Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2017-12-20 CVE-2017-17806 Out-of-bounds Write vulnerability in multiple products
The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.
7.8
2017-12-20 CVE-2017-17805 Improper Input Validation vulnerability in multiple products
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API.
7.8
2017-12-20 CVE-2017-17783 Out-of-bounds Read vulnerability in multiple products
In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8.
network
high complexity
graphicsmagick debian CWE-125
7.5
2017-12-20 CVE-2017-17782 Out-of-bounds Read vulnerability in multiple products
In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation.
network
low complexity
graphicsmagick debian CWE-125
8.8
2017-12-14 CVE-2017-17527 Injection vulnerability in multiple products
delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network
low complexity
pasdoc-project debian CWE-74
8.8
2017-12-14 CVE-2017-17520 Injection vulnerability in Debian TIN 2.4.1
tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network
low complexity
debian CWE-74
8.8
2017-12-14 CVE-2017-17515 Injection vulnerability in multiple products
etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network
low complexity
ecmwf debian CWE-74
8.8
2017-12-14 CVE-2017-17514 Injection vulnerability in multiple products
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network
low complexity
nip2-project debian CWE-74
8.8
2017-12-14 CVE-2017-17682 Resource Exhaustion vulnerability in multiple products
In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call.
7.1
2017-12-11 CVE-2017-17503 Out-of-bounds Read vulnerability in multiple products
ReadGRAYImage in coders/gray.c in GraphicsMagick 1.3.26 has a magick/import.c ImportGrayQuantumType heap-based buffer over-read via a crafted file.
network
low complexity
graphicsmagick debian CWE-125
8.8