Tag Id Distro CVE ID Type Severity Packages Source Package Package Version Package License CVSS Fix Status Risk Factors Description Cause Published Vulnerability Link

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3520

OS

moderate

lz4-libs

1.8.3-2.el8

GPLv2+ and BSD

8.6

fixed in 1.8.3-3.el8_4

Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

2021-06-02 13:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3520

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2020-12762

OS

unimportant

json-c

0.13.1-0.4.el8

MIT

7.8

will not fix

Attack complexity: low, Recent vulnerability

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

2020-05-09 18:15:00.000

https://access.redhat.com/security/cve/CVE-2020-12762

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2019-13057

OS

unimportant

openldap

2.4.46-16.el8

OpenLDAP

6.5

will not fix

Attack complexity: low, Attack vector: network

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)

2019-07-26 13:15:00.000

https://access.redhat.com/security/cve/CVE-2019-13057

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2020-16135

OS

low

libssh

0.9.4-2.el8

LGPLv2+

5.9

open

Attack vector: network, Recent vulnerability

libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.

2020-07-29 21:15:00.000

https://access.redhat.com/security/cve/cve-2020-16135

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-22876

OS

moderate

curl

7.61.1-18.el8

MIT

3.7

affected

Attack vector: network, Medium severity, Recent vulnerability

curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

2021-04-01 18:15:00.000

https://access.redhat.com/security/cve/CVE-2021-22876

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-22898

OS

low

curl

7.61.1-18.el8

MIT

3.1

affected

Attack vector: network, Recent vulnerability

curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

2021-06-11 16:15:00.000

https://access.redhat.com/security/cve/CVE-2021-22898

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20271

OS

moderate

rpm-libs

4.14.3-13.el8

GPLv2+ and LGPLv2+ with exceptions

6.7

fixed in 4.14.3-14.el8_4

Has fix, Medium severity, Recent vulnerability

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

2021-03-26 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20271

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-27218

OS

moderate

glib2

2.56.4-10.el8_4

LGPLv2+

7.5

affected

Attack complexity: low, Attack vector: network, Medium severity, Recent vulnerability

An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

2021-02-15 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-27218

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-28153

OS

low

glib2

2.56.4-10.el8_4

LGPLv2+

5.3

affected

Attack complexity: low, Attack vector: network, Recent vulnerability

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

2021-03-11 22:15:00.000

https://access.redhat.com/security/cve/CVE-2021-28153

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2019-9923

OS

unimportant

tar

1.30-5.el8

GPLv3+

3.3

will not fix

Attack complexity: low

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

2019-03-22 08:29:00.000

https://access.redhat.com/security/cve/CVE-2019-9923

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20193

OS

unimportant

tar

1.30-5.el8

GPLv3+

3.3

will not fix

Attack complexity: low, Recent vulnerability

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

2021-03-26 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20193

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-23840

OS

moderate

openssl

1.1.1g-15.el8_3

OpenSSL and ASL 2.0

7.5

affected

Attack complexity: low, Attack vector: network, Medium severity, Recent vulnerability

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

2021-02-16 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-23840

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-23841

OS

moderate

openssl

1.1.1g-15.el8_3

OpenSSL and ASL 2.0

5.9

affected

Attack vector: network, DoS, Medium severity, Recent vulnerability

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

2021-02-16 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-23841

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2019-1010022

OS

unimportant

glibc

2.28-151.el8

LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL

9.8

will not fix

Attack vector: network

DISPUTED GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"

2019-07-15 04:15:00.000

https://access.redhat.com/security/cve/CVE-2019-1010022

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-33574

OS

low

glibc

2.28-151.el8

LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL

5.9

affected

Attack vector: network, DoS, Recent vulnerability

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

2021-05-25 22:15:00.000

https://access.redhat.com/security/cve/CVE-2021-33574

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3516

OS

moderate

libxml2

2.9.7-9.el8

MIT

7.8

fixed in 2.9.7-9.el8_4.2

Attack complexity: low, Has fix, Medium severity, Recent vulnerability

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

2021-06-01 14:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3516

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3517

OS

moderate

libxml2

2.9.7-9.el8

MIT

8.6

fixed in 2.9.7-9.el8_4.2

Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

2021-05-19 14:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3517

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3518

OS

moderate

libxml2

2.9.7-9.el8

MIT

8.6

fixed in 2.9.7-9.el8_4.2

Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

2021-05-18 12:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3518

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3537

OS

moderate

libxml2

2.9.7-9.el8

MIT

7.5

fixed in 2.9.7-9.el8_4.2

Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

2021-05-14 20:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3537

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3541

OS

moderate

libxml2

2.9.7-9.el8

MIT

6.5

fixed in 2.9.7-9.el8_4.2

Attack complexity: low, Attack vector: network, DoS, Has fix, Medium severity, Recent vulnerability

A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

2021-07-09 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3541

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-33560

OS

moderate

libgcrypt

1.8.5-4.el8

LGPLv2+

7.5

affected

Attack complexity: low, Attack vector: network, Medium severity, Recent vulnerability

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.

2021-06-08 11:15:00.000

https://access.redhat.com/security/cve/CVE-2021-33560

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2019-20838

OS

low

pcre

8.42-4.el8

BSD

7.5

affected

Attack complexity: low, Attack vector: network

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.

2020-06-15 17:15:00.000

https://access.redhat.com/security/cve/CVE-2019-20838

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2020-14155

OS

low

pcre

8.42-4.el8

BSD

5.3

affected

Attack complexity: low, Attack vector: network, Recent vulnerability

libpcre in PCRE before 8.44 allows an integer overflow via a large number after a

2020-06-15 17:15:00.000

https://access.redhat.com/security/cve/CVE-2020-14155

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2018-1000879

OS

unimportant

libarchive

3.3.3-1.el8

BSD

3.3

will not fix

Attack complexity: low, DoS

libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.

2018-12-20 17:29:00.000

https://access.redhat.com/security/cve/CVE-2018-1000879

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2018-1000880

OS

unimportant

libarchive

3.3.3-1.el8

BSD

3.3

will not fix

Attack complexity: low, DoS

libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.

2018-12-20 17:29:00.000

https://access.redhat.com/security/cve/CVE-2018-1000880

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20231

OS

moderate

gnutls

3.6.14-8.el8_3

GPLv3+ and LGPLv2+

3.7

affected

Attack vector: network, Medium severity, Recent vulnerability

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.

2021-03-12 19:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20231

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20232

OS

moderate

gnutls

3.6.14-8.el8_3

GPLv3+ and LGPLv2+

3.7

affected

Attack vector: network, Medium severity, Recent vulnerability

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

2021-03-12 19:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20232

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20266

OS

low

rpm

4.14.3-13.el8

GPLv2+

3.1

affected

Attack vector: network, Recent vulnerability

A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.

2021-04-30 12:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20266

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-20271

OS

moderate

rpm

4.14.3-13.el8

GPLv2+

6.7

fixed in 4.14.3-14.el8_4

Has fix, Medium severity, Recent vulnerability

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

2021-03-26 17:15:00.000

https://access.redhat.com/security/cve/CVE-2021-20271

console_21_04_439

sha256:5f2561fab84792d2aff3e355ed241afe820026f9345de760450dcaf65331a77f

redhat-RHEL8

CVE-2021-3421

OS

moderate

rpm

4.14.3-13.el8

GPLv2+

4.7

affected

Medium severity, Recent vulnerability

A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.

2021-05-19 14:15:00.000

https://access.redhat.com/security/cve/CVE-2021-3421