Red Hat Red Hat Linux OS and other open source products

Do you want an email whenever new security vulnerabilities are reported in any Red Hat product?

Products by Red Hat Sorted by Most Security Vulnerabilities since 2018

Red Hat Enterprise Linux Server1444 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.

Red Hat Enterprise Linux Workstation1418 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.

Red Hat Enterprise Linux Desktop1403 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop

Red Hat Enterprise Linux (RHEL)1134 vulnerabilities

Red Hat Enterprise Linux Eus682 vulnerabilities

Red Hat Openstack189 vulnerabilities

Red Hat Satellite183 vulnerabilities

Red Hat Software Collections115 vulnerabilities

Red Hat Virtualization111 vulnerabilities

Red Hat Openshift83 vulnerabilities

Red Hat Single Sign On79 vulnerabilities

Red Hat Keycloak70 vulnerabilities

Red Hat Enterprise Mrg69 vulnerabilities

Red Hat Ansible Tower65 vulnerabilities

Red Hat Libvirt52 vulnerabilities

Red Hat Virtualization Host51 vulnerabilities

Red Hat Linux Server45 vulnerabilities

Red Hat Linux Desktop45 vulnerabilities

Red Hat Linux Workstation45 vulnerabilities

Red Hat Ceph Storage41 vulnerabilities

Red Hat Enterprise Linux Aus37 vulnerabilities

Red Hat Jboss Fuse33 vulnerabilities

Red Hat Openstack Platform32 vulnerabilities

Red Hat Ansible30 vulnerabilities

Red Hat Cloudforms28 vulnerabilities

Red Hat Linux28 vulnerabilities

Red Hat Ansible Engine27 vulnerabilities

Red Hat Undertow25 vulnerabilities
Java HTTP Server and Servlet Container

Red Hat Storage25 vulnerabilities

Red Hat Quay22 vulnerabilities

Red Hat Build Of Quarkus19 vulnerabilities

Red Hat Integration Camel K19 vulnerabilities

Red Hat Jboss Data Grid19 vulnerabilities

Red Hat Decision Manager19 vulnerabilities

Red Hat Jboss Core Services18 vulnerabilities

Red Hat Enterprise Linux Tus18 vulnerabilities

Red Hat Openshift Service Mesh18 vulnerabilities

Red Hat Process Automation18 vulnerabilities

Red Hat Gluster Storage17 vulnerabilities

Red Hat Fuse17 vulnerabilities

Red Hat Wildfly16 vulnerabilities

Red Hat Jboss A Mq15 vulnerabilities

Red Hat Ceph14 vulnerabilities

Red Hat Developer Tools14 vulnerabilities

Red Hat Virtualization Manager13 vulnerabilities

Red Hat Spacewalk11 vulnerabilities

Red Hat 3scale Api Management10 vulnerabilities

Red Hat Descision Manager10 vulnerabilities

Red Hat Resteasy10 vulnerabilities

Red Hat Network Satellite9 vulnerabilities

Red Hat Mrg Realtime8 vulnerabilities

Red Hat Satellite Capsule8 vulnerabilities

Red Hat Jboss Bpm Suite8 vulnerabilities

Red Hat Spacewalk Java8 vulnerabilities

Red Hat Data Grid8 vulnerabilities

Red Hat Jboss Brms7 vulnerabilities

Red Hat Directory Server7 vulnerabilities

Red Hat Ovirt Engine7 vulnerabilities

Recent Red Hat Security Advisories

Advisory Title Published
RHSA-2023:7656 (RHSA-2023:7656) Important: postgresql:12 security update December 5, 2023
RHSA-2023:7653 (RHSA-2023:7653) Important: Service Registry (container images) release and security update [2.5.4 GA] December 5, 2023
RHSA-2023:7599 (RHSA-2023:7599) Important: OpenShift Container Platform 4.14.5 bug fix and security update December 5, 2023
RHSA-2023:7641 (RHSA-2023:7641) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 security update December 4, 2023
RHSA-2023:7639 (RHSA-2023:7639) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 security update December 4, 2023
RHSA-2023:7638 (RHSA-2023:7638) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 8 security update December 4, 2023
RHSA-2023:7633 (RHSA-2023:7633) Important: rh-mariadb105-galera and rh-mariadb105-mariadb security update December 4, 2023
RHSA-2023:7617 (RHSA-2023:7617) Important: Red Hat Build of Apache Camel for Quarkus 3.2.0 release (RHBQ 3.2.9.Final) November 30, 2023
RHSA-2023:7616 (RHSA-2023:7616) Important: postgresql security update November 30, 2023
RHSA-2023:7341 (RHSA-2023:7341) Important: Red Hat Quay security update November 30, 2023

By the Year

In 2023 there have been 882 vulnerabilities in Red Hat with an average score of 6.9 out of ten. Last year Red Hat had 1331 security vulnerabilities published. Right now, Red Hat is on track to have less security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 0.05

Year Vulnerabilities Average Score
2023 882 6.93
2022 1331 6.98
2021 1084 6.67
2020 631 6.58
2019 746 6.91
2018 707 7.25

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys

CVE-2023-30590 7.5 - High - November 28, 2023

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates

CVE-2023-30588 5.3 - Medium - November 28, 2023

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates

CVE-2023-30588 5.3 - Medium - November 28, 2023

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys

CVE-2023-30590 7.5 - High - November 28, 2023

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates

CVE-2023-30588 5.3 - Medium - November 28, 2023

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys

CVE-2023-30590 7.5 - High - November 28, 2023

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates

CVE-2023-30588 5.3 - Medium - November 28, 2023

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys

CVE-2023-30590 7.5 - High - November 28, 2023

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

A vulnerability was found

CVE-2023-5981 5.9 - Medium - November 28, 2023

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Side Channel Attack

A flaw was found in libnbd

CVE-2023-5871 7.5 - High - November 27, 2023

A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.

assertion failure

The use of __proto__ in process.mainModule

CVE-2023-30581 7.5 - High - November 23, 2023

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

The use of __proto__ in process.mainModule

CVE-2023-30581 7.5 - High - November 23, 2023

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

The use of __proto__ in process.mainModule

CVE-2023-30581 7.5 - High - November 23, 2023

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

The use of __proto__ in process.mainModule

CVE-2023-30581 7.5 - High - November 23, 2023

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash

CVE-2023-6205 6.5 - Medium - November 21, 2023

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the

CVE-2023-6204 6.5 - Medium - November 21, 2023

On some systemsdepending on the graphics settings and driversit was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Out-of-bounds Read

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts

CVE-2023-6206 5.4 - Medium - November 21, 2023

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Clickjacking

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4

CVE-2023-6212 8.8 - High - November 21, 2023

Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Memory Corruption

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/

CVE-2023-6209 6.5 - Medium - November 21, 2023

Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Directory traversal

When using X11

CVE-2023-6208 8.8 - High - November 21, 2023

When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120

CVE-2023-6207 8.8 - High - November 21, 2023

Ownership mismanagement led to a use-after-free in ReadableByteStreams This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.

Dangling pointer

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality

CVE-2023-6176 7.8 - High - November 16, 2023

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.

NULL Pointer Dereference

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel

CVE-2023-6121 4.3 - Medium - November 16, 2023

An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data to be printed (and potentially leaked) to the kernel ring buffer (dmesg).

Out-of-bounds Read

A path traversal vulnerability exists in Ansible when extracting tarballs

CVE-2023-5189 6.5 - Medium - November 14, 2023

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

Directory traversal

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

ASP.NET Core - Security Feature Bypass Vulnerability

CVE-2023-36558 5.5 - Medium - November 14, 2023

ASP.NET Core - Security Feature Bypass Vulnerability

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.