Debian Linux Debian Linux OS

Do you want an email whenever new security vulnerabilities are reported in Debian Linux?

By the Year

In 2022 there have been 241 vulnerabilities in Debian Linux with an average score of 7.2 out of ten. Last year Debian Linux had 956 security vulnerabilities published. Right now, Debian Linux is on track to have less security vulnerabilities in 2022 than it did last year. Last year, the average CVE base score was greater by 0.05

Year Vulnerabilities Average Score
2022 241 7.23
2021 956 7.28
2020 737 6.96
2019 690 7.39
2018 1096 7.33

It may take a day or so for new Debian Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Debian Linux Security Vulnerabilities

Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956

CVE-2022-1720 7.8 - High - June 20, 2022

Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.

Out-of-bounds Read

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

CVE-2022-2126 7.8 - High - June 19, 2022

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Out-of-bounds Read

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

CVE-2022-2124 7.8 - High - June 19, 2022

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

Buffer Over-read

XFCE 4.16 allows attackers to execute arbitrary code

CVE-2022-32278 8.8 - High - June 13, 2022

XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.

KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown

CVE-2022-21499 6.7 - Medium - June 09, 2022

KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

Memory Corruption

containerd is an open source container runtime

CVE-2022-31030 5.5 - Medium - June 09, 2022

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Resource Exhaustion

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570

CVE-2019-9971 8.8 - High - June 07, 2022

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by using sudo with the tcpdump command, without a password. This occurs because the -z (aka postrotate-command) option to tcpdump can be unsafe when used in conjunction with sudo.

Improper Privilege Management

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570

CVE-2019-9972 8.8 - High - June 07, 2022

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling.

Command Injection

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva

CVE-2022-1789 6.8 - Medium - June 02, 2022

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

NULL Pointer Dereference

Bottle before 0.12.20 mishandles errors during early request binding.

CVE-2022-31799 9.8 - Critical - June 02, 2022

Bottle before 0.12.20 mishandles errors during early request binding.

Improper Handling of Exceptional Conditions

An issue was discovered in Pidgin before 2.14.9

CVE-2022-26491 5.9 - Medium - June 02, 2022

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

Improper Certificate Validation

A logic issue was addressed with improved state management

CVE-2022-26691 6.7 - Medium - May 26, 2022

A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.

Improper Privilege Management

Dpkg::Source::Archive in dpkg

CVE-2022-1664 9.8 - Critical - May 26, 2022

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Directory traversal

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic

CVE-2022-29221 8.8 - High - May 24, 2022

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

Code Injection

needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation

CVE-2022-30688 7.8 - High - May 17, 2022

needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files.

Improper Privilege Management

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2

CVE-2022-28739 7.5 - High - May 09, 2022

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

Out-of-bounds Read

There is a vulnerability in htmldoc 1.9.16

CVE-2022-27114 5.5 - Medium - May 09, 2022

There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc,'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap blosmaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.

Integer Overflow or Wraparound

ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

CVE-2022-28463 7.8 - High - May 08, 2022

ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

Classic Buffer Overflow

Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895

CVE-2022-1616 7.8 - High - May 07, 2022

Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Dangling pointer

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify)

CVE-2022-24884 7.5 - High - May 06, 2022

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

Improper Verification of Cryptographic Signature

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2

CVE-2021-46790 9.8 - Critical - May 02, 2022

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions.

Memory Corruption

A flaw was found in the QXL display device emulation in QEMU

CVE-2021-4206 8.2 - High - April 29, 2022

A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

Integer Overflow or Wraparound

A flaw was found in the QXL display device emulation in QEMU

CVE-2021-4207 8.8 - High - April 29, 2022

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

Race Condition

A use-after-free flaw was found in the Linux kernels sound subsystem in the way a user triggers concurrent calls of PCM hw_params

CVE-2022-1048 7 - High - April 29, 2022

A use-after-free flaw was found in the Linux kernels sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Race Condition

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio

CVE-2022-1195 5.5 - Medium - April 29, 2022

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.

Dangling pointer

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel

CVE-2022-1353 7.1 - High - April 29, 2022

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.

In cifs-utils through 6.14

CVE-2022-27239 7.8 - High - April 27, 2022

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

Memory Corruption

Artifex Ghostscript through 9.26 mishandles .completefont

CVE-2019-25059 7.8 - High - April 25, 2022

Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts

CVE-2022-29582 7 - High - April 22, 2022

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

Dangling pointer

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2022-21443 3.7 - Low - April 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2022-21476 7.5 - High - April 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2022-21449 7.5 - High - April 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

CVE-2022-24859 5.5 - Medium - April 18, 2022

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

Infinite Loop

There is an integer overflow vulnerability in dcraw

CVE-2021-3624 7.8 - High - April 18, 2022

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.

Integer Overflow or Wraparound

Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3

CVE-2022-1328 5.3 - Medium - April 14, 2022

Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line

Classic Buffer Overflow

Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths

CVE-2021-28544 4.3 - Medium - April 12, 2022

Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

AuthZ

Subversion's mod_dav_svn is vulnerable to memory corruption

CVE-2022-24070 7.5 - High - April 12, 2022

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.

Dangling pointer

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4

CVE-2022-28346 9.8 - Critical - April 12, 2022

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

SQL Injection

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains

CVE-2022-26360 7.8 - High - April 05, 2022

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains

CVE-2022-26361 7.8 - High - April 05, 2022

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

Twisted is an event-based framework for internet applications, supporting Python 3.6+

CVE-2022-24801 8.1 - High - April 04, 2022

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

HTTP Request Smuggling

mcba_usb_start_xmit in drivers/net/

CVE-2022-28389 7.8 - High - April 03, 2022

mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.

Double-free

ems_usb_start_xmit in drivers/net/

CVE-2022-28390 7.8 - High - April 03, 2022

ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.

Double-free

usb_8dev_start_xmit in drivers/net/

CVE-2022-28388 7.8 - High - April 03, 2022

usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.

Double-free

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.

CVE-2022-1154 9.8 - Critical - March 30, 2022

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.

Dangling pointer

A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files

CVE-2022-1122 5.5 - Medium - March 29, 2022

A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.

Access of Uninitialized Pointer

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist()

CVE-2022-26291 5.5 - Medium - March 28, 2022

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file.

Dangling pointer

zlib before 1.2.12 allows memory corruption when deflating (i.e

CVE-2018-25032 7.5 - High - March 25, 2022

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Memory Corruption

A use-after-free vulnerability was found in the virtio-net device of QEMU

CVE-2021-3748 8.8 - High - March 23, 2022

A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.

Dangling pointer

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could

CVE-2022-24302 5.9 - Medium - March 17, 2022

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Race Condition

A flaw was found in the vhost-vsock device of QEMU

CVE-2022-26354 3.2 - Low - March 16, 2022

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Missing Release of Resource after Effective Lifetime

A flaw was found in the virtio-net device of QEMU

CVE-2022-26353 7.5 - High - March 16, 2022

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

Missing Release of Resource after Effective Lifetime

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli

CVE-2022-0778 7.5 - High - March 15, 2022

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Infinite Loop

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server

CVE-2022-23943 9.8 - Critical - March 14, 2022

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Memory Corruption

If LimitXMLRequestBody is set to

CVE-2022-22721 9.8 - Critical - March 14, 2022

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Integer Overflow or Wraparound

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body

CVE-2022-22720 9.8 - Critical - March 14, 2022

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

HTTP Request Smuggling

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash

CVE-2022-22719 7.5 - High - March 14, 2022

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

Improper Initialization

PJSIP is a free and open source multimedia communication library written in C language

CVE-2022-24754 9.8 - Critical - March 11, 2022

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to `PJSIP_MD5STRLEN` before passing to PJSIP.

Classic Buffer Overflow

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file

CVE-2022-0924 5.5 - Medium - March 11, 2022

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.

Out-of-bounds Read

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file

CVE-2022-0909 5.5 - Medium - March 11, 2022

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.

Divide By Zero

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service

CVE-2022-0908 5.5 - Medium - March 11, 2022

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.

NULL Pointer Dereference

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0

CVE-2022-0907 5.5 - Medium - March 11, 2022

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.

NULL Pointer Dereference

SPIP before 3.2.14 and 4.x before 4.0.5

CVE-2022-26846 8.8 - High - March 10, 2022

SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

SPIP before 3.2.14 and 4.x before 4.0.5

CVE-2022-26847 5.3 - Medium - March 10, 2022

SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

Information Disclosure

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45

CVE-2022-26661 6.5 - Medium - March 10, 2022

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

XXE

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45

CVE-2022-26662 7.5 - High - March 10, 2022

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

XEE

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0

CVE-2022-0891 7.1 - High - March 10, 2022

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

Memory Corruption

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file

CVE-2022-0865 6.5 - Medium - March 10, 2022

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.

assertion failure

A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel

CVE-2022-0516 7.8 - High - March 10, 2022

A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4.

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c.

CVE-2021-33293 9.1 - Critical - March 10, 2022

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c.

Out-of-bounds Read

An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11

CVE-2021-32436 6.5 - Medium - March 10, 2022

An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

Out-of-bounds Read

Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11

CVE-2021-32435 5.5 - Medium - March 10, 2022

Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

Memory Corruption

abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.

CVE-2021-32434 5.5 - Medium - March 10, 2022

abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.

Out-of-bounds Read

An authenticated user can create a link with reflected Javascript code inside it for graphs page and send it to other users

CVE-2022-24919 4.4 - Medium - March 09, 2022

An authenticated user can create a link with reflected Javascript code inside it for graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

XSS

An authenticated user can create a link with reflected Javascript code inside it for services page and send it to other users

CVE-2022-24917 4.4 - Medium - March 09, 2022

An authenticated user can create a link with reflected Javascript code inside it for services page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

XSS

An authenticated user can create a link with reflected XSS payload for actions pages, and send it to other users

CVE-2022-24349 4.4 - Medium - March 09, 2022

An authenticated user can create a link with reflected XSS payload for actions pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victims computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.

XSS

regex is an implementation of regular expressions for the Rust language

CVE-2022-24713 7.5 - High - March 08, 2022

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.

Resource Exhaustion

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1

CVE-2022-26505 7.4 - High - March 06, 2022

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.

Authentication Bypass by Spoofing

In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow

CVE-2022-26495 9.8 - Critical - March 06, 2022

In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.

Integer Overflow or Wraparound

In nbd-server in nbd before 3.24, there is a stack-based buffer overflow

CVE-2022-26496 9.8 - Critical - March 06, 2022

In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name.

Memory Corruption

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8

CVE-2022-24921 7.5 - High - March 05, 2022

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

Resource Exhaustion

A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which

CVE-2021-3744 5.5 - Medium - March 04, 2022

A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar with the older CVE-2019-18808.

Memory Leak

Under certain ldap conditions, Cacti authentication

CVE-2022-0730 9.8 - Critical - March 03, 2022

Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.

authentification

A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page

CVE-2021-3640 7 - High - March 03, 2022

A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.

Dangling pointer

A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget()

CVE-2021-4002 4.4 - Medium - March 03, 2022

A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.

Memory Leak

Twisted is an event-based framework for internet applications, supporting Python 3.6+

CVE-2022-21716 7.5 - High - March 03, 2022

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.

Classic Buffer Overflow

A vulnerability was found in the Linux kernels cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function

CVE-2022-0492 7.8 - High - March 03, 2022

A vulnerability was found in the Linux kernels cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

authentification

containerd is a container runtime available as a daemon for Linux and Windows

CVE-2022-23648 7.5 - High - March 03, 2022

containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerds CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerds CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.

Information Disclosure

A flaw was found in the Linux SCTP stack

CVE-2021-3772 6.5 - Medium - March 02, 2022

A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.

Improper Validation of Integrity Check Value

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header

CVE-2022-0711 7.5 - High - March 02, 2022

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

Infinite Loop

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

CVE-2022-0577 6.5 - Medium - March 02, 2022

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

AuthZ

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVE-2022-23308 7.5 - High - February 26, 2022

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

Dangling pointer

A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c

CVE-2021-3700 6.4 - Medium - February 24, 2022

A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination.

Dangling pointer

An issue was discovered in USBGuard before 1.1.0

CVE-2019-25058 7.8 - High - February 24, 2022

An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.

AuthZ

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28

CVE-2022-24407 8.8 - High - February 24, 2022

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

SQL Injection

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10

CVE-2022-25636 7.8 - High - February 24, 2022

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

Improper Privilege Management

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.

CVE-2022-0729 8.8 - High - February 23, 2022

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.

Buffer Overflow

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP

CVE-2022-23608 9.8 - Critical - February 22, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

Dangling pointer

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.

CVE-2022-0714 5.5 - Medium - February 22, 2022

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.

Memory Corruption

There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion

CVE-2021-4115 5.5 - Medium - February 21, 2022

There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned

Resource Exhaustion

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Debian? Click the Watch button to subscribe.

Debian
Vendor

subscribe