Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2017-08-29 CVE-2017-13748 Missing Release of Resource after Effective Lifetime vulnerability in multiple products
There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack.
network
low complexity
jasper-project fedoraproject debian CWE-772
7.5
2017-08-24 CVE-2017-11424 In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys.
network
low complexity
pyjwt-project debian
7.5
2017-08-24 CVE-2017-12836 CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
network
high complexity
gnu canonical debian
7.5
2017-08-24 CVE-2017-12137 Classic Buffer Overflow vulnerability in multiple products
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
local
low complexity
xen citrix debian CWE-120
8.8
2017-08-24 CVE-2017-12136 Race Condition vulnerability in multiple products
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.
local
high complexity
xen citrix debian CWE-362
7.8
2017-08-24 CVE-2017-12135 Incorrect Calculation vulnerability in multiple products
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.
local
low complexity
xen citrix debian CWE-682
8.8
2017-08-23 CVE-2017-12904 Improper Neutralization of Special Elements in Data Query Logic vulnerability in multiple products
Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
network
low complexity
newsbeuter debian CWE-943
8.8
2017-08-23 CVE-2017-11610 Incorrect Default Permissions vulnerability in multiple products
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
network
low complexity
supervisord fedoraproject debian redhat CWE-276
8.8
2017-08-22 CVE-2017-5208 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the wrestool program in icoutils before 0.31.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted executable, which triggers a denial of service (application crash) or the possibility of execution of arbitrary code.
network
low complexity
icoutils-project debian redhat CWE-190
8.8
2017-08-19 CVE-2017-10661 Use After Free vulnerability in multiple products
Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
local
high complexity
linux redhat debian CWE-416
7.0