Vulnerabilities > Debian > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-01-26 CVE-2022-23959 HTTP Request Smuggling vulnerability in multiple products
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
9.1
2022-01-25 CVE-2021-3850 Improper Authentication vulnerability in multiple products
Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.
network
low complexity
adodb-project debian CWE-287
critical
9.1
2022-01-24 CVE-2022-23852 Integer Overflow or Wraparound vulnerability in multiple products
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
network
low complexity
libexpat-project netapp tenable debian oracle siemens CWE-190
critical
9.8
2022-01-21 CVE-2021-23518 The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path.
network
low complexity
cached-path-relative-project debian
critical
9.8
2022-01-21 CVE-2022-0318 Out-of-bounds Write vulnerability in multiple products
Heap-based Buffer Overflow in vim/vim prior to 8.2.
network
low complexity
vim apple debian CWE-787
critical
9.8
2022-01-19 CVE-2021-33912 Out-of-bounds Write vulnerability in multiple products
libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c.
network
low complexity
libspf2-project debian CWE-787
critical
9.8
2022-01-19 CVE-2022-23221 Argument Injection or Modification vulnerability in multiple products
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
network
low complexity
h2database debian oracle CWE-88
critical
9.8
2022-01-14 CVE-2022-23218 Classic Buffer Overflow vulnerability in multiple products
The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
network
low complexity
gnu oracle debian CWE-120
critical
9.8
2022-01-14 CVE-2022-23219 Classic Buffer Overflow vulnerability in multiple products
The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
network
low complexity
gnu oracle debian CWE-120
critical
9.8
2022-01-10 CVE-2022-22817 PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
network
low complexity
python debian
critical
9.8