Vulnerabilities > Debian > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-06-21 CVE-2022-2068 OS Command Injection vulnerability in multiple products
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.
network
low complexity
openssl debian CWE-78
critical
10.0
2022-06-07 CVE-2019-9972 Command Injection vulnerability in multiple products
PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling.
network
low complexity
3cx debian CWE-77
critical
9.0
2022-06-07 CVE-2019-9971 Improper Privilege Management vulnerability in multiple products
PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by using sudo with the tcpdump command, without a password.
network
low complexity
3cx debian CWE-269
critical
9.0
2022-04-18 CVE-2021-3624 Integer Overflow or Wraparound vulnerability in multiple products
There is an integer overflow vulnerability in dcraw.
network
dcraw-project debian CWE-190
critical
9.3
2022-02-21 CVE-2021-44142 Out-of-bounds Write vulnerability in multiple products
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes.
network
low complexity
samba debian canonical synology fedoraproject redhat CWE-787
critical
9.0
2022-02-18 CVE-2022-0543 It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
network
low complexity
redis debian
critical
10.0
2022-02-18 CVE-2020-25719 Improper Authentication vulnerability in multiple products
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication.
network
low complexity
samba debian fedoraproject canonical redhat CWE-287
critical
9.0
2022-01-25 CVE-2021-45341 Classic Buffer Overflow vulnerability in multiple products
A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.
9.3
2022-01-19 CVE-2021-33912 Out-of-bounds Write vulnerability in multiple products
libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c.
network
libspf2-project debian CWE-787
critical
9.3
2022-01-19 CVE-2022-23221 Code Injection vulnerability in multiple products
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
network
low complexity
h2database debian CWE-94
critical
10.0