Vulnerabilities > Fedoraproject > Fedora > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-02-24 CVE-2020-1938 When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat.
network
low complexity
apache fedoraproject oracle debian opensuse blackberry
critical
 9.8
9.8
2020-02-24 CVE-2019-18183 OS Command Injection vulnerability in multiple products
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function.
network
low complexity
pacman-project fedoraproject CWE-78
critical
 9.8
9.8
2020-02-24 CVE-2019-18182 OS Command Injection vulnerability in multiple products
pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function.
network
low complexity
pacman-project fedoraproject CWE-78
critical
 9.8
9.8
2020-02-19 CVE-2020-6061 Out-of-bounds Read vulnerability in multiple products
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests.
network
low complexity
coturn-project fedoraproject debian canonical CWE-125
critical
 9.8
9.8
2020-02-19 CVE-2019-20477 Deserialization of Untrusted Data vulnerability in multiple products
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module.
network
low complexity
pyyaml fedoraproject CWE-502
critical
 9.8
9.8
2020-02-17 CVE-2020-8518 Code Injection vulnerability in multiple products
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
network
low complexity
horde fedoraproject debian CWE-94
critical
 9.8
9.8
2020-02-12 CVE-2020-8955 Classic Buffer Overflow vulnerability in multiple products
irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode).
network
low complexity
weechat fedoraproject opensuse debian CWE-120
critical
 9.8
9.8
2020-02-07 CVE-2019-15605 HTTP Request Smuggling vulnerability in multiple products
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
network
low complexity
nodejs debian fedoraproject opensuse redhat oracle CWE-444
critical
 9.8
9.8
2020-01-29 CVE-2019-20445 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
network
low complexity
netty debian fedoraproject canonical redhat apache CWE-444
critical
 9.1
9.1
2020-01-29 CVE-2019-20444 HTTP Request Smuggling vulnerability in multiple products
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
network
low complexity
netty debian fedoraproject canonical redhat CWE-444
critical
 9.1
9.1