a:sixapart:movable_type:4.291::open_source cpe:/a:sixapart:movable_type:4.34 cpe:/a:sixapart:movable_type:4.291::enterprise cpe:/a:sixapart:movable_type:4.25 cpe:/a:sixapart:movable_type:4.24 cpe:/a:sixapart:movable_type:4.29::enterprise

CVE-2013-0209

2013-01-22T20:55:01.150-05:00

2013-01-29T00:00:00.000-05:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-01-23T10:47:00.000-05:00

CONFIRM http://www.movabletype.org/2013/01/movable_type_438_patch.html MISC http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt MISC http://www.sec-1.com/blog/?p=402 MLIST [oss-security] 20130121 Re: CVE request for Movable Type lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.

cpe:/o:canonical:ubuntu_linux:11.10 cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/a:openstack:glance:grizzly cpe:/a:openstack:essex:2012.1 cpe:/a:openstack:folsom:2012.2 cpe:/o:canonical:ubuntu_linux:12.10

CVE-2013-0212

2013-02-24T16:55:01.143-05:00

2013-02-26T00:00:00.000-05:00

4.0

NETWORK

LOW

SINGLE_INSTANCE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-25T14:55:00.000-05:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=902964 UBUNTU USN-1710-1 MLIST [openstack] 20130129 [OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212) CONFIRM https://launchpad.net/glance/+milestone/2012.2.3 CONFIRM https://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5030a89 CONFIRM https://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed954a4c1 CONFIRM https://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4bed364b7 CONFIRM https://bugs.launchpad.net/glance/+bug/1098962 MLIST [oss-security] 20130129 [OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212) SECUNIA 51990 SECUNIA 51957 REDHAT RHSA-2013:0209 store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.

cpe:/a:samba:samba:3.4.14 cpe:/a:samba:samba:3.6.11 cpe:/a:samba:samba:3.5.13 cpe:/a:samba:samba:3.2.1 cpe:/a:samba:samba:3.0.6 cpe:/a:samba:samba:3.4.3 cpe:/a:samba:samba:3.0.21c cpe:/a:samba:samba:3.2.0 cpe:/a:samba:samba:3.4.15 cpe:/a:samba:samba:3.0.26a cpe:/a:samba:samba:3.0.11 cpe:/a:samba:samba:3.4.9 cpe:/a:samba:samba:3.3.4 cpe:/a:samba:samba:3.0.23 cpe:/a:samba:samba:3.0.8 cpe:/a:samba:samba:3.0.25:rc2 cpe:/a:samba:samba:3.0.23d cpe:/a:samba:samba:3.0.21 cpe:/a:samba:samba:3.0.25:rc3 cpe:/a:samba:samba:3.4.0 cpe:/a:samba:samba:3.0.26:a cpe:/a:samba:samba:3.5.5 cpe:/a:samba:samba:3.0.25a cpe:/a:samba:samba:3.0.14a cpe:/a:samba:samba:3.0.21a cpe:/a:samba:samba:3.6.1 cpe:/a:samba:samba:3.0.25:pre1 cpe:/a:samba:samba:3.2.3 cpe:/a:samba:samba:3.0.13 cpe:/a:samba:samba:3.3.13 cpe:/a:samba:samba:3.2.15 cpe:/a:samba:samba:3.1 cpe:/a:samba:samba:3.0.10 cpe:/a:samba:samba:3.3.5 cpe:/a:samba:samba:3.6.3 cpe:/a:samba:samba:3.0.33 cpe:/a:samba:samba:3.0.21:a cpe:/a:samba:samba:3.0.4:rc1 cpe:/a:samba:samba:3.5.2 cpe:/a:samba:samba:3.0.23:a cpe:/a:samba:samba:3.2.4 cpe:/a:samba:samba:3.4.13 cpe:/a:samba:samba:3.0.25:rc1 cpe:/a:samba:samba:3.3.6 cpe:/a:samba:samba:3.5.18 cpe:/a:samba:samba:3.0.7 cpe:/a:samba:samba:3.0.21:c cpe:/a:samba:samba:3.0.25 cpe:/a:samba:samba:3.0.4 cpe:/a:samba:samba:3.6.5 cpe:/a:samba:samba:3.0.20:b cpe:/a:samba:samba:3.5.11 cpe:/a:samba:samba:3.3.2 cpe:/a:samba:samba:3.5.7 cpe:/a:samba:samba:3.3.0 cpe:/a:samba:samba:3.4.12 cpe:/a:samba:samba:3.2.8 cpe:/a:samba:samba:3.0.2:a cpe:/a:samba:samba:3.5.19 cpe:/a:samba:samba:3.0.19 cpe:/a:samba:samba:3.0.2 cpe:/a:samba:samba:3.2.6 cpe:/a:samba:samba:3.4.2 cpe:/a:samba:samba:3.6.4 cpe:/a:samba:samba:3.6.0 cpe:/a:samba:samba:3.2.9 cpe:/a:samba:samba:3.0.28 cpe:/a:samba:samba:3.0.20 cpe:/a:samba:samba:3.0.14 cpe:/a:samba:samba:3.6.2 cpe:/a:samba:samba:3.0.20a cpe:/a:samba:samba:3.0.25:a cpe:/a:samba:samba:3.6.10 cpe:/a:samba:samba:3.6.8 cpe:/a:samba:samba:3.3.11 cpe:/a:samba:samba:3.5.16 cpe:/a:samba:samba:3.4.16 cpe:/a:samba:samba:3.0.14:a cpe:/a:samba:samba:3.0.16 cpe:/a:samba:samba:3.0.23:d cpe:/a:samba:samba:3.0.28:a cpe:/a:samba:samba:3.3.12 cpe:/a:samba:samba:3.2.13 cpe:/a:samba:samba:3.0.31 cpe:/a:samba:samba:3.4.11 cpe:/a:samba:samba:3.5.15 cpe:/a:samba:samba:3.0.15 cpe:/a:samba:samba:3.5.1 cpe:/a:samba:samba:3.0 cpe:/a:samba:samba:3.6.9 cpe:/a:samba:samba:3.4.8 cpe:/a:samba:samba:3.0.23:c cpe:/a:samba:samba:3.3.15 cpe:/a:samba:samba:3.0.27 cpe:/a:samba:samba:3.0.9 cpe:/a:samba:samba:3.6.7 cpe:/a:samba:samba:3.5.12 cpe:/a:samba:samba:4.0.0 cpe:/a:samba:samba:3.0.29 cpe:/a:samba:samba:3.0.2a cpe:/a:samba:samba:3.6.6 cpe:/a:samba:samba:3.3.8 cpe:/a:samba:samba:3.0.22 cpe:/a:samba:samba:3.3.1 cpe:/a:samba:samba:3.2.5 cpe:/a:samba:samba:3.4.6 cpe:/a:samba:samba:3.3.9 cpe:/a:samba:samba:3.5.3 cpe:/a:samba:samba:3.0.23a cpe:/a:samba:samba:3.0.25:pre2 cpe:/a:samba:samba:3.5.6 cpe:/a:samba:samba:3.0.25b cpe:/a:samba:samba:3.2.2 cpe:/a:samba:samba:4.0.1 cpe:/a:samba:samba:3.0.25:c cpe:/a:samba:samba:3.4.4 cpe:/a:samba:samba:3.4.17 cpe:/a:samba:samba:3.0.36 cpe:/a:samba:samba:3.3.16 cpe:/a:samba:samba:3.0.1 cpe:/a:samba:samba:3.0.27:a cpe:/a:samba:samba:3.4.5 cpe:/a:samba:samba:3.0.24 cpe:/a:samba:samba:3.0.12 cpe:/a:samba:samba:3.0.5 cpe:/a:samba:samba:3.5.0 cpe:/a:samba:samba:3.0.32 cpe:/a:samba:samba:3.0.34 cpe:/a:samba:samba:3.2.7 cpe:/a:samba:samba:3.3.3 cpe:/a:samba:samba:3.4.7 cpe:/a:samba:samba:3.0.18 cpe:/a:samba:samba:3.5.8 cpe:/a:samba:samba:3.0.0 cpe:/a:samba:samba:3.0.21:b cpe:/a:samba:samba:3.3.14 cpe:/a:samba:samba:3.2.10 cpe:/a:samba:samba:3.5.10 cpe:/a:samba:samba:3.0.23b cpe:/a:samba:samba:3.3.7 cpe:/a:samba:samba:3.5.17 cpe:/a:samba:samba:3.5.20 cpe:/a:samba:samba:3.2.14 cpe:/a:samba:samba:3.0.30 cpe:/a:samba:samba:3.0.20b cpe:/a:samba:samba:3.4.1 cpe:/a:samba:samba:3.5.9 cpe:/a:samba:samba:3.2.11 cpe:/a:samba:samba:3.5.14 cpe:/a:samba:samba:3.0.26 cpe:/a:samba:samba:3.3.10 cpe:/a:samba:samba:3.0.23c cpe:/a:samba:samba:3.0.20:a cpe:/a:samba:samba:3.0.3 cpe:/a:samba:samba:3.4.10 cpe:/a:samba:samba:3.0.35 cpe:/a:samba:samba:3.0.17 cpe:/a:samba:samba:3.0.25:b cpe:/a:samba:samba:3.0.23:b cpe:/a:samba:samba:3.0.25c cpe:/a:samba:samba:3.0.37 cpe:/a:samba:samba:3.0.21b cpe:/a:samba:samba:3.5.4 cpe:/a:samba:samba:3.2.12

CVE-2013-0213

2013-02-02T15:55:03.100-05:00

2013-05-14T23:33:55.797-04:00

5.1

NETWORK

HIGH

NONE

PARTIAL

http://nvd.nist.gov

2013-02-04T12:45:00.000-05:00

CONFIRM http://www.samba.org/samba/security/CVE-2013-0213 DEBIAN DSA-2617 SUSE openSUSE-SU-2013:0281 SUSE openSUSE-SU-2013:0277 SUSE SUSE-SU-2013:0519 SUSE SUSE-SU-2013:0326 The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element.

CVE-2013-0214

2013-02-02T15:55:03.147-05:00

2013-05-14T23:33:55.890-04:00

5.1

NETWORK

HIGH

NONE

PARTIAL

http://nvd.nist.gov

2013-02-04T12:48:00.000-05:00

CONFIRM http://www.samba.org/samba/security/CVE-2013-0214 DEBIAN DSA-2617 SUSE openSUSE-SU-2013:0281 SUSE openSUSE-SU-2013:0277 SUSE SUSE-SU-2013:0519 SUSE SUSE-SU-2013:0326 Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to hijack the authentication of arbitrary users by leveraging knowledge of a password and composing requests that perform SWAT actions.

cpe:/o:xen:xen:4.2.0 cpe:/o:xen:xen:4.2.1 cpe:/o:xen:xen:4.1.4 cpe:/o:xen:xen:4.1.3 cpe:/o:xen:xen:4.1.2 cpe:/o:xen:xen:4.1.1 cpe:/o:xen:xen:4.1.0

CVE-2013-0215

2013-03-07T00:04:44.667-05:00

2013-03-07T23:11:32.090-05:00

4.3

ADJACENT_NETWORK

MEDIUM

NONE

PARTIAL

NONE

PARTIAL

http://nvd.nist.gov

2013-03-07T10:38:00.000-05:00

CONFIRM http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=61401264eb00fae4ee4efc8e9a5067449283207b CONFIRM http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=40f9c5e0a6d15b4ca1f6d4ed3a46f0871520eab5 MLIST [oss-security] 20130205 Xen Security Advisory 38 (CVE-2013-0215) - oxenstored incorrect handling of certain Xenbus ring states oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operations, which allows guest OS users to cause a denial of service (daemon crash and host-control outage, or memory consumption) or obtain sensitive control-plane data by leveraging guest administrative access.

cpe:/o:linux:linux_kernel:3.3.5 cpe:/o:linux:linux_kernel:3.0:rc4 cpe:/o:linux:linux_kernel:3.2.7 cpe:/o:linux:linux_kernel:3.0.32 cpe:/o:linux:linux_kernel:3.5.7 cpe:/o:linux:linux_kernel:3.5.4 cpe:/o:linux:linux_kernel:3.2.3 cpe:/o:linux:linux_kernel:3.7.8 cpe:/o:linux:linux_kernel:3.4.23 cpe:/o:linux:linux_kernel:3.2.26 cpe:/o:linux:linux_kernel:3.0.26 cpe:/o:linux:linux_kernel:3.4.13 cpe:/o:linux:linux_kernel:3.0.40 cpe:/o:linux:linux_kernel:3.6.9 cpe:/o:linux:linux_kernel:3.3.2 cpe:/o:linux:linux_kernel:3.7 cpe:/o:linux:linux_kernel:3.3.6 cpe:/o:linux:linux_kernel:3.0.16 cpe:/o:linux:linux_kernel:3.0.24 cpe:/o:linux:linux_kernel:3.4.22 cpe:/o:linux:linux_kernel:3.2.11 cpe:/o:linux:linux_kernel:3.1.4 cpe:/o:linux:linux_kernel:3.3:rc2 cpe:/o:linux:linux_kernel:3.0.39 cpe:/o:linux:linux_kernel:3.7.4 cpe:/o:linux:linux_kernel:3.4.16 cpe:/o:linux:linux_kernel:3.5.2 cpe:/o:linux:linux_kernel:3.3:rc3 cpe:/o:linux:linux_kernel:3.0.17 cpe:/o:linux:linux_kernel:3.0.27 cpe:/o:linux:linux_kernel:3.0.20 cpe:/o:linux:linux_kernel:3.1:rc3 cpe:/o:linux:linux_kernel:3.2.6 cpe:/o:linux:linux_kernel:3.4.9 cpe:/o:linux:linux_kernel:3.4.3 cpe:/o:linux:linux_kernel:3.0:rc1 cpe:/o:linux:linux_kernel:3.0.41 cpe:/o:linux:linux_kernel:3.7.7 cpe:/o:linux:linux_kernel:3.0.37 cpe:/o:linux:linux_kernel:3.1.9 cpe:/o:linux:linux_kernel:3.0.31 cpe:/o:linux:linux_kernel:3.0.38 cpe:/o:linux:linux_kernel:3.1.6 cpe:/o:linux:linux_kernel:3.4.5 cpe:/o:linux:linux_kernel:3.0:rc5 cpe:/o:linux:linux_kernel:3.2.27 cpe:/o:linux:linux_kernel:3.4.19 cpe:/o:linux:linux_kernel:3.2.15 cpe:/o:linux:linux_kernel:3.0.7 cpe:/o:linux:linux_kernel:3.0.1 cpe:/o:linux:linux_kernel:3.2.17 cpe:/o:linux:linux_kernel:3.0.5 cpe:/o:linux:linux_kernel:3.0.9 cpe:/o:linux:linux_kernel:3.7.6 cpe:/o:linux:linux_kernel:3.0.11 cpe:/o:linux:linux_kernel:3.7.1 cpe:/o:linux:linux_kernel:3.4.12 cpe:/o:linux:linux_kernel:3.0.13 cpe:/o:linux:linux_kernel:3.3.3 cpe:/o:linux:linux_kernel:3.0.34 cpe:/o:linux:linux_kernel:3.2.2 cpe:/o:linux:linux_kernel:3.2:rc5 cpe:/o:linux:linux_kernel:3.2.22 cpe:/o:linux:linux_kernel:3.0.8 cpe:/o:linux:linux_kernel:3.0.4 cpe:/o:linux:linux_kernel:3.2.9 cpe:/o:linux:linux_kernel:3.1:rc4 cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:3.0.42 cpe:/o:linux:linux_kernel:3.1:rc1 cpe:/o:linux:linux_kernel:3.4:rc1 cpe:/o:linux:linux_kernel:3.3 cpe:/o:linux:linux_kernel:3.4.14 cpe:/o:linux:linux_kernel:3.0.21 cpe:/o:linux:linux_kernel:3.2.14 cpe:/o:linux:linux_kernel:3.1.1 cpe:/o:linux:linux_kernel:3.0.22 cpe:/o:linux:linux_kernel:3.2:rc4 cpe:/o:linux:linux_kernel:3.6.10 cpe:/o:linux:linux_kernel:3.4.21 cpe:/o:linux:linux_kernel:3.1 cpe:/o:linux:linux_kernel:3.4.17 cpe:/o:linux:linux_kernel:3.5.6 cpe:/o:linux:linux_kernel:3.1.3 cpe:/o:linux:linux_kernel:3.0.29 cpe:/o:linux:linux_kernel:3.3:rc1 cpe:/o:linux:linux_kernel:3.0.33 cpe:/o:linux:linux_kernel:3.1.2 cpe:/o:linux:linux_kernel:3.2.13 cpe:/o:linux:linux_kernel:3.3:rc6 cpe:/o:linux:linux_kernel:3.3.4 cpe:/o:linux:linux_kernel:3.2.18 cpe:/o:linux:linux_kernel:3.0.12 cpe:/o:linux:linux_kernel:3.2.29 cpe:/o:linux:linux_kernel:3.2.24 cpe:/o:linux:linux_kernel:3.0:rc3 cpe:/o:linux:linux_kernel:3.2.12 cpe:/o:linux:linux_kernel:3.0.19 cpe:/o:linux:linux_kernel:3.0.3 cpe:/o:linux:linux_kernel:3.2.25 cpe:/o:linux:linux_kernel:3.2:rc7 cpe:/o:linux:linux_kernel:3.4:rc7 cpe:/o:linux:linux_kernel:3.0.36 cpe:/o:linux:linux_kernel:3.4.4 cpe:/o:linux:linux_kernel:3.2.23 cpe:/o:linux:linux_kernel:3.4:rc6 cpe:/o:linux:linux_kernel:3.2.16 cpe:/o:linux:linux_kernel:3.0.10 cpe:/o:linux:linux_kernel:3.0.35 cpe:/o:linux:linux_kernel:3.5.3 cpe:/o:linux:linux_kernel:3.2:rc6 cpe:/o:linux:linux_kernel:3.1.7 cpe:/o:linux:linux_kernel:3.0.30 cpe:/o:linux:linux_kernel:3.1.5 cpe:/o:linux:linux_kernel:3.4.11 cpe:/o:linux:linux_kernel:3.5.5 cpe:/o:linux:linux_kernel:3.4.10 cpe:/o:linux:linux_kernel:3.2:rc2 cpe:/o:linux:linux_kernel:3.3.1 cpe:/o:linux:linux_kernel:3.6.11 cpe:/o:linux:linux_kernel:3.3:rc4 cpe:/o:linux:linux_kernel:3.0.28 cpe:/o:linux:linux_kernel:3.3:rc7 cpe:/o:linux:linux_kernel:3.3.7 cpe:/o:linux:linux_kernel:3.1.10 cpe:/o:linux:linux_kernel:3.3:rc5 cpe:/o:linux:linux_kernel:3.4.8 cpe:/o:linux:linux_kernel:3.0.14 cpe:/o:linux:linux_kernel:3.7.2 cpe:/o:linux:linux_kernel:3.2:rc3 cpe:/o:linux:linux_kernel:3.0.23 cpe:/o:linux:linux_kernel:3.0:rc2 cpe:/o:linux:linux_kernel:3.4.20 cpe:/o:linux:linux_kernel:3.3.8 cpe:/o:linux:linux_kernel:3.4.2 cpe:/o:linux:linux_kernel:3.0.2 cpe:/o:linux:linux_kernel:3.7.3 cpe:/o:linux:linux_kernel:3.5.1 cpe:/o:linux:linux_kernel:3.1:rc2 cpe:/o:linux:linux_kernel:3.2.30 cpe:/o:linux:linux_kernel:3.0.6 cpe:/o:linux:linux_kernel:3.0.15 cpe:/o:linux:linux_kernel:3.2.1 cpe:/o:linux:linux_kernel:3.0.44 cpe:/o:linux:linux_kernel:3.2.28 cpe:/o:linux:linux_kernel:3.4:rc2 cpe:/o:linux:linux_kernel:3.4.24 cpe:/o:linux:linux_kernel:3.2.8 cpe:/o:linux:linux_kernel:3.4:rc4 cpe:/o:linux:linux_kernel:3.2.5 cpe:/o:linux:linux_kernel:3.4.15 cpe:/o:linux:linux_kernel:3.2.19 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.4.1 cpe:/o:linux:linux_kernel:3.0.43 cpe:/o:linux:linux_kernel:3.0.25 cpe:/o:linux:linux_kernel:3.1.8 cpe:/o:linux:linux_kernel:3.4:rc3 cpe:/o:linux:linux_kernel:3.4.7 cpe:/o:linux:linux_kernel:3.2.4 cpe:/o:linux:linux_kernel:3.2.10 cpe:/o:linux:linux_kernel:3.0.18 cpe:/o:linux:linux_kernel:3.4.6 cpe:/o:linux:linux_kernel:3.4:rc5 cpe:/o:linux:linux_kernel:3.2.20 cpe:/o:linux:linux_kernel:3.2.21 cpe:/o:linux:linux_kernel:3.4.18 cpe:/o:linux:linux_kernel:3.0:rc6 cpe:/o:linux:linux_kernel:3.7.5 cpe:/o:linux:linux_kernel:3.0:rc7

CVE-2013-0216

2013-02-17T23:41:50.323-05:00

2013-06-04T23:40:35.730-04:00

5.2

ADJACENT_NETWORK

MEDIUM

SINGLE_INSTANCE

NONE

COMPLETE

http://nvd.nist.gov

2013-02-18T11:35:00.000-05:00

CONFIRM https://github.com/torvalds/linux/commit/48856286b64e4b66ec62b94e504d0b29c1ade664 CONFIRM http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=48856286b64e4b66ec62b94e504d0b29c1ade664 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=910883 MLIST [oss-security] 20130205 Xen Security Advisory 39 (CVE-2013-0216,CVE-2013-0217) - Linux netback DoS via malicious guest ring. CONFIRM http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.8 SUSE SUSE-SU-2013:0674 SUSE openSUSE-SU-2013:0395 The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.

cpe:/o:linux:linux_kernel:3.3.5 cpe:/o:linux:linux_kernel:3.0:rc4 cpe:/o:linux:linux_kernel:3.2.7 cpe:/o:linux:linux_kernel:3.0.32 cpe:/o:linux:linux_kernel:3.5.7 cpe:/o:linux:linux_kernel:3.5.4 cpe:/o:linux:linux_kernel:3.2.3 cpe:/o:linux:linux_kernel:3.7.8 cpe:/o:linux:linux_kernel:3.4.23 cpe:/o:linux:linux_kernel:3.2.26 cpe:/o:linux:linux_kernel:3.0.26 cpe:/o:linux:linux_kernel:3.4.13 cpe:/o:linux:linux_kernel:3.0.40 cpe:/o:linux:linux_kernel:3.6.9 cpe:/o:linux:linux_kernel:3.3.2 cpe:/o:linux:linux_kernel:3.7 cpe:/o:linux:linux_kernel:3.3.6 cpe:/o:linux:linux_kernel:3.0.16 cpe:/o:linux:linux_kernel:3.0.24 cpe:/o:linux:linux_kernel:3.4.22 cpe:/o:linux:linux_kernel:3.2.11 cpe:/o:linux:linux_kernel:3.1.4 cpe:/o:linux:linux_kernel:3.3:rc2 cpe:/o:linux:linux_kernel:3.0.39 cpe:/o:linux:linux_kernel:3.7.4 cpe:/o:linux:linux_kernel:3.4.16 cpe:/o:linux:linux_kernel:3.5.2 cpe:/o:linux:linux_kernel:3.3:rc3 cpe:/o:linux:linux_kernel:3.0.17 cpe:/o:linux:linux_kernel:3.0.27 cpe:/o:linux:linux_kernel:3.0.20 cpe:/o:linux:linux_kernel:3.1:rc3 cpe:/o:linux:linux_kernel:3.2.6 cpe:/o:linux:linux_kernel:3.4.9 cpe:/o:linux:linux_kernel:3.4.3 cpe:/o:linux:linux_kernel:3.0:rc1 cpe:/o:linux:linux_kernel:3.0.41 cpe:/o:linux:linux_kernel:3.7.7 cpe:/o:linux:linux_kernel:3.0.37 cpe:/o:linux:linux_kernel:3.1.9 cpe:/o:linux:linux_kernel:3.0.31 cpe:/o:linux:linux_kernel:3.0.38 cpe:/o:linux:linux_kernel:3.1.6 cpe:/o:linux:linux_kernel:3.4.5 cpe:/o:linux:linux_kernel:3.0:rc5 cpe:/o:linux:linux_kernel:3.2.27 cpe:/o:linux:linux_kernel:3.4.19 cpe:/o:linux:linux_kernel:3.2.15 cpe:/o:linux:linux_kernel:3.0.7 cpe:/o:linux:linux_kernel:3.0.1 cpe:/o:linux:linux_kernel:3.2.17 cpe:/o:linux:linux_kernel:3.0.5 cpe:/o:linux:linux_kernel:3.0.9 cpe:/o:linux:linux_kernel:3.7.6 cpe:/o:linux:linux_kernel:3.0.11 cpe:/o:linux:linux_kernel:3.7.1 cpe:/o:linux:linux_kernel:3.4.12 cpe:/o:linux:linux_kernel:3.0.13 cpe:/o:linux:linux_kernel:3.3.3 cpe:/o:linux:linux_kernel:3.0.34 cpe:/o:linux:linux_kernel:3.2.2 cpe:/o:linux:linux_kernel:3.2:rc5 cpe:/o:linux:linux_kernel:3.2.22 cpe:/o:linux:linux_kernel:3.0.8 cpe:/o:linux:linux_kernel:3.0.4 cpe:/o:linux:linux_kernel:3.2.9 cpe:/o:linux:linux_kernel:3.1:rc4 cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:3.0.42 cpe:/o:linux:linux_kernel:3.1:rc1 cpe:/o:linux:linux_kernel:3.4:rc1 cpe:/o:linux:linux_kernel:3.3 cpe:/o:linux:linux_kernel:3.4.14 cpe:/o:linux:linux_kernel:3.0.21 cpe:/o:linux:linux_kernel:3.2.14 cpe:/o:linux:linux_kernel:3.1.1 cpe:/o:linux:linux_kernel:3.0.22 cpe:/o:linux:linux_kernel:3.2:rc4 cpe:/o:linux:linux_kernel:3.6.10 cpe:/o:linux:linux_kernel:3.4.21 cpe:/o:linux:linux_kernel:3.1 cpe:/o:linux:linux_kernel:3.4.17 cpe:/o:linux:linux_kernel:3.5.6 cpe:/o:linux:linux_kernel:3.1.3 cpe:/o:linux:linux_kernel:3.0.29 cpe:/o:linux:linux_kernel:3.3:rc1 cpe:/o:linux:linux_kernel:3.0.33 cpe:/o:linux:linux_kernel:3.1.2 cpe:/o:linux:linux_kernel:3.2.13 cpe:/o:linux:linux_kernel:3.3:rc6 cpe:/o:linux:linux_kernel:3.3.4 cpe:/o:linux:linux_kernel:3.2.18 cpe:/o:linux:linux_kernel:3.0.12 cpe:/o:linux:linux_kernel:3.2.29 cpe:/o:linux:linux_kernel:3.2.24 cpe:/o:linux:linux_kernel:3.0:rc3 cpe:/o:linux:linux_kernel:3.2.12 cpe:/o:linux:linux_kernel:3.0.19 cpe:/o:linux:linux_kernel:3.0.3 cpe:/o:linux:linux_kernel:3.2.25 cpe:/o:linux:linux_kernel:3.2:rc7 cpe:/o:linux:linux_kernel:3.4:rc7 cpe:/o:linux:linux_kernel:3.0.36 cpe:/o:linux:linux_kernel:3.4.4 cpe:/o:linux:linux_kernel:3.2.23 cpe:/o:linux:linux_kernel:3.4:rc6 cpe:/o:linux:linux_kernel:3.2.16 cpe:/o:linux:linux_kernel:3.0.10 cpe:/o:linux:linux_kernel:3.0.35 cpe:/o:linux:linux_kernel:3.5.3 cpe:/o:linux:linux_kernel:3.2:rc6 cpe:/o:linux:linux_kernel:3.1.7 cpe:/o:linux:linux_kernel:3.0.30 cpe:/o:linux:linux_kernel:3.1.5 cpe:/o:linux:linux_kernel:3.4.11 cpe:/o:linux:linux_kernel:3.5.5 cpe:/o:linux:linux_kernel:3.4.10 cpe:/o:linux:linux_kernel:3.2:rc2 cpe:/o:linux:linux_kernel:3.3.1 cpe:/o:linux:linux_kernel:3.6.11 cpe:/o:linux:linux_kernel:3.3:rc4 cpe:/o:linux:linux_kernel:3.0.28 cpe:/o:linux:linux_kernel:3.3:rc7 cpe:/o:linux:linux_kernel:3.3.7 cpe:/o:linux:linux_kernel:3.1.10 cpe:/o:linux:linux_kernel:3.3:rc5 cpe:/o:linux:linux_kernel:3.4.8 cpe:/o:linux:linux_kernel:3.0.14 cpe:/o:linux:linux_kernel:3.7.2 cpe:/o:linux:linux_kernel:3.2:rc3 cpe:/o:linux:linux_kernel:3.0.23 cpe:/o:linux:linux_kernel:3.0:rc2 cpe:/o:linux:linux_kernel:3.4.20 cpe:/o:linux:linux_kernel:3.3.8 cpe:/o:linux:linux_kernel:3.4.2 cpe:/o:linux:linux_kernel:3.0.2 cpe:/o:linux:linux_kernel:3.7.3 cpe:/o:linux:linux_kernel:3.5.1 cpe:/o:linux:linux_kernel:3.1:rc2 cpe:/o:linux:linux_kernel:3.2.30 cpe:/o:linux:linux_kernel:3.0.6 cpe:/o:linux:linux_kernel:3.0.15 cpe:/o:linux:linux_kernel:3.2.1 cpe:/o:linux:linux_kernel:3.0.44 cpe:/o:linux:linux_kernel:3.2.28 cpe:/o:linux:linux_kernel:3.4:rc2 cpe:/o:linux:linux_kernel:3.4.24 cpe:/o:linux:linux_kernel:3.2.8 cpe:/o:linux:linux_kernel:3.4:rc4 cpe:/o:linux:linux_kernel:3.2.5 cpe:/o:linux:linux_kernel:3.4.15 cpe:/o:linux:linux_kernel:3.2.19 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.4.1 cpe:/o:linux:linux_kernel:3.0.43 cpe:/o:linux:linux_kernel:3.0.25 cpe:/o:linux:linux_kernel:3.1.8 cpe:/o:linux:linux_kernel:3.4:rc3 cpe:/o:linux:linux_kernel:3.4.7 cpe:/o:linux:linux_kernel:3.2.4 cpe:/o:linux:linux_kernel:3.2.10 cpe:/o:linux:linux_kernel:3.0.18 cpe:/o:linux:linux_kernel:3.4.6 cpe:/o:linux:linux_kernel:3.4:rc5 cpe:/o:linux:linux_kernel:3.2.20 cpe:/o:linux:linux_kernel:3.2.21 cpe:/o:linux:linux_kernel:3.4.18 cpe:/o:linux:linux_kernel:3.0:rc6 cpe:/o:linux:linux_kernel:3.7.5 cpe:/o:linux:linux_kernel:3.0:rc7

CVE-2013-0217

2013-02-17T23:41:50.367-05:00

2013-02-18T00:00:00.000-05:00

5.2

ADJACENT_NETWORK

MEDIUM

SINGLE_INSTANCE

NONE

COMPLETE

http://nvd.nist.gov

2013-02-18T11:39:00.000-05:00

CONFIRM https://github.com/torvalds/linux/commit/7d5145d8eb2b9791533ffe4dc003b129b9696c48 CONFIRM http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7d5145d8eb2b9791533ffe4dc003b129b9696c48 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=910883 MLIST [oss-security] 20130205 Xen Security Advisory 39 (CVE-2013-0216,CVE-2013-0217) - Linux netback DoS via malicious guest ring. CONFIRM http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.8 Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.

cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0 cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0 cpe:/a:redhat:jboss_enterprise_web_platform:5.1.2 cpe:/a:redhat:jboss_enterprise_application_platform:5.1.2

CVE-2013-0218

2013-02-05T18:55:01.897-05:00

2013-02-06T00:00:00.000-05:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-06T12:44:00.000-05:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=903073 XF jboss-eap-info-disc(81725) BID 57652 OSVDB 89698 SECUNIA 52041 REDHAT RHSA-2013:0207 REDHAT RHSA-2013:0206 The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file.

cpe:/a:fedoraproject:sssd:1.6.3 cpe:/a:fedoraproject:sssd:1.8.6 cpe:/a:fedoraproject:sssd:1.3.1 cpe:/a:fedoraproject:sssd:0.3.1 cpe:/a:fedoraproject:sssd:1.2.3 cpe:/a:fedoraproject:sssd:1.5.2 cpe:/a:fedoraproject:sssd:1.8.0:beta3 cpe:/a:fedoraproject:sssd:1.8.5 cpe:/a:fedoraproject:sssd:1.4.0 cpe:/a:fedoraproject:sssd:1.4.1 cpe:/a:fedoraproject:sssd:1.1.2 cpe:/a:fedoraproject:sssd:1.8.1 cpe:/a:fedoraproject:sssd:1.6.2 cpe:/a:fedoraproject:sssd:1.2.91 cpe:/a:fedoraproject:sssd:1.7.0 cpe:/a:fedoraproject:sssd:1.8.4 cpe:/a:fedoraproject:sssd:1.5.7 cpe:/a:fedoraproject:sssd:1.0.6 cpe:/a:fedoraproject:sssd:1.5.3 cpe:/a:fedoraproject:sssd:0.99.0 cpe:/a:fedoraproject:sssd:1.0.2 cpe:/a:fedoraproject:sssd:1.5.15 cpe:/a:fedoraproject:sssd:1.3.0 cpe:/a:fedoraproject:sssd:1.9.3 cpe:/a:fedoraproject:sssd:1.5.11 cpe:/a:fedoraproject:sssd:0.7.0 cpe:/a:fedoraproject:sssd:1.1.1 cpe:/a:fedoraproject:sssd:1.6.1 cpe:/a:fedoraproject:sssd:1.8.0:beta2 cpe:/a:fedoraproject:sssd:1.0.0 cpe:/o:redhat:enterprise_linux:5 cpe:/a:fedoraproject:sssd:1.5.6 cpe:/a:fedoraproject:sssd:1.5.6.1 cpe:/a:fedoraproject:sssd:1.1.0 cpe:/a:fedoraproject:sssd:1.2.4 cpe:/a:fedoraproject:sssd:0.3.3 cpe:/a:fedoraproject:sssd:1.0.1 cpe:/a:fedoraproject:sssd:1.8.0 cpe:/a:fedoraproject:sssd:1.9.2 cpe:/a:fedoraproject:sssd:1.5.9 cpe:/a:fedoraproject:sssd:1.5.8 cpe:/a:fedoraproject:sssd:1.2.0 cpe:/a:fedoraproject:sssd:0.2.1 cpe:/a:fedoraproject:sssd:1.5.12 cpe:/a:fedoraproject:sssd:1.5.10 cpe:/a:fedoraproject:sssd:0.99.1 cpe:/a:fedoraproject:sssd:1.5.14 cpe:/a:fedoraproject:sssd:1.8.2 cpe:/o:redhat:enterprise_linux:6 cpe:/a:fedoraproject:sssd:1.0.5 cpe:/a:fedoraproject:sssd:1.8.0:beta1 cpe:/a:fedoraproject:sssd:0.4.0 cpe:/a:fedoraproject:sssd:1.5.13 cpe:/a:fedoraproject:sssd:0.6.1 cpe:/a:fedoraproject:sssd:1.5.17 cpe:/a:fedoraproject:sssd:1.6.4 cpe:/a:fedoraproject:sssd:1.9.1 cpe:/a:fedoraproject:sssd:1.8.3 cpe:/a:fedoraproject:sssd:0.4.1 cpe:/a:fedoraproject:sssd:1.9.0 cpe:/a:fedoraproject:sssd:1.5.1 cpe:/a:fedoraproject:sssd:0.6.0 cpe:/a:fedoraproject:sssd:0.3.2 cpe:/a:fedoraproject:sssd:1.5.5 cpe:/a:fedoraproject:sssd:1.2.2 cpe:/a:fedoraproject:sssd:1.0.99 cpe:/a:fedoraproject:sssd:1.1.92 cpe:/a:fedoraproject:sssd:1.5.4 cpe:/a:fedoraproject:sssd:1.5.16 cpe:/a:fedoraproject:sssd:1.0.4 cpe:/a:fedoraproject:sssd:1.1.91 cpe:/a:fedoraproject:sssd:0.7.1 cpe:/a:fedoraproject:sssd:0.5.0 cpe:/a:fedoraproject:sssd:1.5.0 cpe:/a:fedoraproject:sssd:1.2.1 cpe:/a:fedoraproject:sssd:1.0.3 cpe:/a:fedoraproject:sssd:1.6.0 cpe:/a:fedoraproject:sssd:0.3.0

CVE-2013-0219

2013-02-24T14:55:01.237-05:00

2013-02-25T00:00:00.000-05:00

3.7

LOCAL

HIGH

NONE

PARTIAL

http://nvd.nist.gov

2013-02-25T14:18:00.000-05:00

CONFIRM https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.4 CONFIRM https://fedorahosted.org/sssd/ticket/1782 MISC https://bugzilla.redhat.com/show_bug.cgi?id=884254 BID 57539 SECUNIA 52315 SECUNIA 51928 REDHAT RHSA-2013:0508 FEDORA FEDORA-2013-1826 FEDORA FEDORA-2013-1795 CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=e864d914a44a37016736554e9257c06b18c57d37 CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=94cbf1cfb0f88c967f1fb0a4cf23723148868e4a CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=3843b284cd3e8f88327772ebebc7249990fd87b9 CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=020bf88fd1c5bdac8fc671b37c7118f5378c7047 System Security Services Daemon (SSSD) before 1.9.4, when (1) creating, (2) copying, or (3) removing a user home directory tree, allows local users to create, modify, or delete arbitrary files via a symlink attack on another user's files.

cpe:/a:fedoraproject:sssd:1.6.3 cpe:/a:fedoraproject:sssd:1.8.6 cpe:/a:fedoraproject:sssd:1.3.1 cpe:/a:fedoraproject:sssd:0.3.1 cpe:/a:fedoraproject:sssd:1.2.3 cpe:/a:fedoraproject:sssd:1.5.2 cpe:/a:fedoraproject:sssd:1.8.0:beta3 cpe:/a:fedoraproject:sssd:1.8.5 cpe:/a:fedoraproject:sssd:1.4.0 cpe:/a:fedoraproject:sssd:1.4.1 cpe:/a:fedoraproject:sssd:1.1.2 cpe:/a:fedoraproject:sssd:1.8.1 cpe:/a:fedoraproject:sssd:1.6.2 cpe:/a:fedoraproject:sssd:1.2.91 cpe:/a:fedoraproject:sssd:1.7.0 cpe:/a:fedoraproject:sssd:1.8.4 cpe:/a:fedoraproject:sssd:1.5.7 cpe:/a:fedoraproject:sssd:1.0.6 cpe:/a:fedoraproject:sssd:1.5.3 cpe:/a:fedoraproject:sssd:0.99.0 cpe:/a:fedoraproject:sssd:1.0.2 cpe:/a:fedoraproject:sssd:1.5.15 cpe:/a:fedoraproject:sssd:1.3.0 cpe:/a:fedoraproject:sssd:1.9.3 cpe:/a:fedoraproject:sssd:1.5.11 cpe:/a:fedoraproject:sssd:0.7.0 cpe:/a:fedoraproject:sssd:1.1.1 cpe:/a:fedoraproject:sssd:1.6.1 cpe:/a:fedoraproject:sssd:1.8.0:beta2 cpe:/a:fedoraproject:sssd:1.0.0 cpe:/a:fedoraproject:sssd:1.5.6 cpe:/a:fedoraproject:sssd:1.5.6.1 cpe:/a:fedoraproject:sssd:1.1.0 cpe:/a:fedoraproject:sssd:1.2.4 cpe:/a:fedoraproject:sssd:0.3.3 cpe:/a:fedoraproject:sssd:1.0.1 cpe:/a:fedoraproject:sssd:1.8.0 cpe:/a:fedoraproject:sssd:1.9.2 cpe:/a:fedoraproject:sssd:1.5.9 cpe:/a:fedoraproject:sssd:1.5.8 cpe:/a:fedoraproject:sssd:1.2.0 cpe:/a:fedoraproject:sssd:0.2.1 cpe:/a:fedoraproject:sssd:1.5.12 cpe:/a:fedoraproject:sssd:1.5.10 cpe:/a:fedoraproject:sssd:0.99.1 cpe:/a:fedoraproject:sssd:1.5.14 cpe:/a:fedoraproject:sssd:1.8.2 cpe:/a:fedoraproject:sssd:1.0.5 cpe:/a:fedoraproject:sssd:1.8.0:beta1 cpe:/a:fedoraproject:sssd:0.4.0 cpe:/a:fedoraproject:sssd:1.5.13 cpe:/a:fedoraproject:sssd:0.6.1 cpe:/a:fedoraproject:sssd:1.5.17 cpe:/a:fedoraproject:sssd:1.6.4 cpe:/a:fedoraproject:sssd:1.9.1 cpe:/a:fedoraproject:sssd:1.8.3 cpe:/a:fedoraproject:sssd:0.4.1 cpe:/a:fedoraproject:sssd:1.9.0 cpe:/a:fedoraproject:sssd:1.5.1 cpe:/a:fedoraproject:sssd:0.6.0 cpe:/a:fedoraproject:sssd:0.3.2 cpe:/a:fedoraproject:sssd:1.5.5 cpe:/a:fedoraproject:sssd:1.2.2 cpe:/a:fedoraproject:sssd:1.0.99 cpe:/a:fedoraproject:sssd:1.1.92 cpe:/a:fedoraproject:sssd:1.5.4 cpe:/a:fedoraproject:sssd:1.5.16 cpe:/a:fedoraproject:sssd:1.0.4 cpe:/a:fedoraproject:sssd:1.1.91 cpe:/a:fedoraproject:sssd:0.7.1 cpe:/a:fedoraproject:sssd:0.5.0 cpe:/a:fedoraproject:sssd:1.5.0 cpe:/a:fedoraproject:sssd:1.2.1 cpe:/a:fedoraproject:sssd:1.0.3 cpe:/a:fedoraproject:sssd:1.6.0 cpe:/a:fedoraproject:sssd:0.3.0

CVE-2013-0220

2013-02-24T14:55:01.300-05:00

2013-02-27T14:50:57.027-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-25T14:36:00.000-05:00

CONFIRM https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.4 CONFIRM https://fedorahosted.org/sssd/ticket/1781 MISC https://bugzilla.redhat.com/show_bug.cgi?id=884601 BID 57539 SECUNIA 52315 SECUNIA 51928 REDHAT RHSA-2013:0508 FEDORA FEDORA-2013-1826 FEDORA FEDORA-2013-1795 CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=30e2585dd46b62aa3a4abdf6de3f40a20e1743ab CONFIRM http://git.fedorahosted.org/cgit/sssd.git/commit/?id=2bd514cfde1938b1e245af11c9b548d58d49b325 The (1) sss_autofs_cmd_getautomntent and (2) sss_autofs_cmd_getautomntbyname function in responder/autofs/autofssrv_cmd.c and the (3) ssh_cmd_parse_request function in responder/ssh/sshsrv_cmd.c in System Security Services Daemon (SSSD) before 1.9.4 allow remote attackers to cause a denial of service (out-of-bounds read, crash, and restart) via a crafted SSSD packet.

cpe:/a:video_project:video:7.x-2.4 cpe:/a:video_project:video:7.x-2.0:alpha6 cpe:/a:video_project:video:7.x-2.3 cpe:/a:video_project:video:7.x-2.2:beta5 cpe:/a:video_project:video:7.x-2.2:beta3 cpe:/a:video_project:video:7.x-2.6 cpe:/a:video_project:video:7.x-2.1:alpha3 cpe:/a:video_project:video:7.x-2.1:alpha2 cpe:/a:video_project:video:7.x-2.2:beta4 cpe:/a:video_project:video:7.x-2.1:alpha1 cpe:/a:video_project:video:7.x-2.2:beta2 cpe:/a:video_project:video:7.x-2.5 cpe:/a:video_project:video:7.x-2.0:alpha2 cpe:/a:video_project:video:7.x-2.2 cpe:/a:video_project:video:7.x-2.0:alpha4 cpe:/a:video_project:video:7.x-2.x:dev cpe:/a:video_project:video:7.x-2.0:alpha1 cpe:/a:video_project:video:7.x-2.7 cpe:/a:video_project:video:7.x-2.0:alpha5 cpe:/a:video_project:video:7.x-2.0:alpha3 cpe:/a:video_project:video:7.x-2.2:beta1 cpe:/a:video_project:video:7.x-2.8

CVE-2013-0224

2013-03-19T10:55:02.657-04:00

2013-03-21T00:00:00.000-04:00

4.4

LOCAL

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-21T10:15:00.000-04:00

MISC https://drupal.org/node/1896714 CONFIRM https://drupal.org/node/1895234 MLIST [oss-security] 20130124 Re: CVE request for Drupal contributed modules The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFmpeg transcoder, allows local users to execute arbitrary PHP code by modifying a temporary PHP file.

cpe:/a:user_relationships_project:user_relationships:7.x-1.x:dev cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta1 cpe:/a:user_relationships_project:user_relationships:6.x-1.x:dev cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta7 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta4 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc2 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta6 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc5 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta10 cpe:/a:user_relationships_project:user_relationships:6.x-1.0 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta2 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta3 cpe:/a:user_relationships_project:user_relationships:7.x-1.0:alpha3 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc1 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc4 cpe:/a:user_relationships_project:user_relationships:7.x-1.0:alpha2 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta9 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc6 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:rc3 cpe:/a:user_relationships_project:user_relationships:6.x-1.3 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta8 cpe:/a:user_relationships_project:user_relationships:7.x-1.0:alpha1 cpe:/a:user_relationships_project:user_relationships:6.x-1.1 cpe:/a:user_relationships_project:user_relationships:7.x-1.0:alpha4 cpe:/a:user_relationships_project:user_relationships:6.x-1.2 cpe:/a:user_relationships_project:user_relationships:6.x-1.0:beta5

CVE-2013-0225

2013-03-19T10:55:02.673-04:00

2013-03-21T00:00:00.000-04:00

2.1

NETWORK

HIGH

SINGLE_INSTANCE

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-21T10:28:00.000-04:00

MISC https://drupal.org/node/1896720 CONFIRM https://drupal.org/node/1896276 CONFIRM https://drupal.org/node/1896272 MLIST [oss-security] 20130124 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/user_relationships.git/commitdiff/b9a4739 CONFIRM http://drupalcode.org/project/user_relationships.git/commitdiff/17e94b9 Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary web script or HTML via a relationship name.

cpe:/a:zugec_ivan:keyboard_shortcut_utility:7.x-1.0

CVE-2013-0226

2013-03-19T10:55:02.690-04:00

2013-03-21T10:45:15.390-04:00

6.0

NETWORK

MEDIUM

SINGLE_INSTANCE

PARTIAL

http://nvd.nist.gov

2013-03-21T10:41:00.000-04:00

CONFIRM https://drupal.org/node/1896752 MISC https://drupal.org/node/1896752 MLIST [oss-security] 20130124 Re: CVE request for Drupal contributed modules The Keyboard Shortcut Utility module 7.x-1.x before 7.x-1.1 for Drupal does not properly check node restrictions, which allows (1) remote authenticated users with the "view shortcuts" permission to read nodes or (2) remote authenticated users with the "admin shortcuts" permission to read, edit, or delete nodes via unspecified vectors.

cpe:/a:mathijs_koenraadt:search_api_sorts:7.x-1.x:dev cpe:/a:mathijs_koenraadt:search_api_sorts:7.x-1.3 cpe:/a:mathijs_koenraadt:search_api_sorts:7.x-1.0 cpe:/a:mathijs_koenraadt:search_api_sorts:7.x-1.2 cpe:/a:mathijs_koenraadt:search_api_sorts:7.x-1.1

CVE-2013-0227

2013-03-19T10:55:02.710-04:00

2013-03-21T00:00:00.000-04:00

2.1

NETWORK

HIGH

SINGLE_INSTANCE

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-21T10:39:00.000-04:00

MISC https://drupal.org/node/1896782 CONFIRM https://drupal.org/node/1896756 MLIST [oss-security] 20130124 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/search_api_sorts.git/commitdiff/f6cbf47 Cross-site scripting (XSS) vulnerability in the Search API Sorts module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified field labels.

cpe:/o:linux:linux_kernel:3.3.5 cpe:/o:linux:linux_kernel:3.0:rc4 cpe:/o:linux:linux_kernel:3.2.7 cpe:/o:linux:linux_kernel:3.0.32 cpe:/o:linux:linux_kernel:3.5.7 cpe:/o:linux:linux_kernel:3.5.4 cpe:/o:linux:linux_kernel:3.2.3 cpe:/o:linux:linux_kernel:3.7.8 cpe:/o:linux:linux_kernel:3.4.23 cpe:/o:linux:linux_kernel:3.2.26 cpe:/o:linux:linux_kernel:3.0.26 cpe:/o:linux:linux_kernel:3.4.13 cpe:/o:linux:linux_kernel:3.0.40 cpe:/o:linux:linux_kernel:3.6.9 cpe:/o:linux:linux_kernel:3.3.2 cpe:/o:linux:linux_kernel:3.7 cpe:/o:linux:linux_kernel:3.3.6 cpe:/o:linux:linux_kernel:3.0.16 cpe:/o:linux:linux_kernel:3.0.24 cpe:/o:linux:linux_kernel:3.4.22 cpe:/o:linux:linux_kernel:3.2.11 cpe:/o:linux:linux_kernel:3.1.4 cpe:/o:linux:linux_kernel:3.3:rc2 cpe:/o:linux:linux_kernel:3.0.39 cpe:/o:linux:linux_kernel:3.7.4 cpe:/o:linux:linux_kernel:3.4.16 cpe:/o:linux:linux_kernel:3.5.2 cpe:/o:linux:linux_kernel:3.3:rc3 cpe:/o:linux:linux_kernel:3.0.17 cpe:/o:linux:linux_kernel:3.0.27 cpe:/o:linux:linux_kernel:3.0.20 cpe:/o:linux:linux_kernel:3.1:rc3 cpe:/o:linux:linux_kernel:3.2.6 cpe:/o:linux:linux_kernel:3.4.9 cpe:/o:linux:linux_kernel:3.4.3 cpe:/o:linux:linux_kernel:3.0:rc1 cpe:/o:linux:linux_kernel:3.0.41 cpe:/o:linux:linux_kernel:3.7.7 cpe:/o:linux:linux_kernel:3.0.37 cpe:/o:linux:linux_kernel:3.1.9 cpe:/o:linux:linux_kernel:3.0.31 cpe:/o:linux:linux_kernel:3.0.38 cpe:/o:linux:linux_kernel:3.1.6 cpe:/o:linux:linux_kernel:3.4.5 cpe:/o:linux:linux_kernel:3.0:rc5 cpe:/o:linux:linux_kernel:3.2.27 cpe:/o:linux:linux_kernel:3.4.19 cpe:/o:linux:linux_kernel:3.2.15 cpe:/o:linux:linux_kernel:3.0.7 cpe:/o:linux:linux_kernel:3.0.1 cpe:/o:linux:linux_kernel:3.2.17 cpe:/o:linux:linux_kernel:3.0.5 cpe:/o:linux:linux_kernel:3.0.9 cpe:/o:linux:linux_kernel:3.7.6 cpe:/o:linux:linux_kernel:3.0.11 cpe:/o:linux:linux_kernel:3.7.1 cpe:/o:linux:linux_kernel:3.4.12 cpe:/o:linux:linux_kernel:3.0.13 cpe:/o:linux:linux_kernel:3.3.3 cpe:/o:linux:linux_kernel:3.0.34 cpe:/o:linux:linux_kernel:3.2.2 cpe:/o:linux:linux_kernel:3.2:rc5 cpe:/o:linux:linux_kernel:3.2.22 cpe:/o:linux:linux_kernel:3.0.8 cpe:/o:linux:linux_kernel:3.0.4 cpe:/o:linux:linux_kernel:3.2.9 cpe:/o:linux:linux_kernel:3.1:rc4 cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:3.0.42 cpe:/o:linux:linux_kernel:3.1:rc1 cpe:/o:linux:linux_kernel:3.4:rc1 cpe:/o:linux:linux_kernel:3.3 cpe:/o:linux:linux_kernel:3.4.14 cpe:/o:linux:linux_kernel:3.0.21 cpe:/o:linux:linux_kernel:3.2.14 cpe:/o:linux:linux_kernel:3.1.1 cpe:/o:linux:linux_kernel:3.0.22 cpe:/o:linux:linux_kernel:3.2:rc4 cpe:/o:linux:linux_kernel:3.6.10 cpe:/o:linux:linux_kernel:3.4.21 cpe:/o:linux:linux_kernel:3.1 cpe:/o:linux:linux_kernel:3.4.17 cpe:/o:linux:linux_kernel:3.5.6 cpe:/o:linux:linux_kernel:3.1.3 cpe:/o:linux:linux_kernel:3.0.29 cpe:/o:linux:linux_kernel:3.3:rc1 cpe:/o:linux:linux_kernel:3.0.33 cpe:/o:linux:linux_kernel:3.1.2 cpe:/o:linux:linux_kernel:3.2.13 cpe:/o:linux:linux_kernel:3.3:rc6 cpe:/o:linux:linux_kernel:3.3.4 cpe:/o:linux:linux_kernel:3.2.18 cpe:/o:linux:linux_kernel:3.0.12 cpe:/o:linux:linux_kernel:3.2.29 cpe:/o:linux:linux_kernel:3.2.24 cpe:/o:linux:linux_kernel:3.0:rc3 cpe:/o:linux:linux_kernel:3.2.12 cpe:/o:linux:linux_kernel:3.0.19 cpe:/o:linux:linux_kernel:3.0.3 cpe:/o:linux:linux_kernel:3.2.25 cpe:/o:linux:linux_kernel:3.2:rc7 cpe:/o:linux:linux_kernel:3.4:rc7 cpe:/o:linux:linux_kernel:3.0.36 cpe:/o:linux:linux_kernel:3.4.4 cpe:/o:linux:linux_kernel:3.2.23 cpe:/o:linux:linux_kernel:3.4:rc6 cpe:/o:linux:linux_kernel:3.2.16 cpe:/o:linux:linux_kernel:3.0.10 cpe:/o:linux:linux_kernel:3.0.35 cpe:/o:linux:linux_kernel:3.5.3 cpe:/o:linux:linux_kernel:3.2:rc6 cpe:/o:linux:linux_kernel:3.1.7 cpe:/o:linux:linux_kernel:3.0.30 cpe:/o:linux:linux_kernel:3.1.5 cpe:/o:linux:linux_kernel:3.4.11 cpe:/o:linux:linux_kernel:3.5.5 cpe:/o:linux:linux_kernel:3.4.10 cpe:/o:linux:linux_kernel:3.2:rc2 cpe:/o:linux:linux_kernel:3.3.1 cpe:/o:linux:linux_kernel:3.6.11 cpe:/o:linux:linux_kernel:3.3:rc4 cpe:/o:linux:linux_kernel:3.0.28 cpe:/o:linux:linux_kernel:3.3:rc7 cpe:/o:linux:linux_kernel:3.3.7 cpe:/o:linux:linux_kernel:3.1.10 cpe:/o:linux:linux_kernel:3.3:rc5 cpe:/o:linux:linux_kernel:3.4.8 cpe:/o:linux:linux_kernel:3.0.14 cpe:/o:linux:linux_kernel:3.7.2 cpe:/o:linux:linux_kernel:3.2:rc3 cpe:/o:linux:linux_kernel:3.0.23 cpe:/o:linux:linux_kernel:3.0:rc2 cpe:/o:linux:linux_kernel:3.4.20 cpe:/o:linux:linux_kernel:3.3.8 cpe:/o:linux:linux_kernel:3.4.2 cpe:/o:linux:linux_kernel:3.0.2 cpe:/o:linux:linux_kernel:3.7.3 cpe:/o:linux:linux_kernel:3.5.1 cpe:/o:linux:linux_kernel:3.1:rc2 cpe:/o:linux:linux_kernel:3.2.30 cpe:/o:linux:linux_kernel:3.0.6 cpe:/o:linux:linux_kernel:3.0.15 cpe:/o:linux:linux_kernel:3.2.1 cpe:/o:linux:linux_kernel:3.0.44 cpe:/o:linux:linux_kernel:3.2.28 cpe:/o:linux:linux_kernel:3.4:rc2 cpe:/o:linux:linux_kernel:3.4.24 cpe:/o:linux:linux_kernel:3.2.8 cpe:/o:linux:linux_kernel:3.4:rc4 cpe:/o:linux:linux_kernel:3.2.5 cpe:/o:linux:linux_kernel:3.4.15 cpe:/o:linux:linux_kernel:3.2.19 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.4.1 cpe:/o:linux:linux_kernel:3.0.43 cpe:/o:linux:linux_kernel:3.0.25 cpe:/o:linux:linux_kernel:3.1.8 cpe:/o:linux:linux_kernel:3.4:rc3 cpe:/o:linux:linux_kernel:3.4.7 cpe:/o:linux:linux_kernel:3.2.4 cpe:/o:linux:linux_kernel:3.2.10 cpe:/o:linux:linux_kernel:3.0.18 cpe:/o:linux:linux_kernel:3.4.6 cpe:/o:linux:linux_kernel:3.4:rc5 cpe:/o:linux:linux_kernel:3.2.20 cpe:/o:linux:linux_kernel:3.2.21 cpe:/o:linux:linux_kernel:3.4.18 cpe:/o:linux:linux_kernel:3.0:rc6 cpe:/o:linux:linux_kernel:3.7.5 cpe:/o:linux:linux_kernel:3.0:rc7

CVE-2013-0228

2013-03-01T07:37:54.100-05:00

2013-06-04T23:40:36.447-04:00

6.2

LOCAL

HIGH

NONE

COMPLETE

http://nvd.nist.gov

2013-03-04T11:04:00.000-05:00

CONFIRM https://github.com/torvalds/linux/commit/13d2b4d11d69a92574a55bfd985cfb0ca77aebdc CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=906309 UBUNTU USN-1808-1 UBUNTU USN-1805-1 UBUNTU USN-1797-1 UBUNTU USN-1796-1 UBUNTU USN-1795-1 MLIST [oss-security] 20130213 Xen Security Advisory 42 (CVE-2013-0228) - Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS. CONFIRM http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.9 CONFIRM http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13d2b4d11d69a92574a55bfd985cfb0ca77aebdc The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.

cpe:/a:miniupnp_project:miniupnpd:1.2 cpe:/a:miniupnp_project:miniupnpd:1.1 cpe:/a:miniupnp_project:miniupnpd:1.3 cpe:/a:miniupnp_project:miniupnpd:1.0

CVE-2013-0229

2013-01-31T16:55:01.490-05:00

2013-02-01T00:00:00.000-05:00

7.8

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-01T14:06:00.000-05:00

MISC https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf MISC https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.

cpe:/a:miniupnp_project:miniupnpd:1.0

CVE-2013-0230

2013-01-31T16:55:01.520-05:00

2013-02-01T14:17:26.863-05:00

10.0

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-01T14:16:00.000-05:00

MISC https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf MISC https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.

cpe:/o:xen:xen:3.0.2 cpe:/o:xen:xen:3.2.2 cpe:/o:xen:xen:3.2.3 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:xen:xen:3.2.0 cpe:/o:xen:xen:3.0.3 cpe:/o:xen:xen:3.0.4 cpe:/o:linux:linux_kernel:3.8 cpe:/o:xen:xen:3.1.3 cpe:/o:xen:xen:3.2.1 cpe:/o:xen:xen:3.1.4

CVE-2013-0231

2013-02-12T20:55:03.497-05:00

2013-06-04T23:40:36.663-04:00

4.9

LOCAL

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:30:00.000-05:00

XF xen-pcibackenablemsi-dos(81923) BID 57740 MLIST [oss-security] 20130205 Xen Security Advisory 43 (CVE-2013-0231) - Linux pciback DoS via not rate limited log messages. DEBIAN DSA-2632 SECUNIA 52059 OSVDB 89903 SUSE SUSE-SU-2013:0674 SUSE openSUSE-SU-2013:0395 The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.

cpe:/a:zoneminder:zoneminder:1.24.0 cpe:/a:zoneminder:zoneminder:1.24.4 cpe:/a:zoneminder:zoneminder:1.24.1 cpe:/a:zoneminder:zoneminder:1.25.0 cpe:/a:zoneminder:zoneminder:1.24.3 cpe:/a:zoneminder:zoneminder:1.24.2

CVE-2013-0232

2013-03-20T11:55:00.910-04:00

2013-03-21T00:00:00.000-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-21T12:27:00.000-04:00

MISC http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771 OSVDB 89529 MLIST [oss-security] 20130128 Re: CVE Request: zoneminder: arbitrary command execution vulnerability EXPLOIT-DB 24310 DEBIAN DSA-2640 MISC http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/ MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910 includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

cpe:/a:plataformatec:devise:1.5.1 cpe:/a:plataformatec:devise:2.0.0 cpe:/a:plataformatec:devise:2.2.2 cpe:/a:plataformatec:devise:2.1.0 cpe:/a:plataformatec:devise:1.5.3 cpe:/a:plataformatec:devise:2.2.0 cpe:/a:plataformatec:devise:2.0.4 cpe:/a:plataformatec:devise:1.5.0 cpe:/a:plataformatec:devise:2.0.1 cpe:/a:plataformatec:devise:2.0.2 cpe:/o:novell:opensuse:12.2 cpe:/a:plataformatec:devise:2.1.1 cpe:/a:plataformatec:devise:1.5.2 cpe:/a:plataformatec:devise:2.0.3 cpe:/a:plataformatec:devise:2.1.2 cpe:/a:plataformatec:devise:2.2.1

CVE-2013-0233

2013-04-25T19:55:01.460-04:00

2013-05-01T00:00:00.000-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-04-26T10:12:00.000-04:00

MISC https://github.com/Snorby/snorby/issues/261 BID 57577 MISC http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html MLIST [oss-security] 20130128 Re: CVE request for 'devise' ruby gem MISC http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset SUSE openSUSE-SU-2013:0374 CONFIRM http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/ Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

cpe:/a:ircd-hybrid:ircd-hybrid:8.0.0:rc1 cpe:/a:ircd-hybrid:ircd-hybrid:7.3.0 cpe:/a:ircd-hybrid:ircd-hybrid:7.2.2 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.5 cpe:/a:ircd-hybrid:ircd-hybrid:7.2.3 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.0:beta2 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.0:beta1 cpe:/a:ircd-hybrid:ircd-hybrid:7.2.1 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.4 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.0 cpe:/a:ircd-hybrid:ircd-hybrid:7.2.0 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.2 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.0:beta3 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.1 cpe:/a:ircd-hybrid:ircd-hybrid:7.3.1 cpe:/a:ircd-hybrid:ircd-hybrid:7.3.0:rc1 cpe:/a:ircd-hybrid:ircd-hybrid:8.0.3

CVE-2013-0238

2013-02-12T20:55:04.090-05:00

2013-02-13T00:00:00.000-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-13T10:15:00.000-05:00

XF ircdhybrid-tryparsev4netmask-dos(81695) BID 57610 MLIST [oss-security] 20130129 ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask() DEBIAN DSA-2618 CONFIRM http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786 SECUNIA 52106 SECUNIA 51948 OSVDB 89623 CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699267 The try_parse_v4_netmask function in hostmask.c in IRCD-Hybrid before 8.0.6 does not properly validate masks, which allows remote attackers to cause a denial of service (crash) via a mask that causes a negative number to be parsed.

cpe:/a:apache:cxf:2.6.5 cpe:/a:apache:cxf:2.5.0 cpe:/a:apache:cxf:2.6.2 cpe:/a:apache:cxf:2.5.5 cpe:/a:apache:cxf:2.5.3 cpe:/a:apache:cxf:2.5.4 cpe:/a:apache:cxf:2.5.8 cpe:/a:apache:cxf:2.6.4 cpe:/a:apache:cxf:2.4.3 cpe:/a:apache:cxf:2.4.7 cpe:/a:apache:cxf:2.7.0 cpe:/a:apache:cxf:2.4.5 cpe:/a:apache:cxf:2.4.6 cpe:/a:apache:cxf:2.7.2 cpe:/a:apache:cxf:2.6.0 cpe:/a:apache:cxf:2.5.1 cpe:/a:apache:cxf:2.5.6 cpe:/a:apache:cxf:2.5.2 cpe:/a:apache:cxf:2.4.1 cpe:/a:apache:cxf:2.4.2 cpe:/a:apache:cxf:2.6.1 cpe:/a:apache:cxf:2.5.7 cpe:/a:apache:cxf:2.4.0 cpe:/a:apache:cxf:2.7.1 cpe:/a:apache:cxf:2.4.4 cpe:/a:apache:cxf:2.6.3

CVE-2013-0239

2013-03-12T19:55:01.690-04:00

2013-06-04T23:40:37.337-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-19T10:22:00.000-04:00

CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1438424 XF apachecxf-username-tokens-sec-bypass(81981) BID 57876 SECUNIA 51988 FULLDISC 20130208 New security advisories for Apache CXF REDHAT RHSA-2013:0749 MISC http://packetstormsecurity.com/files/120214/Apache-CXF-WS-Security-UsernameToken-Bypass.html OSVDB 90078 CONFIRM http://cxf.apache.org/cve-2013-0239.html Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.

cpe:/o:canonical:ubuntu_linux:11.10 cpe:/a:gnome:gnome_online_accounts:3.7.1 cpe:/a:gnome:gnome_online_accounts:3.6.1 cpe:/a:gnome:gnome_online_accounts:3.7.2 cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/a:gnome:gnome_online_accounts:3.4.0 cpe:/a:gnome:gnome_online_accounts:3.7.4 cpe:/a:gnome:gnome_online_accounts:3.6.2 cpe:/a:gnome:gnome_online_accounts:3.7.3 cpe:/a:gnome:gnome_online_accounts:3.4.1 cpe:/o:canonical:ubuntu_linux:12.10 cpe:/a:gnome:gnome_online_accounts:3.6.0

CVE-2013-0240

2013-04-01T23:22:21.037-04:00

2013-04-02T00:00:00.000-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-02T09:57:00.000-04:00

MLIST [gnome-announce-list] 20130304 GNOME Online Accounts 3.6.3 released CONFIRM https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e CONFIRM https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f CONFIRM https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1 MISC https://bugzilla.redhat.com/show_bug.cgi?id=894352 CONFIRM https://bugzilla.gnome.org/show_bug.cgi?id=693214 UBUNTU USN-1779-1 SECUNIA 52791 SECUNIA 51976 SUSE openSUSE-SU-2013:0301 Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.

cpe:/o:canonical:ubuntu_linux:11.10 cpe:/o:redhat:enterprise_linux_server:6.0 cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/o:redhat:enterprise_linux_workstation:6.0 cpe:/o:qxl_graphics_driver_project:xf86-video-qxl:0.1.0 cpe:/o:redhat:enterprise_linux_desktop:6.0

CVE-2013-0241

2013-02-12T20:55:04.137-05:00

2013-02-13T00:00:00.000-05:00

2.1

LOCAL

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-13T10:35:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=906032 XF qxl-virtual-spice-dos(81704) UBUNTU USN-1714-1 MLIST [oss-security] 20130130 Re: CVE request -- qxl: synchronous io guest DoS MLIST [oss-security] 20130130 CVE request -- qxl: synchronous io guest DoS SECUNIA 52021 REDHAT RHSA-2013:0218 The QXL display driver in QXL Virtual GPU 0.1.0 allows local users to cause a denial of service (guest crash or hang) via a SPICE connection that prevents other threads from obtaining the qemu_mutex mutex. NOTE: some of these details are obtained from third party information.

cpe:/a:gnu:glibc:2.17

CVE-2013-0242

2013-02-08T15:55:01.483-05:00

2013-04-30T23:22:47.443-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-11T12:56:00.000-05:00

MISC http://sourceware.org/bugzilla/show_bug.cgi?id=15078 XF glibc-extendbuffers-dos(81707) SECTRACK 1028063 BID 57638 MLIST [oss-security] 20130130 Re: CVE Request -- glibc: DoS due to a buffer overrun in regexp matcher by processing multibyte characters MLIST [libc-alpha] 20130129 [PATCH] Fix buffer overrun in regexp matcher SECUNIA 51951 REDHAT RHSA-2013:0769 OSVDB 89747 Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

cpe:/o:canonical:ubuntu_linux:12.04:-:lts cpe:/a:openstack:grizzly:1 cpe:/a:openstack:essex:2012.1 cpe:/a:openstack:essex:2012.1.3 cpe:/a:openstack:grizzly:-:rc1 cpe:/o:canonical:ubuntu_linux:12.10

CVE-2013-0247

2013-02-24T14:55:01.360-05:00

2013-02-26T00:00:00.000-05:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-25T14:40:00.000-05:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=906171 CONFIRM https://bugs.launchpad.net/keystone/+bug/1098307 UBUNTU USN-1715-1 BID 57747 REDHAT RHSA-2013:0253 FEDORA FEDORA-2013-2168 OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.

cpe:/a:apache:commons_fileupload:1.2.1 cpe:/a:apache:commons_fileupload:1.1 cpe:/a:apache:commons_fileupload:1.0 cpe:/a:apache:commons_fileupload:1.2 cpe:/a:apache:commons_fileupload:1.2.2 cpe:/a:apache:commons_fileupload:1.1.1

CVE-2013-0248

2013-03-15T16:55:10.553-04:00

2013-03-18T00:00:00.000-04:00

3.3

LOCAL

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-18T13:11:00.000-04:00

OSVDB 90906 BUGTRAQ 20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

cpe:/a:haxx:curl:7.28.1 cpe:/a:haxx:libcurl:7.28.1 cpe:/a:haxx:libcurl:7.28.0 cpe:/a:haxx:libcurl:7.26.0 cpe:/a:haxx:curl:7.28.0 cpe:/o:ubuntu:ubuntu:12.10 cpe:/a:haxx:libcurl:7.27.0 cpe:/a:haxx:curl:7.27.0 cpe:/a:haxx:curl:7.26.0

CVE-2013-0249

2013-03-08T17:55:01.123-05:00

2013-05-07T00:00:00.000-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-03-18T13:23:00.000-04:00

UBUNTU USN-1721-1 SECTRACK 1028093 OSVDB 89988 EXPLOIT-DB 24487 MISC http://packetstormsecurity.com/files/120170/Slackware-Security-Advisory-curl-Updates.html MISC http://packetstormsecurity.com/files/120147/cURL-Buffer-Overflow.html MISC http://nakedsecurity.sophos.com/2013/02/10/anatomy-of-a-vulnerability-curl-web-download-toolkit-holed-by-authentication-bug/ FEDORA FEDORA-2013-2098 CONFIRM http://curl.haxx.se/docs/adv_20130206.html MISC http://blog.volema.com/curl-rce.html Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.

cpe:/a:debian:latd:1.27 cpe:/a:debian:latd:1.26 cpe:/a:debian:latd:1.25 cpe:/a:debian:latd:1.28 cpe:/a:debian:latd:1.30 cpe:/a:debian:latd:1.29

CVE-2013-0251

2013-03-19T10:55:02.730-04:00

2013-03-21T08:00:26.770-04:00

10.0

NETWORK

LOW

NONE

COMPLETE

http://nvd.nist.gov

2013-03-21T07:52:00.000-04:00

MLIST [oss-security] 20130205 Re: CVE id request: latd MLIST [oss-security] 20130203 Re: CVE id request: latd MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699625 Stack-based buffer overflow in llogincircuit.cc in latd 1.25 through 1.30 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the llogin version.

cpe:/a:boost:boost:1.51.0 cpe:/a:boost:boost:1.49.0 cpe:/a:boost:boost:1.48.0 cpe:/a:boost:boost:1.52.0 cpe:/a:boost:boost:1.50.0

CVE-2013-0252

2013-03-12T18:55:01.707-04:00

2013-03-18T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-18T16:20:00.000-04:00

CONFIRM https://svn.boost.org/trac/boost/ticket/7743 MISC https://bugzilla.redhat.com/show_bug.cgi?id=907481 UBUNTU USN-1727-1 BID 57675 MLIST [oss-security] 20130203 Re: CVE id request: boost CONFIRM http://www.boost.org/users/news/boost_locale_security_notice.html FEDORA FEDORA-2013-2448 FEDORA FEDORA-2013-2420 MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699650 MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699649 boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.

cpe:/a:apache:maven:3.0.4

CVE-2013-0253

2013-04-09T16:55:01.617-04:00

2013-04-10T00:00:00.000-04:00

5.8

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-04-10T09:28:00.000-04:00

CONFIRM https://maven.apache.org/security.html CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=917084 REDHAT RHSA-2013:0700 The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

cpe:/a:digia:qt:4.5.2 cpe:/a:digia:qt:2.0.0 cpe:/a:digia:qt:5.0.0 cpe:/a:digia:qt:4.7.6 cpe:/a:digia:qt:4.6.1 cpe:/a:digia:qt:4.8.0 cpe:/a:digia:qt:4.2.1 cpe:/a:digia:qt:4.1.5 cpe:/a:digia:qt:4.3.5 cpe:/a:digia:qt:4.1.1 cpe:/a:digia:qt:3.3.2 cpe:/a:digia:qt:5.0.1 cpe:/a:digia:qt:4.8.5 cpe:/a:digia:qt:1.44 cpe:/a:digia:qt:4.5.3 cpe:/a:digia:qt:4.1.4 cpe:/a:digia:qt:4.0.0 cpe:/a:digia:qt:4.7.3 cpe:/a:digia:qt:4.5.0 cpe:/a:digia:qt:4.7.1 cpe:/a:digia:qt:4.6.2 cpe:/a:digia:qt:4.2.3 cpe:/a:digia:qt:4.6.3 cpe:/a:digia:qt:4.1.0 cpe:/a:digia:qt:3.3.6 cpe:/a:digia:qt:3.3.4 cpe:/a:digia:qt:3.3.3 cpe:/a:digia:qt:4.3.0 cpe:/a:digia:qt:1.41 cpe:/a:digia:qt:4.8.3 cpe:/a:digia:qt:4.8.2 cpe:/a:digia:qt:4.7.5 cpe:/a:digia:qt:4.4.1 cpe:/a:digia:qt:4.8.4 cpe:/a:digia:qt:3.3.1 cpe:/a:digia:qt:4.6.0 cpe:/a:digia:qt:4.8.1 cpe:/a:digia:qt:4.5.1 cpe:/a:digia:qt:4.6.4 cpe:/a:digia:qt:4.1.2 cpe:/a:digia:qt:4.4.2 cpe:/a:digia:qt:4.3.4 cpe:/a:digia:qt:4.2.0 cpe:/a:digia:qt:2.0.2 cpe:/a:digia:qt:4.3.3 cpe:/a:digia:qt:2.0.1 cpe:/a:digia:qt:4.4.3 cpe:/a:digia:qt:4.3.2 cpe:/a:digia:qt:4.4.0 cpe:/a:digia:qt:1.42 cpe:/a:digia:qt:4.7.0 cpe:/a:digia:qt:3.3.5 cpe:/a:digia:qt:4.7.4 cpe:/a:digia:qt:4.3.1 cpe:/a:digia:qt:3.3.0 cpe:/a:digia:qt:4.7.2 cpe:/a:digia:qt:4.6.5 cpe:/a:digia:qt:4.1.3 cpe:/a:digia:qt:1.43 cpe:/a:digia:qt:4.0.1 cpe:/a:digia:qt:1.45

CVE-2013-0254

2013-02-06T07:05:43.647-05:00

2013-05-14T23:34:05.970-04:00

3.6

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-06T14:03:00.000-05:00

MLIST [qt-announce] 20130205 [Announce] [CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=907425 REDHAT RHSA-2013:0669 SUSE openSUSE-SU-2013:0411 SUSE openSUSE-SU-2013:0404 SUSE openSUSE-SU-2013:0403 The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.

cpe:/a:postgresql:postgresql:8.3.1 cpe:/a:postgresql:postgresql:9.1.5 cpe:/a:postgresql:postgresql:9.1.7 cpe:/a:postgresql:postgresql:9.0.10 cpe:/a:postgresql:postgresql:8.4.5 cpe:/a:postgresql:postgresql:8.3.2 cpe:/a:postgresql:postgresql:8.3.15 cpe:/a:postgresql:postgresql:8.3.3 cpe:/a:postgresql:postgresql:8.3.17 cpe:/a:postgresql:postgresql:8.3.12 cpe:/a:postgresql:postgresql:8.4.8 cpe:/a:postgresql:postgresql:8.4 cpe:/a:postgresql:postgresql:8.4.11 cpe:/a:postgresql:postgresql:8.4.4 cpe:/a:postgresql:postgresql:9.0.8 cpe:/a:postgresql:postgresql:8.3.5 cpe:/a:postgresql:postgresql:9.0.9 cpe:/a:postgresql:postgresql:8.4.14 cpe:/a:postgresql:postgresql:9.0.2 cpe:/a:postgresql:postgresql:8.3.16 cpe:/a:postgresql:postgresql:9.1 cpe:/a:postgresql:postgresql:8.3.4 cpe:/a:postgresql:postgresql:8.4.7 cpe:/a:postgresql:postgresql:9.0 cpe:/a:postgresql:postgresql:8.3.13 cpe:/a:postgresql:postgresql:8.3 cpe:/a:postgresql:postgresql:8.3.8 cpe:/a:postgresql:postgresql:9.1.1 cpe:/a:postgresql:postgresql:9.0.4 cpe:/a:postgresql:postgresql:9.0.5 cpe:/a:postgresql:postgresql:8.3.21 cpe:/a:postgresql:postgresql:9.0.7 cpe:/a:postgresql:postgresql:8.3.7 cpe:/a:postgresql:postgresql:8.3.19 cpe:/a:postgresql:postgresql:9.0.6 cpe:/a:postgresql:postgresql:8.4.9 cpe:/a:postgresql:postgresql:8.4.12 cpe:/a:postgresql:postgresql:8.4.10 cpe:/a:postgresql:postgresql:9.1.4 cpe:/a:postgresql:postgresql:8.3.11 cpe:/a:postgresql:postgresql:8.3.20 cpe:/a:postgresql:postgresql:8.3.9 cpe:/a:postgresql:postgresql:9.1.2 cpe:/a:postgresql:postgresql:8.4.3 cpe:/a:postgresql:postgresql:8.4.1 cpe:/a:postgresql:postgresql:8.4.15 cpe:/a:postgresql:postgresql:8.3.14 cpe:/a:postgresql:postgresql:9.0.11 cpe:/a:postgresql:postgresql:8.3.18 cpe:/a:postgresql:postgresql:8.4.13 cpe:/a:postgresql:postgresql:8.3.6 cpe:/a:postgresql:postgresql:8.4.2 cpe:/a:postgresql:postgresql:9.0.3 cpe:/a:postgresql:postgresql:8.4.6 cpe:/a:postgresql:postgresql:9.0.1 cpe:/a:postgresql:postgresql:9.1.3 cpe:/a:postgresql:postgresql:8.3.22 cpe:/a:postgresql:postgresql:9.1.6 cpe:/a:postgresql:postgresql:8.3.10

CVE-2013-0255

2013-02-12T20:55:04.590-05:00

2013-04-05T23:13:53.433-04:00

6.8

NETWORK

LOW

SINGLE_INSTANCE

NONE

COMPLETE

http://nvd.nist.gov

2013-02-13T10:59:00.000-05:00

CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=907892 CONFIRM https://blogs.oracle.com/sunsecurity/entry/cve_2013_0255_array_index XF postgresql-enumrecv-dos(81917) UBUNTU USN-1717-1 BID 57844 CONFIRM http://www.postgresql.org/docs/9.2/static/release-9-2-3.html CONFIRM http://www.postgresql.org/docs/9.1/static/release-9-1-8.html CONFIRM http://www.postgresql.org/docs/9.0/static/release-9-0-12.html CONFIRM http://www.postgresql.org/docs/8.4/static/release-8-4-16.html CONFIRM http://www.postgresql.org/docs/8.3/static/release-8-3-23.html DEBIAN DSA-2630 SECUNIA 52819 SECUNIA 51923 OSVDB 89935 SUSE openSUSE-SU-2013:0319 SUSE openSUSE-SU-2013:0318 FEDORA FEDORA-2013-2123 PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.

cpe:/a:ruby-lang:ruby:1.9.3:p194 cpe:/a:ruby-lang:ruby:1.9.1 cpe:/a:ruby-lang:ruby:1.9.3 cpe:/a:dave_thomas:rdoc:3.12 cpe:/a:ruby-lang:ruby:1.9.3:p0 cpe:/a:ruby-lang:ruby:2.0.0 cpe:/a:ruby-lang:ruby:2.0.0:rc2 cpe:/a:ruby-lang:ruby:1.9.3:p383 cpe:/a:dave_thomas:rdoc:4.0.0 cpe:/a:ruby-lang:ruby:1.9 cpe:/a:ruby-lang:ruby:2.0.0:rc1 cpe:/a:dave_thomas:rdoc:2.3.0 cpe:/a:ruby-lang:ruby:1.9.3:p286 cpe:/a:ruby-lang:ruby:1.9.3:p125 cpe:/a:ruby-lang:ruby:2.0 cpe:/a:ruby-lang:ruby:1.9.2

CVE-2013-0256

2013-03-01T00:40:17.583-05:00

2013-06-04T23:40:39.333-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-01T11:57:00.000-05:00

CONFIRM https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60 MISC https://bugzilla.redhat.com/show_bug.cgi?id=907820 UBUNTU USN-1733-1 CONFIRM http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/ SECUNIA 52774 REDHAT RHSA-2013:0728 REDHAT RHSA-2013:0701 REDHAT RHSA-2013:0686 REDHAT RHSA-2013:0548 SUSE openSUSE-SU-2013:0303 SUSE SUSE-SU-2013:0647 MISC http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2 darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

cpe:/a:david_alkire:email2image:6.x-2.x cpe:/a:david_alkire:email2image:6.x-1.x

CVE-2013-0257

2013-03-27T17:55:02.127-04:00

2013-03-28T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-28T10:17:00.000-04:00

MISC http://drupal.org/node/1903264 MLIST [oss-security] 20130204 Re: CVE request for Drupal contributed modules The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.

cpe:/a:google_authenticator_login_project:ga_login:7.x-1.1 cpe:/a:google_authenticator_login_project:ga_login:7.x-1.0:dev cpe:/a:google_authenticator_login_project:ga_login:7.x-1.0:beta1 cpe:/a:google_authenticator_login_project:ga_login:7.x-1.0 cpe:/a:google_authenticator_login_project:ga_login:7.x-1.2

CVE-2013-0258

2013-03-27T17:55:02.143-04:00

2013-04-05T00:00:00.000-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-28T10:42:00.000-04:00

CONFIRM http://drupalcode.org/project/ga_login.git/commitdiff/50b032d MISC http://drupal.org/node/1903282 CONFIRM http://drupal.org/node/1902102 MLIST [oss-security] 20130204 Re: CVE request for Drupal contributed modules The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username.

cpe:/a:boxes_project:boxes:7.x-1.0:beta2 cpe:/a:boxes_project:boxes:7.x-1.0 cpe:/a:boxes_project:boxes:7.x-1.0:beta3 cpe:/a:boxes_project:boxes:7.x-1.0:beta7 cpe:/a:boxes_project:boxes:7.x-1.0:beta6 cpe:/a:boxes_project:boxes:7.x-1.0:beta4 cpe:/a:boxes_project:boxes:7.x-1.0:beta1 cpe:/a:boxes_project:boxes:7.x-1.0:beta5 cpe:/a:boxes_project:boxes:7.x-1.x:dev cpe:/a:boxes_project:boxes:7.x-1.0:beta8

CVE-2013-0259

2013-03-27T17:55:02.160-04:00

2013-03-28T00:00:00.000-04:00

2.1

NETWORK

HIGH

SINGLE_INSTANCE

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-28T10:42:00.000-04:00

MISC http://drupal.org/node/1903300 MLIST [oss-security] 20130204 Re: CVE request for Drupal contributed modules CONFIRM http://drupalcode.org/project/boxes.git/commitdiff/456ff8e CONFIRM http://drupal.org/node/1897016 Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.

cpe:/a:elliot_pahl:drush_debian_packaging:-

CVE-2013-0260

2013-03-27T17:55:02.177-04:00

2013-03-28T00:00:00.000-04:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-28T10:48:00.000-04:00

MLIST [oss-security] 20130204 Re: CVE request for Drupal contributed modules MISC http://drupal.org/node/1903324 Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.

cpe:/a:openstack:folsom:- cpe:/a:openstack:essex:-

CVE-2013-0261

2013-03-08T16:55:01.947-05:00

2013-03-18T00:00:00.000-04:00

4.4

LOCAL

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-03-18T11:02:00.000-04:00

MISC https://bugzilla.redhat.com/show_bug.cgi?id=908101 REDHAT RHSA-2013:0595 (1) installer/basedefs.py and (2) modules/ospluginutils.py in PackStack allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

cpe:/a:rack_project:rack:1.4.3 cpe:/a:rack_project:rack:1.4.4 cpe:/a:rack_project:rack:1.5.0 cpe:/a:rack_project:rack:1.4.1 cpe:/a:rack_project:rack:1.5.1 cpe:/a:rack_project:rack:1.4.0 cpe:/a:rack_project:rack:1.4.2

CVE-2013-0262

2013-02-08T15:55:01.577-05:00

2013-05-14T23:34:06.830-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-11T12:59:00.000-05:00

CONFIRM https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ CONFIRM https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ CONFIRM https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30 MISC https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56 MISC https://gist.github.com/rentzsch/4736940 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=909072 MISC https://bugzilla.redhat.com/show_bug.cgi?id=909071 SECUNIA 52033 CONFIRM http://rack.github.com/ SUSE openSUSE-SU-2013:0462 rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

cpe:/a:rack_project:rack:1.3.6 cpe:/a:rack_project:rack:1.1.0 cpe:/a:rack_project:rack:1.1.6 cpe:/a:rack_project:rack:1.3.1 cpe:/a:rack_project:rack:1.1.4 cpe:/a:rack_project:rack:1.2.7 cpe:/a:rack_project:rack:1.4.2 cpe:/a:rack_project:rack:1.2.0 cpe:/a:rack_project:rack:1.2.1 cpe:/a:rack_project:rack:1.4.1 cpe:/a:rack_project:rack:1.5.1 cpe:/a:rack_project:rack:1.3.9 cpe:/a:rack_project:rack:1.4.0 cpe:/a:rack_project:rack:1.3.0 cpe:/a:rack_project:rack:1.3.4 cpe:/a:rack_project:rack:1.4.3 cpe:/a:rack_project:rack:1.4.4 cpe:/a:rack_project:rack:1.3.5 cpe:/a:rack_project:rack:1.2.6 cpe:/a:rack_project:rack:1.3.8 cpe:/a:rack_project:rack:1.2.2 cpe:/a:rack_project:rack:1.2.4 cpe:/a:rack_project:rack:1.2.3 cpe:/a:rack_project:rack:1.3.2 cpe:/a:rack_project:rack:1.5.0 cpe:/a:rack_project:rack:1.3.7 cpe:/a:rack_project:rack:1.1.5 cpe:/a:rack_project:rack:1.3.3

CVE-2013-0263

2013-02-08T15:55:01.640-05:00

2013-05-14T23:34:06.907-04:00

5.1

NETWORK

HIGH

NONE

PARTIAL

http://nvd.nist.gov

2013-02-11T13:10:00.000-05:00

MISC https://twitter.com/coda/statuses/299732877745197056 CONFIRM https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ CONFIRM https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ CONFIRM https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ CONFIRM https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ CONFIRM https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J CONFIRM https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11 CONFIRM https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 MISC https://gist.github.com/codahale/f9f3781f7b54985bee94 MISC https://bugzilla.redhat.com/show_bug.cgi?id=909071 OSVDB 89939 SECUNIA 52774 SECUNIA 52134 SECUNIA 52033 REDHAT RHSA-2013:0686 CONFIRM http://rack.github.com/ SUSE openSUSE-SU-2013:0462 Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time.

cpe:/a:bitbucket:xnbd:0.1.0:pre

CVE-2013-0265

2013-02-12T20:55:04.700-05:00

2013-02-13T00:00:00.000-05:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-13T11:19:00.000-05:00

MLIST [oss-security] 20130206 CVE request: Insecure default log file path in xNBD OSVDB 90008 MLIST [oss-security] 20130206 Re: CVE request: Insecure default log file path in xNBD The redirect_stderr function in xnbd_common.c in xnbd-server and xndb-wrapper in xNBD 0.1.0 allow local users to overwrite arbitrary files via a symlink attack on /tmp/xnbd.log.

cpe:/a:openstack:folsom:- cpe:/a:openstack:essex:-

CVE-2013-0266

2013-03-08T16:55:01.960-05:00

2013-03-18T00:00:00.000-04:00

2.1

LOCAL

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-18T11:40:00.000-04:00

CONFIRM https://github.com/puppetlabs/puppetlabs-cinder/commit/7da792fbd40c0e6eae1ee093aa00e0b177bd2ebc MISC https://bugzilla.redhat.com/show_bug.cgi?id=908581 REDHAT RHSA-2013:0595 manifests/base.pp in the puppetlabs-cinder module, as used in PackStack, uses world-readable permissions for the (1) cinder.conf and (2) api-paste.ini configuration files, which allows local users to read OpenStack administrative passwords by reading the files.

cpe:/o:linux:linux_kernel:3.3.5 cpe:/o:linux:linux_kernel:3.0:rc4 cpe:/o:linux:linux_kernel:3.2.7 cpe:/o:linux:linux_kernel:3.0.32 cpe:/o:linux:linux_kernel:3.5.7 cpe:/o:linux:linux_kernel:3.5.4 cpe:/o:linux:linux_kernel:3.2.3 cpe:/o:linux:linux_kernel:3.4.23 cpe:/o:linux:linux_kernel:3.2.26 cpe:/o:linux:linux_kernel:3.0.26 cpe:/o:linux:linux_kernel:3.4.13 cpe:/o:linux:linux_kernel:3.0.40 cpe:/o:linux:linux_kernel:3.6.9 cpe:/o:linux:linux_kernel:3.3.2 cpe:/o:linux:linux_kernel:3.7 cpe:/o:linux:linux_kernel:3.3.6 cpe:/o:linux:linux_kernel:3.0.16 cpe:/o:linux:linux_kernel:3.0.24 cpe:/o:linux:linux_kernel:3.4.22 cpe:/o:linux:linux_kernel:3.2.11 cpe:/o:linux:linux_kernel:3.1.4 cpe:/o:linux:linux_kernel:3.3:rc2 cpe:/o:linux:linux_kernel:3.0.39 cpe:/o:linux:linux_kernel:3.7.4 cpe:/o:linux:linux_kernel:3.4.16 cpe:/o:linux:linux_kernel:3.5.2 cpe:/o:linux:linux_kernel:3.3:rc3 cpe:/o:linux:linux_kernel:3.0.17 cpe:/o:linux:linux_kernel:3.0.27 cpe:/o:linux:linux_kernel:3.0.20 cpe:/o:linux:linux_kernel:3.1:rc3 cpe:/o:linux:linux_kernel:3.2.6 cpe:/o:linux:linux_kernel:3.4.9 cpe:/o:linux:linux_kernel:3.4.3 cpe:/o:linux:linux_kernel:3.0:rc1 cpe:/o:linux:linux_kernel:3.0.41 cpe:/o:linux:linux_kernel:3.0.37 cpe:/o:linux:linux_kernel:3.1.9 cpe:/o:linux:linux_kernel:3.0.31 cpe:/o:linux:linux_kernel:3.0.38 cpe:/o:linux:linux_kernel:3.1.6 cpe:/o:linux:linux_kernel:3.4.5 cpe:/o:linux:linux_kernel:3.0:rc5 cpe:/o:linux:linux_kernel:3.2.27 cpe:/o:linux:linux_kernel:3.4.19 cpe:/o:linux:linux_kernel:3.2.15 cpe:/o:linux:linux_kernel:3.0.7 cpe:/o:linux:linux_kernel:3.0.1 cpe:/o:linux:linux_kernel:3.2.17 cpe:/o:linux:linux_kernel:3.0.5 cpe:/o:linux:linux_kernel:3.0.9 cpe:/o:linux:linux_kernel:3.0.11 cpe:/o:linux:linux_kernel:3.7.1 cpe:/o:linux:linux_kernel:3.4.12 cpe:/o:linux:linux_kernel:3.0.13 cpe:/o:linux:linux_kernel:3.3.3 cpe:/o:linux:linux_kernel:3.0.34 cpe:/o:linux:linux_kernel:3.2.2 cpe:/o:linux:linux_kernel:3.2:rc5 cpe:/o:linux:linux_kernel:3.2.22 cpe:/o:linux:linux_kernel:3.0.8 cpe:/o:linux:linux_kernel:3.0.4 cpe:/o:linux:linux_kernel:3.2.9 cpe:/o:linux:linux_kernel:3.1:rc4 cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:3.0.42 cpe:/o:linux:linux_kernel:3.1:rc1 cpe:/o:linux:linux_kernel:3.4:rc1 cpe:/o:linux:linux_kernel:3.3 cpe:/o:linux:linux_kernel:3.4.14 cpe:/o:linux:linux_kernel:3.0.21 cpe:/o:linux:linux_kernel:3.2.14 cpe:/o:linux:linux_kernel:3.1.1 cpe:/o:linux:linux_kernel:3.0.22 cpe:/o:linux:linux_kernel:3.2:rc4 cpe:/o:linux:linux_kernel:3.6.10 cpe:/o:linux:linux_kernel:3.4.21 cpe:/o:linux:linux_kernel:3.1 cpe:/o:linux:linux_kernel:3.4.17 cpe:/o:linux:linux_kernel:3.5.6 cpe:/o:linux:linux_kernel:3.1.3 cpe:/o:linux:linux_kernel:3.0.29 cpe:/o:linux:linux_kernel:3.3:rc1 cpe:/o:linux:linux_kernel:3.0.33 cpe:/o:linux:linux_kernel:3.1.2 cpe:/o:linux:linux_kernel:3.2.13 cpe:/o:linux:linux_kernel:3.3:rc6 cpe:/o:linux:linux_kernel:3.3.4 cpe:/o:linux:linux_kernel:3.2.18 cpe:/o:linux:linux_kernel:3.0.12 cpe:/o:linux:linux_kernel:3.2.29 cpe:/o:linux:linux_kernel:3.2.24 cpe:/o:linux:linux_kernel:3.0:rc3 cpe:/o:linux:linux_kernel:3.2.12 cpe:/o:linux:linux_kernel:3.0.19 cpe:/o:linux:linux_kernel:3.0.3 cpe:/o:linux:linux_kernel:3.2.25 cpe:/o:linux:linux_kernel:3.2:rc7 cpe:/o:linux:linux_kernel:3.4:rc7 cpe:/o:linux:linux_kernel:3.0.36 cpe:/o:linux:linux_kernel:3.4.4 cpe:/o:linux:linux_kernel:3.2.23 cpe:/o:linux:linux_kernel:3.4:rc6 cpe:/o:linux:linux_kernel:3.2.16 cpe:/o:linux:linux_kernel:3.0.10 cpe:/o:linux:linux_kernel:3.0.35 cpe:/o:linux:linux_kernel:3.5.3 cpe:/o:linux:linux_kernel:3.2:rc6 cpe:/o:linux:linux_kernel:3.1.7 cpe:/o:linux:linux_kernel:3.0.30 cpe:/o:linux:linux_kernel:3.1.5 cpe:/o:linux:linux_kernel:3.4.11 cpe:/o:linux:linux_kernel:3.5.5 cpe:/o:linux:linux_kernel:3.4.10 cpe:/o:linux:linux_kernel:3.2:rc2 cpe:/o:linux:linux_kernel:3.3.1 cpe:/o:linux:linux_kernel:3.6.11 cpe:/o:linux:linux_kernel:3.3:rc4 cpe:/o:linux:linux_kernel:3.0.28 cpe:/o:linux:linux_kernel:3.3:rc7 cpe:/o:linux:linux_kernel:3.3.7 cpe:/o:linux:linux_kernel:3.1.10 cpe:/o:linux:linux_kernel:3.3:rc5 cpe:/o:linux:linux_kernel:3.4.8 cpe:/o:linux:linux_kernel:3.0.14 cpe:/o:linux:linux_kernel:3.7.2 cpe:/o:linux:linux_kernel:3.2:rc3 cpe:/o:linux:linux_kernel:3.0.23 cpe:/o:linux:linux_kernel:3.0:rc2 cpe:/o:linux:linux_kernel:3.4.20 cpe:/o:linux:linux_kernel:3.3.8 cpe:/o:linux:linux_kernel:3.4.2 cpe:/o:linux:linux_kernel:3.0.2 cpe:/o:linux:linux_kernel:3.7.3 cpe:/o:linux:linux_kernel:3.5.1 cpe:/o:linux:linux_kernel:3.1:rc2 cpe:/o:linux:linux_kernel:3.2.30 cpe:/o:linux:linux_kernel:3.0.6 cpe:/o:linux:linux_kernel:3.0.15 cpe:/o:linux:linux_kernel:3.2.1 cpe:/o:linux:linux_kernel:3.0.44 cpe:/o:linux:linux_kernel:3.2.28 cpe:/o:linux:linux_kernel:3.4:rc2 cpe:/o:linux:linux_kernel:3.4.24 cpe:/o:linux:linux_kernel:3.2.8 cpe:/o:linux:linux_kernel:3.4:rc4 cpe:/o:linux:linux_kernel:3.2.5 cpe:/o:linux:linux_kernel:3.4.15 cpe:/o:linux:linux_kernel:3.2.19 cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.4.1 cpe:/o:linux:linux_kernel:3.0.43 cpe:/o:linux:linux_kernel:3.0.25 cpe:/o:linux:linux_kernel:3.1.8 cpe:/o:linux:linux_kernel:3.4:rc3 cpe:/o:linux:linux_kernel:3.4.7 cpe:/o:linux:linux_kernel:3.2.4 cpe:/o:linux:linux_kernel:3.2.10 cpe:/o:linux:linux_kernel:3.0.18 cpe:/o:linux:linux_kernel:3.4.6 cpe:/o:linux:linux_kernel:3.4:rc5 cpe:/o:linux:linux_kernel:3.2.20 cpe:/o:linux:linux_kernel:3.2.21 cpe:/o:linux:linux_kernel:3.4.18 cpe:/o:linux:linux_kernel:3.0:rc6 cpe:/o:linux:linux_kernel:3.7.5 cpe:/o:linux:linux_kernel:3.0:rc7

CVE-2013-0268

2013-02-17T23:41:50.417-05:00

2013-06-04T23:40:40.147-04:00

6.2

LOCAL

HIGH

NONE

COMPLETE

http://nvd.nist.gov

2013-02-18T11:44:00.000-05:00

CONFIRM http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c903f0456bc69176912dee6dd25c6a66ee1aed00 CONFIRM https://github.com/torvalds/linux/commit/c903f0456bc69176912dee6dd25c6a66ee1aed00 CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=908693 MLIST [oss-security] 20130207 Re: CVE request -- Linux kernel: x86/msr: /dev/cpu/*/msr local privilege escalation CONFIRM http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.7.6 SUSE SUSE-SU-2013:0674 The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

cpe:/a:rubygems:json_gem:1.5.2 cpe:/a:rubygems:json_gem:1.7.3 cpe:/a:rubygems:json_gem:1.6.6 cpe:/a:rubygems:json_gem:1.5.1 cpe:/a:rubygems:json_gem:1.6.3 cpe:/a:rubygems:json_gem:1.7.1 cpe:/a:rubygems:json_gem:1.6.1 cpe:/a:rubygems:json_gem:1.6.2 cpe:/a:rubygems:json_gem:1.5.3 cpe:/a:rubygems:json_gem:1.7.5 cpe:/a:rubygems:json_gem:1.6.5 cpe:/a:rubygems:json_gem:1.6.4 cpe:/a:rubygems:json_gem:1.7.4 cpe:/a:rubygems:json_gem:1.5.0 cpe:/a:rubygems:json_gem:1.5.4 cpe:/a:rubygems:json_gem:1.7.0 cpe:/a:rubygems:json_gem:1.7.6 cpe:/a:rubygems:json_gem:1.6.7 cpe:/a:rubygems:json_gem:1.7.2 cpe:/a:rubygems:json_gem:1.6.0

CVE-2013-0269

2013-02-12T20:55:05.107-05:00

2013-06-04T23:40:40.373-04:00

7.5

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-13T13:03:00.000-05:00

MLIST [rubyonrails-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269] XF json-ruby-security-bypass(82010) MISC http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection UBUNTU USN-1733-1 BID 57899 OSVDB 90074 MLIST [oss-security] 20130211 Patch update for [CVE-2013-0269] MLIST [oss-security] 20130211 Denial of Service and Unsafe Object Creation Vulnerability in JSON [CVE-2013-0269] CONFIRM http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ CONFIRM http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed SECUNIA 52902 SECUNIA 52774 SECUNIA 52075 REDHAT RHSA-2013:0701 REDHAT RHSA-2013:0686 SUSE openSUSE-SU-2013:0603 SUSE SUSE-SU-2013:0647 SUSE SUSE-SU-2013:0609 SLACKWARE SSA:2013-075-01 The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

cpe:/a:openstack:grizzly:2012.2 cpe:/a:openstack:folsom:2012.2 cpe:/a:openstack:folsom:2012.1.3

CVE-2013-0270

2013-04-12T18:55:01.070-04:00

2013-04-15T00:00:00.000-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-04-15T10:23:00.000-04:00

CONFIRM https://launchpad.net/keystone/grizzly/2013.1 CONFIRM https://github.com/openstack/keystone/commit/82c87e5638ebaf9f166a9b07a0155291276d6fdc CONFIRM https://github.com/openstack/keystone/commit/7691276b869a86c2b75631d5bede9f61e030d9d8 MISC https://bugzilla.redhat.com/show_bug.cgi?id=909012 CONFIRM https://bugs.launchpad.net/keystone/+bug/1099025 REDHAT RHSA-2013:0708 OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token.

cpe:/a:pidgin:pidgin:2.5.8 cpe:/a:pidgin:pidgin:2.1.1 cpe:/a:pidgin:pidgin:2.5.0 cpe:/a:pidgin:pidgin:2.10.0 cpe:/a:pidgin:pidgin:2.0.0 cpe:/a:pidgin:pidgin:2.7.6 cpe:/a:pidgin:pidgin:2.6.0 cpe:/a:pidgin:pidgin:2.6.4 cpe:/a:pidgin:pidgin:2.3.1 cpe:/a:pidgin:pidgin:2.6.1 cpe:/a:pidgin:pidgin:2.5.4 cpe:/a:pidgin:pidgin:2.2.2 cpe:/a:pidgin:pidgin:2.7.2 cpe:/a:pidgin:pidgin:2.4.0 cpe:/a:pidgin:pidgin:2.7.10 cpe:/a:pidgin:pidgin:2.6.5 cpe:/a:pidgin:pidgin:2.0.1 cpe:/a:pidgin:pidgin:2.6.6 cpe:/a:pidgin:pidgin:2.10.4 cpe:/a:pidgin:pidgin:2.4.1 cpe:/a:pidgin:pidgin:2.7.1 cpe:/a:pidgin:pidgin:2.6.2 cpe:/a:pidgin:pidgin:2.5.2 cpe:/a:pidgin:pidgin:2.10.1 cpe:/a:pidgin:pidgin:2.5.9 cpe:/a:pidgin:pidgin:2.5.6 cpe:/a:pidgin:pidgin:2.7.8 cpe:/a:pidgin:pidgin:2.4.3 cpe:/a:pidgin:pidgin:2.10.6 cpe:/a:pidgin:pidgin:2.7.3 cpe:/a:pidgin:pidgin:2.7.0 cpe:/a:pidgin:pidgin:2.7.11 cpe:/a:pidgin:pidgin:2.3.0 cpe:/a:pidgin:pidgin:2.5.3 cpe:/a:pidgin:pidgin:2.7.5 cpe:/a:pidgin:pidgin:2.10.3 cpe:/a:pidgin:pidgin:2.5.5 cpe:/a:pidgin:pidgin:2.9.0 cpe:/a:pidgin:pidgin:2.2.1 cpe:/a:pidgin:pidgin:2.5.7 cpe:/a:pidgin:pidgin:2.10.5 cpe:/a:pidgin:pidgin:2.7.4 cpe:/a:pidgin:pidgin:2.7.9 cpe:/a:pidgin:pidgin:2.8.0 cpe:/a:pidgin:pidgin:2.4.2 cpe:/a:pidgin:pidgin:2.2.0 cpe:/a:pidgin:pidgin:2.7.7 cpe:/a:pidgin:pidgin:2.0.2 cpe:/a:pidgin:pidgin:2.5.1 cpe:/a:pidgin:pidgin:2.1.0 cpe:/a:pidgin:pidgin:2.10.2

CVE-2013-0271

2013-02-16T16:55:02.093-05:00

2013-03-22T23:15:13.747-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-18T10:37:00.000-05:00

UBUNTU USN-1746-1 CONFIRM http://www.pidgin.im/news/security/?id=65 SUSE openSUSE-SU-2013:0405 SUSE SUSE-SU-2013:0388 CONFIRM http://hg.pidgin.im/pidgin/main/rev/a8aef1d340f2 The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname.

CVE-2013-0272

2013-02-16T16:55:02.153-05:00

2013-03-22T23:15:13.827-04:00

6.8

NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-02-18T10:50:00.000-05:00

UBUNTU USN-1746-1 CONFIRM http://www.pidgin.im/news/security/?id=66 SUSE openSUSE-SU-2013:0407 SUSE openSUSE-SU-2013:0405 SUSE SUSE-SU-2013:0388 CONFIRM http://hg.pidgin.im/pidgin/main/rev/879db2a9a59c Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header.

CVE-2013-0273

2013-02-16T16:55:02.233-05:00

2013-03-22T23:15:13.903-04:00

5.0

NETWORK

LOW

NONE

PARTIAL

http://nvd.nist.gov

2013-02-18T10:59:00.000-05:00

UBUNTU USN-1746-1 CONFIRM http://www.pidgin.im/news/security/?id=67 SUSE openSUSE-SU-2013:0407 SUSE openSUSE-SU-2013:0405 SUSE SUSE-SU-2013:0388 CONFIRM http://hg.pidgin.im/pidgin/main/rev/c31cf8de31cd sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet.

CVE-2013-0274

2013-02-16T16:55:02.280-05:00

2013-03-22T23:15:13.983-04:00

2.9

ADJACENT_NETWORK

MEDIUM

NONE

PARTIAL

http://nvd.nist.gov

2013-02-18T11:04:00.000-05:00

UBUNTU USN-1746-1 CONFIRM http://www.pidgin.im/news/security/?id=68 SUSE openSUSE-SU-2013:0407 SUSE openSUSE-SU-2013:0405 SUSE SUSE-SU-2013:0388 CONFIRM http://hg.pidgin.im/pidgin/main/rev/ad7e7fb98db3 upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network.

cpe:/a:ganglia:ganglia-web:3.4.2 cpe:/a:ganglia:ganglia-web:3.5.3 cpe:/a:ganglia:ganglia-web:3.3.0 cpe:/a:ganglia:ganglia-web:2.1.1 cpe:/a:ganglia:ganglia-web:3.3.1 cpe:/a:ganglia:ganglia-web:3.4.1 cpe:/a:ganglia:ganglia-web:3.5.2 cpe:/a:ganglia:ganglia-web:2.1.0 cpe:/a:ganglia:ganglia-web:3.5.4 cpe:/a:ganglia:ganglia-web:2.2.0 cpe:/a:ganglia:ganglia-web:2.1.3 cpe:/a:ganglia:ganglia-web:3.5.1 cpe:/a:ganglia:ganglia-web:2.1.8 cpe:/a:ganglia:ganglia-web:2.1.2 cpe:/a:ganglia:ganglia-web:3.5.5 cpe:/a:ganglia:ganglia-web:2.1.6 cpe:/a:ganglia:ganglia-web:3.5.0 cpe:/a:ganglia:ganglia-web:2.1.5 cpe:/a:ganglia:ganglia-web:2.1.7

CVE-2013-0275

2013-03-13T23:12:47.400-04:00

2013-03-19T00:00:00.000-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-03-19T13:18:00.000-04:00

CONFIRM https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e MISC https://bugzilla.redhat.com/show_bug.cgi?id=892823 BID 58204 MLIST [oss-security] 20130208 Re: CVE request: XSS flaws fixed in ganglia CONFIRM http://ganglia.info/?p=566 Multiple cross-site scripting (XSS) vulnerabilities in Ganglia Web before 3.5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

cpe:/a:rubyonrails:ruby_on_rails:3.1.10 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.9 cpe:/a:rubyonrails:ruby_on_rails:2.3.15 cpe:/a:rubyonrails:ruby_on_rails:3.1.7 cpe:/a:rubyonrails:ruby_on_rails:3.2.2 cpe:/a:rubyonrails:ruby_on_rails:2.3.14 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:beta1 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc4 cpe:/a:rubyonrails:ruby_on_rails:3.1.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc2 cpe:/a:rubyonrails:ruby_on_rails:2.3.10 cpe:/a:rubyonrails:ruby_on_rails:2.3.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc3 cpe:/a:rubyonrails:ruby_on_rails:3.1.6 cpe:/a:rubyonrails:ruby_on_rails:3.1.5 cpe:/a:rubyonrails:ruby_on_rails:2.3.12 cpe:/a:rubyonrails:ruby_on_rails:3.1.9 cpe:/a:rubyonrails:ruby_on_rails:3.2.8 cpe:/a:rubyonrails:ruby_on_rails:3.2.6 cpe:/a:rubyonrails:ruby_on_rails:3.2.4 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc3 cpe:/a:rubyonrails:ruby_on_rails:2.3.16 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc7 cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:2.3.9 cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.2.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc6 cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.5:rc1 cpe:/a:rubyonrails:ruby_on_rails:2.3.13 cpe:/a:rubyonrails:ruby_on_rails:3.1.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.4:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.2 cpe:/a:rubyonrails:ruby_on_rails:2.3.11 cpe:/a:rubyonrails:ruby_on_rails:3.2.5 cpe:/a:rubyonrails:ruby_on_rails:3.1.1 cpe:/a:rubyonrails:ruby_on_rails:3.2.2:rc1 cpe:/a:rubyonrails:ruby_on_rails:3.1.8 cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc8 cpe:/a:rubyonrails:ruby_on_rails:2.3.1 cpe:/a:rubyonrails:ruby_on_rails:3.2.11 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc1 cpe:/a:rubyonrails:ruby_on_rails:2.3.2 cpe:/a:rubyonrails:ruby_on_rails:3.2.3 cpe:/a:rubyonrails:ruby_on_rails:3.1.3 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:2.3.3 cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc2 cpe:/a:rubyonrails:ruby_on_rails:3.2.1 cpe:/a:rubyonrails:ruby_on_rails:3.2.7 cpe:/a:rubyonrails:ruby_on_rails:3.2.10 cpe:/a:rubyonrails:ruby_on_rails:2.3.0 cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc5 cpe:/a:rubyonrails:ruby_on_rails:3.2.4:rc1

CVE-2013-0276

2013-02-12T20:55:05.167-05:00

2013-06-05T23:24:30.627-04:00

4.3

NETWORK

MEDIUM

NONE

PARTIAL

NONE

http://nvd.nist.gov

2013-02-13T12:43:00.000-05:00

MLIST [oss-security] 20130211 Circumvention of attr_protected [CVE-2013-0276] MLIST