Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2017-09-29 CVE-2017-14867 OS Command Injection vulnerability in multiple products
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name.
network
low complexity
git-scm debian CWE-78
8.8
2017-09-28 CVE-2015-1336 Improper Access Control vulnerability in Man-Db Project Man-Db
The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use.
local
low complexity
man-db-project canonical debian CWE-284
7.2
2017-09-26 CVE-2014-8156 Permissions, Privileges, and Access Controls vulnerability in multiple products
The D-Bus security policy files in /etc/dbus-1/system.d/*.conf in fso-gsmd 0.12.0-3, fso-frameworkd 0.9.5.9+git20110512-4, and fso-usaged 0.12.0-2 as packaged in Debian, the upstream cornucopia.git (fsoaudiod, fsodatad, fsodeviced, fsogsmd, fsonetworkd, fsotdld, fsousaged) git master on 2015-01-19, the upstream framework.git 0.10.1 and git master on 2015-01-19, phonefsod 0.1+git20121018-1 as packaged in Debian, Ubuntu and potentially other packages, and potentially other fso modules do not properly filter D-Bus message paths, which might allow local users to cause a denial of service (dbus-daemon memory consumption), or execute arbitrary code as root by sending a crafted D-Bus message to any D-Bus system service.
7.2
2017-09-21 CVE-2017-14632 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
network
low complexity
xiph-org debian canonical CWE-119
7.5
2017-09-20 CVE-2015-5395 Cross-Site Request Forgery (CSRF) vulnerability in Debian Linux 7.0/8.0/9.0
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
network
low complexity
debian CWE-352
8.8
2017-09-19 CVE-2015-1854 Improper Access Control vulnerability in multiple products
389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call.
network
low complexity
fedoraproject debian CWE-284
7.5
2017-09-18 CVE-2017-9798 Use After Free vulnerability in multiple products
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed.
network
low complexity
apache debian CWE-416
7.5
2017-09-15 CVE-2017-14497 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.
local
low complexity
linux debian CWE-119
7.8
2017-09-14 CVE-2017-13725 Out-of-bounds Read vulnerability in multiple products
The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().
network
low complexity
tcpdump debian CWE-125
7.5
2017-09-14 CVE-2017-13687 Out-of-bounds Read vulnerability in multiple products
The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read in print-chdlc.c:chdlc_print().
network
low complexity
tcpdump debian CWE-125
7.5