Weekly Vulnerabilities Reports > August 10 to 16, 2009
Overview
4 new vulnerabilities were reported during this period, including 1 critical vulnerability and 2 high severity vulnerabilities. This weekly summary reports vulnerabilities in 31 products from 13 vendors, including Debian, Linux, Redhat, Suse, and Apple. The vulnerabilities are categorized as "Use of Uninitialized Resource", "Use After Free", "NULL Pointer Dereference", and "Authentication Bypass by Spoofing".
- 2 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 2 reported vulnerabilities are exploitable by an anonymous user.
- Debian has the most reported vulnerabilities, with 2 reported vulnerabilities.
- Snom has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
1 Critical Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-08-14 | CVE-2009-1048 | Snom | Authentication Bypass by Spoofing vulnerability in Snom products. The web interface on the snom VoIP phones snom 300, snom 320, snom 360, snom 370, and snom 820 with firmware 6.5 before 6.5.20, 7.1 before 7.1.39, and 7.3 before 7.3.14 allows remote attackers to bypass authentication, and reconfigure the phone or make arbitrary use of the phone, via a (1) http or (2) https request with 127.0.0.1 in the Host header. | 9.8 |
2 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-08-14 | CVE-2009-2768 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel. The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an "uninitialized cred pointer." | 7.8 |
2009-08-14 | CVE-2009-2692 | Linux, Debian, Suse, Redhat | Use of Uninitialized Resource vulnerability in multiple products. The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket. | 7.8 |
1 Medium Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-08-11 | CVE-2009-2416 | Xmlsoft, Fedoraproject, Debian, Redhat, Canonical, Apple, Suse, Opensuse, Vmware, SUN | Use After Free vulnerability in multiple products. Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework. | 6.5 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|