SB16-347: Vulnerability Summary for the Week of December 5, 2016

Original release date: December 12, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
alcatel-lucent — omnivista_8770_network_management_system Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITYSYSTEM on the server. NOTE: The discoverer states “The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server.” 2016-12-03 10.0 CVE-2016-9796
MISC
BID
MISC
MISC
google — android arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the “strict page permissions” protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access. 2016-12-08 9.3 CVE-2015-8967
CONFIRM
CONFIRM
BID
CONFIRM
google — android The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 31470303 and external bug 211602 (and AndroidID-7225554). 2016-12-06 7.1 CVE-2016-5341
CONFIRM
BID
MISC
intel — wireless_bluetooth_drivers Unquoted service path vulnerability in Intel Wireless Bluetooth Drivers 16.x, 17.x, and before 18.1.1607.3129 allows local users to launch processes with elevated privileges. 2016-12-08 7.2 CVE-2016-8102
CONFIRM
joomla — joomla! The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types. 2016-12-05 7.5 CVE-2016-9836
BID
MISC
linux — linux_kernel arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call. 2016-12-08 7.2 CVE-2015-8966
CONFIRM
BID
CONFIRM
CONFIRM
linux — linux_kernel Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. 2016-12-08 7.2 CVE-2016-8655
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux — linux_kernel Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time. 2016-12-08 9.3 CVE-2016-9120
CONFIRM
CONFIRM
BID
CONFIRM
linux — linux_kernel The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet. 2016-12-08 7.8 CVE-2016-9919
CONFIRM
MLIST
CONFIRM
siemens — sicam_pas A vulnerability in Siemens SICAM PAS (all versions including V8.08) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/TCP. 2016-12-05 7.5 CVE-2016-9156
BID
CONFIRM
siemens — sicam_pas A vulnerability in Siemens SICAM PAS (all versions including V8.08) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets sent to port 19234/TCP. 2016-12-05 7.5 CVE-2016-9157
BID
CONFIRM
zikula — zikula_application_framework Directory traversal vulnerability in file “jcss.php” in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file. 2016-12-05 7.5 CVE-2016-9835
CONFIRM
CONFIRM
CONFIRM

Back to top

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
apache — http_server The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. 2016-12-05 5.0 CVE-2016-8740
BID
CONFIRM
bluez — bluez In BlueZ 5.42, a buffer over-read was observed in “l2cap_dump” function in “tools/parser/l2cap.c” source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. 2016-12-03 5.0 CVE-2016-9797
BID
MISC
bluez — bluez In BlueZ 5.42, a use-after-free was identified in “conf_opt” function in “tools/parser/l2cap.c” source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. 2016-12-03 5.0 CVE-2016-9798
BID
MISC
bluez — bluez In BlueZ 5.42, a buffer overflow was observed in “pklg_read_hci” function in “btsnoop.c” source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. 2016-12-03 5.0 CVE-2016-9799
BID
MISC
bluez — bluez In BlueZ 5.42, a buffer overflow was observed in “pin_code_reply_dump” function in “tools/parser/hci.c” source file. The issue exists because “pin” array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame “pin_code_reply_cp *cp” parameter. 2016-12-03 5.0 CVE-2016-9800
BID
MISC
bluez — bluez In BlueZ 5.42, a buffer overflow was observed in “set_ext_ctrl” function in “tools/parser/l2cap.c” source file when processing corrupted dump file. 2016-12-03 5.0 CVE-2016-9801
BID
MISC
bluez — bluez In BlueZ 5.42, a buffer over-read was identified in “l2cap_packet” function in “monitor/packet.c” source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. 2016-12-03 5.0 CVE-2016-9802
BID
MISC
bluez — bluez In BlueZ 5.42, an out-of-bounds read was observed in “le_meta_ev_dump” function in “tools/parser/hci.c” source file. This issue exists because ‘subevent’ (which is used to read correct element from ‘ev_le_meta_str’ array) is overflowed. 2016-12-03 5.0 CVE-2016-9803
BID
MISC
bluez — bluez In BlueZ 5.42, a buffer overflow was observed in “commands_dump” function in “tools/parser/csr.c” source file. The issue exists because “commands” array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame “frm->ptr” parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. 2016-12-03 5.0 CVE-2016-9804
BID
MISC
bluez_project — bluez In BlueZ 5.42, a buffer overflow was observed in “read_n” function in “tools/hcidump.c” source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. 2016-12-08 5.0 CVE-2016-9917
MISC
bluez_project — bluez In BlueZ 5.42, an out-of-bounds read was identified in “packet_hexdump” function in “monitor/packet.c” source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. 2016-12-08 5.0 CVE-2016-9918
MISC
gnome — libgsf An error within the “tar_directory_for_file()” function (gsf-infile-tar.c) in GNOME Structured File Library before 1.14.41 can be exploited to trigger a Null pointer dereference and subsequently cause a crash via a crafted TAR file. 2016-12-08 4.3 CVE-2016-9888
MISC
libtiff — libtiff Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file. 2016-12-06 5.8 CVE-2015-8870
CONFIRM
MISC
BID
netapp — netapp_plug-in NetApp Plug-in for Symantec NetBackup prior to version 2.0.1 makes use of a non-unique server certificate, making it vulnerable to impersonation. 2016-12-05 6.8 CVE-2016-7171
BID
CONFIRM
roundcube — webmail steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. 2016-12-08 6.0 CVE-2016-9920
MLIST
MISC
CONFIRM
spip — spip Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter. 2016-12-05 4.3 CVE-2016-9152
BID
CONFIRM
umn — mapserver In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connection fails. 2016-12-08 5.0 CVE-2016-9839
CONFIRM

Back to top

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
intel — proset/wireless_software_and_drivers Buffer overflow in Intel PROSet/Wireless Software and Drivers in versions before 19.20.3 allows a local user to crash iframewrk.exe causing a potential denial of service. 2016-12-08 2.1 CVE-2016-8104
CONFIRM

Back to top

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
atlassian_crowd — ldap The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. 2016-12-09 not yet calculated CVE-2016-6496
BUGTRAQ
BID
CONFIRM
CONFIRM
MISC
busybox — busybox The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. 2016-12-09 not yet calculated CVE-2016-6301
MLIST
BID
CONFIRM
CONFIRM
crowbar_framework — openstack_and_trove_barclamp The trove service user in (1) Openstack deployment (aka crowbar-openstack) and (2) Trove Barclamp (aka barclamp-trove and crowbar-barclamp-trove) in the Crowbar Framework has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors. 2016-12-09 not yet calculated CVE-2016-6829
MLIST
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
django — django Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. 2016-12-09 not yet calculated CVE-2016-9013
SECTRACK
UBUNTU
FEDORA
FEDORA
CONFIRM
django — django Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. 2016-12-09 not yet calculated CVE-2016-9014
SECTRACK
UBUNTU
FEDORA
FEDORA
CONFIRM
dotclear — dotclear Multiple cross-site scripting (XSS) vulnerabilities in the media manager in Dotclear before 2.10 allow remote attackers to inject arbitrary web script or HTML via the (1) q or (2) link_type parameter to admin/media.php. 2016-12-09 not yet calculated CVE-2016-6523
MLIST
MLIST
BID
CONFIRM
CONFIRM
gnu — gnutar Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. 2016-12-09 not yet calculated CVE-2016-6321
CONFIRM
MLIST
MISC
FULLDISC
FULLDISC
BID
MISC
intel — nuc_kits SMM call out in all Intel Branded NUC Kits allows a local privileged user to access the System Management Mode and take full control of the platform. 2016-12-08 not yet calculated CVE-2016-8103
CONFIRM
jfrog — artifactory JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. 2016-12-09 not yet calculated CVE-2016-6501
MISC
CONFIRM
phpmyadmin — phpmyadmin A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6610
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user’s browser cookie file to decrypt the username and password. Furthermore, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same – but the attacker can not directly decode these values from the cookie as it is still hashed. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6606
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6624
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin involving the $cfg[‘ArbitraryServerRegexp’] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6629
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6614
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6632
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected. 2016-12-10 not yet calculated CVE-2016-6617
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6611
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6609
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user’s valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. 2016-12-10 not yet calculated CVE-2016-4412
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6631
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6612
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6613
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6627
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user’s session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6625
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6626
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6628
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6630
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An authorized user can cause a denial-of-service (DoS) attack on a server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6623
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg[‘AllowArbitraryServer’]=true. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9860
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg[‘AllowArbitraryServer’]=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6622
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the curl wrapper issue. 2016-12-10 not yet calculated CVE-2016-9852
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the fopen wrapper issue. 2016-12-10 not yet calculated CVE-2016-9853
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the json_decode issue. 2016-12-10 not yet calculated CVE-2016-9854
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. This CVE is for the PMA_shutdownDuringExport issue. 2016-12-10 not yet calculated CVE-2016-9855
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9865
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. Due to the limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9861
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. In the “User group” and “Designer” features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. 2016-12-10 not yet calculated CVE-2016-6616
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6619
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg[‘Servers’][$i][‘AllowRoot’]) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9849
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9848
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6633
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it’s valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6620
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. The transformation feature allows a user to trigger a denial-of-service (DoS) attack against the server. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6618
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9850
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9866
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user’s blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9847
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected. 2016-12-10 not yet calculated CVE-2016-9862
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected. 2016-12-10 not yet calculated CVE-2016-9851
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9859
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9858
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9864
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected. 2016-12-10 not yet calculated CVE-2016-9863
CONFIRM
phpmyadmin — phpmyadmin An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9857
CONFIRM
phpmyadmin — phpmyadmin An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. 2016-12-10 not yet calculated CVE-2016-9856
CONFIRM
phpmyadmin — phpmyadmin XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the “Tracking” feature (a specially-crafted query can be used to trigger an XSS attack); and GIS visualization feature. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. 2016-12-10 not yet calculated CVE-2016-6615
CONFIRM
phpmyadmin — phpmyadmin XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the “Remove partitioning” functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected. 2016-12-10 not yet calculated CVE-2016-6608
CONFIRM
phpmyadmin — phpmyadmin XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. 2016-12-10 not yet calculated CVE-2016-6607
CONFIRM
postgresql — postgresql PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. 2016-12-09 not yet calculated CVE-2016-5423
DEBIAN
BID
SECTRACK
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
postgresql — postgresql PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) ” (double quote), (2) (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. 2016-12-09 not yet calculated CVE-2016-5424
DEBIAN
SECTRACK
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
pricewaterhouse — ace-abap PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report. 2016-12-09 not yet calculated CVE-2016-9832
MISC
BID
MISC
qemu — qemu Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string. 2016-12-09 not yet calculated CVE-2016-7116
CONFIRM
MLIST
MLIST
BID
MLIST
MLIST
qemu — qemu hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings. 2016-12-09 not yet calculated CVE-2016-7155
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference. 2016-12-09 not yet calculated CVE-2016-6888
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device. 2016-12-09 not yet calculated CVE-2016-9101
MLIST
MLIST
MLIST
qemu — qemu Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes. 2016-12-09 not yet calculated CVE-2016-7995
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. 2016-12-09 not yet calculated CVE-2016-7466
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object. 2016-12-09 not yet calculated CVE-2016-9105
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector. 2016-12-09 not yet calculated CVE-2016-9106
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number. 2016-12-09 not yet calculated CVE-2016-9102
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands. 2016-12-09 not yet calculated CVE-2016-7994
MLIST
MLIST
BID
MLIST
qemu — qemu Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access. 2016-12-09 not yet calculated CVE-2016-9104
MLIST
MLIST
MLIST
qemu — qemu The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK. 2016-12-09 not yet calculated CVE-2016-7157
CONFIRM
MLIST
MLIST
BID
MLIST
MLIST
qemu — qemu The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. 2016-12-09 not yet calculated CVE-2016-4964
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length. 2016-12-09 not yet calculated CVE-2016-6834
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast. 2016-12-09 not yet calculated CVE-2016-7156
CONFIRM
MLIST
MLIST
BID
MLIST
MLIST
qemu — qemu The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size. 2016-12-09 not yet calculated CVE-2016-7421
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them. 2016-12-09 not yet calculated CVE-2016-9103
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer. 2016-12-09 not yet calculated CVE-2016-6490
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value. 2016-12-09 not yet calculated CVE-2016-7422
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. 2016-12-09 not yet calculated CVE-2016-7170
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object. 2016-12-09 not yet calculated CVE-2016-6836
CONFIRM
MLIST
MLIST
BID
MLIST
qemu — qemu The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length. 2016-12-09 not yet calculated CVE-2016-6835
CONFIRM
MLIST
MLIST
MLIST
qemu — qemu Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active. 2016-12-09 not yet calculated CVE-2016-6833
CONFIRM
MLIST
MLIST
BID
MLIST
rabbitmq — rmanagement_plugin The Management plugin in RabbitMQ before 3.6.1 allows remote authenticated users with certain privileges to cause a denial of service (resource consumption) via the (1) lengths_age or (2) lengths_incr parameter. 2016-12-09 not yet calculated CVE-2015-8786
CONFIRM
BID
CONFIRM
CONFIRM

Back to top


This product is provided subject to this Notification and this Privacy & Use policy.

Powered by WPeMatico

This entry was posted in Alerts. Bookmark the permalink.