Docker buildpack-deps:14.04

Vulnerabilities

492 via 1397 paths

Dependencies

467

Source

Group 6 Copy Created with Sketch. Docker

Target OS

ubuntu:14.04
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 3
  • 196
  • 293
Status
  • 492
  • 0
  • 0

high severity

Out-of-bounds Write

  • Vulnerable module: freetype/libfreetype6
  • Introduced through: freetype/libfreetype6@2.5.2-1ubuntu2.8 and freetype/libfreetype6-dev@2.5.2-1ubuntu2.8
  • Fixed in: 2.5.2-1ubuntu2.8+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6@2.5.2-1ubuntu2.8
  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6-dev@2.5.2-1ubuntu2.8

NVD Description

Note: Versions mentioned in the description apply to the upstream freetype package. See Remediation section below for Ubuntu:14.04 relevant versions.

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 freetype to version 2.5.2-1ubuntu2.8+esm2 or higher.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1f-1ubuntu2.27, openssl/libssl-dev@1.0.1f-1ubuntu2.27 and others
  • Fixed in: 1.0.1f-1ubuntu2.27+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openssl@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl-dev@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl1.0.0@1.0.1f-1ubuntu2.27

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Ubuntu:14.04 relevant versions.

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

Remediation

Upgrade Ubuntu:14.04 openssl to version 1.0.1f-1ubuntu2.27+esm2 or higher.

References

high severity

Off-by-one Error

  • Vulnerable module: sudo
  • Introduced through: sudo@1.8.9p5-1ubuntu1.4
  • Fixed in: 1.8.9p5-1ubuntu1.5+esm6

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sudo@1.8.9p5-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream sudo package. See Remediation section below for Ubuntu:14.04 relevant versions.

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Remediation

Upgrade Ubuntu:14.04 sudo to version 1.8.9p5-1ubuntu1.5+esm6 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: apt
  • Introduced through: apt@1.0.1ubuntu2.23, apt/apt-utils@1.0.1ubuntu2.23 and others
  • Fixed in: 1.0.1ubuntu2.24+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* apt@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/apt-utils@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/libapt-inst1.5@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/libapt-pkg4.12@1.0.1ubuntu2.23

NVD Description

Note: Versions mentioned in the description apply to the upstream apt package. See Remediation section below for Ubuntu:14.04 relevant versions.

Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.

Remediation

Upgrade Ubuntu:14.04 apt to version 1.0.1ubuntu2.24+esm1 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: apt
  • Introduced through: apt@1.0.1ubuntu2.23, apt/apt-utils@1.0.1ubuntu2.23 and others
  • Fixed in: 1.0.1ubuntu2.24+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* apt@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/apt-utils@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/libapt-inst1.5@1.0.1ubuntu2.23
  • Introduced through: buildpack-deps:14.04@* apt/libapt-pkg4.12@1.0.1ubuntu2.23

NVD Description

Note: Versions mentioned in the description apply to the upstream apt package. See Remediation section below for Ubuntu:14.04 relevant versions.

APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;

Remediation

Upgrade Ubuntu:14.04 apt to version 1.0.1ubuntu2.24+esm3 or higher.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: avahi/libavahi-client3
  • Introduced through: avahi/libavahi-client3@0.6.31-4ubuntu1.3, avahi/libavahi-common-data@0.6.31-4ubuntu1.3 and others
  • Fixed in: 0.6.31-4ubuntu1.3+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* avahi/libavahi-client3@0.6.31-4ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* avahi/libavahi-common-data@0.6.31-4ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* avahi/libavahi-common3@0.6.31-4ubuntu1.3

NVD Description

Note: Versions mentioned in the description apply to the upstream avahi package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

Remediation

Upgrade Ubuntu:14.04 avahi to version 0.6.31-4ubuntu1.3+esm1 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: binutils
  • Introduced through: binutils@2.24-5ubuntu14.2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* binutils@2.24-5ubuntu14.2

NVD Description

Note: Versions mentioned in the description apply to the upstream binutils package.

apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.

Remediation

There is no fixed version for Ubuntu:14.04 binutils.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: bzip2
  • Introduced through: bzip2@1.0.6-5, bzip2/libbz2-1.0@1.0.6-5 and others
  • Fixed in: 1.0.6-5ubuntu0.1~esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* bzip2@1.0.6-5
  • Introduced through: buildpack-deps:14.04@* bzip2/libbz2-1.0@1.0.6-5
  • Introduced through: buildpack-deps:14.04@* bzip2/libbz2-dev@1.0.6-5

NVD Description

Note: Versions mentioned in the description apply to the upstream bzip2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Remediation

Upgrade Ubuntu:14.04 bzip2 to version 1.0.6-5ubuntu0.1~esm2 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: cairo/libcairo-gobject2
  • Introduced through: cairo/libcairo-gobject2@1.13.0~20140204-0ubuntu1.1, cairo/libcairo-script-interpreter2@1.13.0~20140204-0ubuntu1.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* cairo/libcairo-gobject2@1.13.0~20140204-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* cairo/libcairo-script-interpreter2@1.13.0~20140204-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* cairo/libcairo2@1.13.0~20140204-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* cairo/libcairo2-dev@1.13.0~20140204-0ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply to the upstream cairo package.

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

Remediation

There is no fixed version for Ubuntu:14.04 cairo.

References

medium severity

Improper Input Validation

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11+dfsg-1ubuntu1.2
  • Fixed in: 2.11+dfsg-1ubuntu1.2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* cpio@2.11+dfsg-1ubuntu1.2

NVD Description

Note: Versions mentioned in the description apply to the upstream cpio package. See Remediation section below for Ubuntu:14.04 relevant versions.

In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

Remediation

Upgrade Ubuntu:14.04 cpio to version 2.11+dfsg-1ubuntu1.2+esm1 or higher.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: curl
  • Introduced through: curl@7.35.0-1ubuntu2.20, curl/libcurl3@7.35.0-1ubuntu2.20 and others
  • Fixed in: 7.35.0-1ubuntu2.20+esm4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* curl@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3-gnutls@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl4-openssl-dev@7.35.0-1ubuntu2.20

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:14.04 relevant versions.

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.

Remediation

Upgrade Ubuntu:14.04 curl to version 7.35.0-1ubuntu2.20+esm4 or higher.

References

medium severity

Buffer Overflow

  • Vulnerable module: curl
  • Introduced through: curl@7.35.0-1ubuntu2.20, curl/libcurl3@7.35.0-1ubuntu2.20 and others
  • Fixed in: 7.35.0-1ubuntu2.20+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* curl@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3-gnutls@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl4-openssl-dev@7.35.0-1ubuntu2.20

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:14.04 relevant versions.

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

Remediation

Upgrade Ubuntu:14.04 curl to version 7.35.0-1ubuntu2.20+esm3 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.35.0-1ubuntu2.20, curl/libcurl3@7.35.0-1ubuntu2.20 and others
  • Fixed in: 7.35.0-1ubuntu2.20+esm7

Detailed paths

  • Introduced through: buildpack-deps:14.04@* curl@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3-gnutls@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl4-openssl-dev@7.35.0-1ubuntu2.20

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:14.04 relevant versions.

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Remediation

Upgrade Ubuntu:14.04 curl to version 7.35.0-1ubuntu2.20+esm7 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: curl
  • Introduced through: curl@7.35.0-1ubuntu2.20, curl/libcurl3@7.35.0-1ubuntu2.20 and others
  • Fixed in: 7.35.0-1ubuntu2.20+esm6

Detailed paths

  • Introduced through: buildpack-deps:14.04@* curl@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3-gnutls@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl4-openssl-dev@7.35.0-1ubuntu2.20

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:14.04 relevant versions.

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

Remediation

Upgrade Ubuntu:14.04 curl to version 7.35.0-1ubuntu2.20+esm6 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: curl
  • Introduced through: curl@7.35.0-1ubuntu2.20, curl/libcurl3@7.35.0-1ubuntu2.20 and others
  • Fixed in: 7.35.0-1ubuntu2.20+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* curl@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl3-gnutls@7.35.0-1ubuntu2.20
  • Introduced through: buildpack-deps:14.04@* curl/libcurl4-openssl-dev@7.35.0-1ubuntu2.20

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Ubuntu:14.04 relevant versions.

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

Remediation

Upgrade Ubuntu:14.04 curl to version 7.35.0-1ubuntu2.20+esm2 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: cyrus-sasl2/libsasl2-2
  • Introduced through: cyrus-sasl2/libsasl2-2@2.1.25.dfsg1-17build1 and cyrus-sasl2/libsasl2-modules-db@2.1.25.dfsg1-17build1
  • Fixed in: 2.1.25.dfsg1-17ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* cyrus-sasl2/libsasl2-2@2.1.25.dfsg1-17build1
  • Introduced through: buildpack-deps:14.04@* cyrus-sasl2/libsasl2-modules-db@2.1.25.dfsg1-17build1

NVD Description

Note: Versions mentioned in the description apply to the upstream cyrus-sasl2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.

Remediation

Upgrade Ubuntu:14.04 cyrus-sasl2 to version 2.1.25.dfsg1-17ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: db5.3/libdb5.3
  • Introduced through: db5.3/libdb5.3@5.3.28-3ubuntu3.1 and db5.3/libdb5.3-dev@5.3.28-3ubuntu3.1
  • Fixed in: 5.3.28-3ubuntu3.1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* db5.3/libdb5.3@5.3.28-3ubuntu3.1
  • Introduced through: buildpack-deps:14.04@* db5.3/libdb5.3-dev@5.3.28-3ubuntu3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream db5.3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

Remediation

Upgrade Ubuntu:14.04 db5.3 to version 5.3.28-3ubuntu3.1+esm1 or higher.

References

medium severity

Improper Resource Shutdown or Release

  • Vulnerable module: dbus/libdbus-1-3
  • Introduced through: dbus/libdbus-1-3@1.6.18-0ubuntu4.5
  • Fixed in: 1.6.18-0ubuntu4.5+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* dbus/libdbus-1-3@1.6.18-0ubuntu4.5

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Remediation

Upgrade Ubuntu:14.04 dbus to version 1.6.18-0ubuntu4.5+esm2 or higher.

References

medium severity

Link Following

  • Vulnerable module: dbus/libdbus-1-3
  • Introduced through: dbus/libdbus-1-3@1.6.18-0ubuntu4.5
  • Fixed in: 1.6.18-0ubuntu4.5+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* dbus/libdbus-1-3@1.6.18-0ubuntu4.5

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus package. See Remediation section below for Ubuntu:14.04 relevant versions.

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

Remediation

Upgrade Ubuntu:14.04 dbus to version 1.6.18-0ubuntu4.5+esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: e2fsprogs
  • Introduced through: e2fsprogs@1.42.9-3ubuntu1.3, e2fsprogs/e2fslibs@1.42.9-3ubuntu1.3 and others
  • Fixed in: 1.42.9-3ubuntu1.3+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* e2fsprogs@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/e2fslibs@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/libcomerr2@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/libss2@1.42.9-3ubuntu1.3

NVD Description

Note: Versions mentioned in the description apply to the upstream e2fsprogs package. See Remediation section below for Ubuntu:14.04 relevant versions.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Ubuntu:14.04 e2fsprogs to version 1.42.9-3ubuntu1.3+esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: e2fsprogs
  • Introduced through: e2fsprogs@1.42.9-3ubuntu1.3, e2fsprogs/e2fslibs@1.42.9-3ubuntu1.3 and others
  • Fixed in: 1.42.9-3ubuntu1.3+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* e2fsprogs@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/e2fslibs@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/libcomerr2@1.42.9-3ubuntu1.3
  • Introduced through: buildpack-deps:14.04@* e2fsprogs/libss2@1.42.9-3ubuntu1.3

NVD Description

Note: Versions mentioned in the description apply to the upstream e2fsprogs package. See Remediation section below for Ubuntu:14.04 relevant versions.

A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Ubuntu:14.04 e2fsprogs to version 1.42.9-3ubuntu1.3+esm2 or higher.

References

medium severity

Out-of-Bounds

  • Vulnerable module: eglibc/libc-bin
  • Introduced through: eglibc/libc-bin@2.19-0ubuntu6.15, eglibc/libc-dev-bin@2.19-0ubuntu6.15 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* eglibc/libc-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc-dev-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6-dev@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/multiarch-support@2.19-0ubuntu6.15

NVD Description

Note: Versions mentioned in the description apply to the upstream eglibc package.

nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.

Remediation

There is no fixed version for Ubuntu:14.04 eglibc.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: eglibc/libc-bin
  • Introduced through: eglibc/libc-bin@2.19-0ubuntu6.15, eglibc/libc-dev-bin@2.19-0ubuntu6.15 and others
  • Fixed in: 2.19-0ubuntu6.15+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* eglibc/libc-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc-dev-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6-dev@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/multiarch-support@2.19-0ubuntu6.15

NVD Description

Note: Versions mentioned in the description apply to the upstream eglibc package. See Remediation section below for Ubuntu:14.04 relevant versions.

An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.

Remediation

Upgrade Ubuntu:14.04 eglibc to version 2.19-0ubuntu6.15+esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: eglibc/libc-bin
  • Introduced through: eglibc/libc-bin@2.19-0ubuntu6.15, eglibc/libc-dev-bin@2.19-0ubuntu6.15 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* eglibc/libc-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc-dev-bin@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/libc6-dev@2.19-0ubuntu6.15
  • Introduced through: buildpack-deps:14.04@* eglibc/multiarch-support@2.19-0ubuntu6.15

NVD Description

Note: Versions mentioned in the description apply to the upstream eglibc package.

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.

Remediation

There is no fixed version for Ubuntu:14.04 eglibc.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: expat/libexpat1
  • Introduced through: expat/libexpat1@2.1.0-4ubuntu1.4 and expat/libexpat1-dev@2.1.0-4ubuntu1.4
  • Fixed in: 2.1.0-4ubuntu1.4+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* expat/libexpat1@2.1.0-4ubuntu1.4
  • Introduced through: buildpack-deps:14.04@* expat/libexpat1-dev@2.1.0-4ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Ubuntu:14.04 relevant versions.

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Remediation

Upgrade Ubuntu:14.04 expat to version 2.1.0-4ubuntu1.4+esm2 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: file
  • Introduced through: file@1:5.14-2ubuntu3.4 and file/libmagic1@1:5.14-2ubuntu3.4
  • Fixed in: 1:5.14-2ubuntu3.4+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* file@1:5.14-2ubuntu3.4
  • Introduced through: buildpack-deps:14.04@* file/libmagic1@1:5.14-2ubuntu3.4

NVD Description

Note: Versions mentioned in the description apply to the upstream file package. See Remediation section below for Ubuntu:14.04 relevant versions.

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

Remediation

Upgrade Ubuntu:14.04 file to version 1:5.14-2ubuntu3.4+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: freetype/libfreetype6
  • Introduced through: freetype/libfreetype6@2.5.2-1ubuntu2.8 and freetype/libfreetype6-dev@2.5.2-1ubuntu2.8
  • Fixed in: 2.5.2-1ubuntu2.8+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6@2.5.2-1ubuntu2.8
  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6-dev@2.5.2-1ubuntu2.8

NVD Description

Note: Versions mentioned in the description apply to the upstream freetype package. See Remediation section below for Ubuntu:14.04 relevant versions.

FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.

Remediation

Upgrade Ubuntu:14.04 freetype to version 2.5.2-1ubuntu2.8+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: freetype/libfreetype6
  • Introduced through: freetype/libfreetype6@2.5.2-1ubuntu2.8 and freetype/libfreetype6-dev@2.5.2-1ubuntu2.8
  • Fixed in: 2.5.2-1ubuntu2.8+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6@2.5.2-1ubuntu2.8
  • Introduced through: buildpack-deps:14.04@* freetype/libfreetype6-dev@2.5.2-1ubuntu2.8

NVD Description

Note: Versions mentioned in the description apply to the upstream freetype package. See Remediation section below for Ubuntu:14.04 relevant versions.

FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.

Remediation

Upgrade Ubuntu:14.04 freetype to version 2.5.2-1ubuntu2.8+esm1 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: gcc-4.8
  • Introduced through: gcc-4.8@4.8.4-2ubuntu1~14.04.4, gcc-4.8/cpp-4.8@4.8.4-2ubuntu1~14.04.4 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* gcc-4.8@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/cpp-4.8@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/g++-4.8@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/gcc-4.8-base@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libasan0@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libatomic1@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libgcc-4.8-dev@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libgomp1@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libitm1@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libquadmath0@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libstdc++-4.8-dev@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libstdc++6@4.8.4-2ubuntu1~14.04.4
  • Introduced through: buildpack-deps:14.04@* gcc-4.8/libtsan0@4.8.4-2ubuntu1~14.04.4

NVD Description

Note: Versions mentioned in the description apply to the upstream gcc-4.8 package.

Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."

Remediation

There is no fixed version for Ubuntu:14.04 gcc-4.8.

References

medium severity

Information Exposure

  • Vulnerable module: gcc-defaults/cpp
  • Introduced through: gcc-defaults/cpp@4:4.8.2-1ubuntu6, gcc-defaults/g++@4:4.8.2-1ubuntu6 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* gcc-defaults/cpp@4:4.8.2-1ubuntu6
  • Introduced through: buildpack-deps:14.04@* gcc-defaults/g++@4:4.8.2-1ubuntu6
  • Introduced through: buildpack-deps:14.04@* gcc-defaults/gcc@4:4.8.2-1ubuntu6

NVD Description

Note: Versions mentioned in the description apply to the upstream gcc-defaults package.

Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."

Remediation

There is no fixed version for Ubuntu:14.04 gcc-defaults.

References

medium severity

Incorrect Permission Assignment for Critical Resource

  • Vulnerable module: glib2.0/libglib2.0-0
  • Introduced through: glib2.0/libglib2.0-0@2.40.2-0ubuntu1.1, glib2.0/libglib2.0-bin@2.40.2-0ubuntu1.1 and others
  • Fixed in: 2.40.2-0ubuntu1.1+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-0@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-bin@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-data@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-dev@2.40.2-0ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2.0 package. See Remediation section below for Ubuntu:14.04 relevant versions.

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.

Remediation

Upgrade Ubuntu:14.04 glib2.0 to version 2.40.2-0ubuntu1.1+esm3 or higher.

References

medium severity

Race Condition

  • Vulnerable module: glib2.0/libglib2.0-0
  • Introduced through: glib2.0/libglib2.0-0@2.40.2-0ubuntu1.1, glib2.0/libglib2.0-bin@2.40.2-0ubuntu1.1 and others
  • Fixed in: 2.40.2-0ubuntu1.1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-0@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-bin@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-data@2.40.2-0ubuntu1.1
  • Introduced through: buildpack-deps:14.04@* glib2.0/libglib2.0-dev@2.40.2-0ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2.0 package. See Remediation section below for Ubuntu:14.04 relevant versions.

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

Remediation

Upgrade Ubuntu:14.04 glib2.0 to version 2.40.2-0ubuntu1.1+esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: imagemagick
  • Introduced through: imagemagick@8:6.7.7.10-6ubuntu3.13, imagemagick/imagemagick-common@8:6.7.7.10-6ubuntu3.13 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* imagemagick@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/imagemagick-common@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/libmagickcore-dev@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/libmagickcore5@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/libmagickcore5-extra@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/libmagickwand-dev@8:6.7.7.10-6ubuntu3.13
  • Introduced through: buildpack-deps:14.04@* imagemagick/libmagickwand5@8:6.7.7.10-6ubuntu3.13

NVD Description

Note: Versions mentioned in the description apply to the upstream imagemagick package.

In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.

Remediation

There is no fixed version for Ubuntu:14.04 imagemagick.

References

medium severity

Out-of-Bounds

  • Vulnerable module: isc-dhcp/isc-dhcp-client
  • Introduced through: isc-dhcp/isc-dhcp-client@4.2.4-7ubuntu12.13 and isc-dhcp/isc-dhcp-common@4.2.4-7ubuntu12.13
  • Fixed in: 4.2.4-7ubuntu12.13+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* isc-dhcp/isc-dhcp-client@4.2.4-7ubuntu12.13
  • Introduced through: buildpack-deps:14.04@* isc-dhcp/isc-dhcp-common@4.2.4-7ubuntu12.13

NVD Description

Note: Versions mentioned in the description apply to the upstream isc-dhcp package. See Remediation section below for Ubuntu:14.04 relevant versions.

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.

Remediation

Upgrade Ubuntu:14.04 isc-dhcp to version 4.2.4-7ubuntu12.13+esm1 or higher.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: jasper/libjasper-dev
  • Introduced through: jasper/libjasper-dev@1.900.1-14ubuntu3.5 and jasper/libjasper1@1.900.1-14ubuntu3.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* jasper/libjasper-dev@1.900.1-14ubuntu3.5
  • Introduced through: buildpack-deps:14.04@* jasper/libjasper1@1.900.1-14ubuntu3.5

NVD Description

Note: Versions mentioned in the description apply to the upstream jasper package.

There is an infinite loop in the jpc_dec_tileinit function in jpc/jpc_dec.c of Jasper 2.0.13. It will lead to a remote denial of service attack.

Remediation

There is no fixed version for Ubuntu:14.04 jasper.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: json-c/libjson-c2
  • Introduced through: json-c/libjson-c2@0.11-3ubuntu1.2 and json-c/libjson0@0.11-3ubuntu1.2
  • Fixed in: 0.11-3ubuntu1.2+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* json-c/libjson-c2@0.11-3ubuntu1.2
  • Introduced through: buildpack-deps:14.04@* json-c/libjson0@0.11-3ubuntu1.2

NVD Description

Note: Versions mentioned in the description apply to the upstream json-c package. See Remediation section below for Ubuntu:14.04 relevant versions.

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Remediation

Upgrade Ubuntu:14.04 json-c to version 0.11-3ubuntu1.2+esm3 or higher.

References

medium severity

Reachable Assertion

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.12+dfsg-2ubuntu5.4, krb5/libgssapi-krb5-2@1.12+dfsg-2ubuntu5.4 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* krb5/krb5-multidev@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libgssapi-krb5-2@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libgssrpc4@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libk5crypto3@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkadm5clnt-mit9@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkadm5srv-mit9@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkdb5-7@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5-3@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5-dev@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5support0@1.12+dfsg-2ubuntu5.4

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5 package.

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

Remediation

There is no fixed version for Ubuntu:14.04 krb5.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: krb5/krb5-multidev
  • Introduced through: krb5/krb5-multidev@1.12+dfsg-2ubuntu5.4, krb5/libgssapi-krb5-2@1.12+dfsg-2ubuntu5.4 and others
  • Fixed in: 1.12+dfsg-2ubuntu5.4+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* krb5/krb5-multidev@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libgssapi-krb5-2@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libgssrpc4@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libk5crypto3@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkadm5clnt-mit9@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkadm5srv-mit9@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkdb5-7@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5-3@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5-dev@1.12+dfsg-2ubuntu5.4
  • Introduced through: buildpack-deps:14.04@* krb5/libkrb5support0@1.12+dfsg-2ubuntu5.4

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5 package. See Remediation section below for Ubuntu:14.04 relevant versions.

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.

Remediation

Upgrade Ubuntu:14.04 krb5 to version 1.12+dfsg-2ubuntu5.4+esm2 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libbsd/libbsd0
  • Introduced through: libbsd/libbsd0@0.6.0-2ubuntu1
  • Fixed in: 0.6.0-2ubuntu1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libbsd/libbsd0@0.6.0-2ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libbsd package. See Remediation section below for Ubuntu:14.04 relevant versions.

nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).

Remediation

Upgrade Ubuntu:14.04 libbsd to version 0.6.0-2ubuntu1+esm1 or higher.

References

medium severity

Divide By Zero

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error.

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm2 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm6

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-159625731

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm6 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm5 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-147140917

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm5 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm5 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package.

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: AndroidVersions: Android-10Android ID: A-110986616

Remediation

There is no fixed version for Ubuntu:14.04 libexif.

References

medium severity

Use After Free

  • Vulnerable module: libexif/libexif-dev
  • Introduced through: libexif/libexif-dev@0.6.21-1ubuntu1 and libexif/libexif12@0.6.21-1ubuntu1
  • Fixed in: 0.6.21-1ubuntu1+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libexif/libexif-dev@0.6.21-1ubuntu1
  • Introduced through: buildpack-deps:14.04@* libexif/libexif12@0.6.21-1ubuntu1

NVD Description

Note: Versions mentioned in the description apply to the upstream libexif package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.

Remediation

Upgrade Ubuntu:14.04 libexif to version 0.6.21-1ubuntu1+esm5 or higher.

References

medium severity

Race Condition

  • Vulnerable module: libgcrypt11
  • Introduced through: libgcrypt11@1.5.3-2ubuntu4.6 and libgcrypt11/libgcrypt11-dev@1.5.3-2ubuntu4.6
  • Fixed in: 1.5.3-2ubuntu4.6+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libgcrypt11@1.5.3-2ubuntu4.6
  • Introduced through: buildpack-deps:14.04@* libgcrypt11/libgcrypt11-dev@1.5.3-2ubuntu4.6

NVD Description

Note: Versions mentioned in the description apply to the upstream libgcrypt11 package. See Remediation section below for Ubuntu:14.04 relevant versions.

It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

Remediation

Upgrade Ubuntu:14.04 libgcrypt11 to version 1.5.3-2ubuntu4.6+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libjpeg-turbo/libjpeg-turbo8
  • Introduced through: libjpeg-turbo/libjpeg-turbo8@1.3.0-0ubuntu2.1 and libjpeg-turbo/libjpeg-turbo8-dev@1.3.0-0ubuntu2.1
  • Fixed in: 1.3.0-0ubuntu2.1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libjpeg-turbo/libjpeg-turbo8@1.3.0-0ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libjpeg-turbo/libjpeg-turbo8-dev@1.3.0-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libjpeg-turbo package. See Remediation section below for Ubuntu:14.04 relevant versions.

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Remediation

Upgrade Ubuntu:14.04 libjpeg-turbo to version 1.3.0-0ubuntu2.1+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Use After Free

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: libwebp/libwebp-dev
  • Introduced through: libwebp/libwebp-dev@0.4.0-4, libwebp/libwebp5@0.4.0-4 and others
  • Fixed in: 0.4.0-4ubuntu0.1~esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp-dev@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebp5@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpdemux1@0.4.0-4
  • Introduced through: buildpack-deps:14.04@* libwebp/libwebpmux1@0.4.0-4

NVD Description

Note: Versions mentioned in the description apply to the upstream libwebp package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in libwebp in versions before 1.0.1. An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade Ubuntu:14.04 libwebp to version 0.4.0-4ubuntu0.1~esm1 or higher.

References

medium severity

Buffer Overflow

  • Vulnerable module: libx11/libx11-6
  • Introduced through: libx11/libx11-6@2:1.6.2-1ubuntu2.1, libx11/libx11-data@2:1.6.2-1ubuntu2.1 and others
  • Fixed in: 2:1.6.2-1ubuntu2.1+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libx11/libx11-6@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-data@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-dev@2:1.6.2-1ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libx11 package. See Remediation section below for Ubuntu:14.04 relevant versions.

LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.

Remediation

Upgrade Ubuntu:14.04 libx11 to version 2:1.6.2-1ubuntu2.1+esm2 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libx11/libx11-6
  • Introduced through: libx11/libx11-6@2:1.6.2-1ubuntu2.1, libx11/libx11-data@2:1.6.2-1ubuntu2.1 and others
  • Fixed in: 2:1.6.2-1ubuntu2.1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libx11/libx11-6@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-data@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-dev@2:1.6.2-1ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libx11 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.

Remediation

Upgrade Ubuntu:14.04 libx11 to version 2:1.6.2-1ubuntu2.1+esm1 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libx11/libx11-6
  • Introduced through: libx11/libx11-6@2:1.6.2-1ubuntu2.1, libx11/libx11-data@2:1.6.2-1ubuntu2.1 and others
  • Fixed in: 2:1.6.2-1ubuntu2.1+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libx11/libx11-6@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-data@2:1.6.2-1ubuntu2.1
  • Introduced through: buildpack-deps:14.04@* libx11/libx11-dev@2:1.6.2-1ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libx11 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.

Remediation

Upgrade Ubuntu:14.04 libx11 to version 2:1.6.2-1ubuntu2.1+esm1 or higher.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13
  • Fixed in: 2.9.1+dfsg1-3ubuntu4.13+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Ubuntu:14.04 libxml2 to version 2.9.1+dfsg1-3ubuntu4.13+esm2 or higher.

References

medium severity

Out-of-Bounds

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13
  • Fixed in: 2.9.1+dfsg1-3ubuntu4.13+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Remediation

Upgrade Ubuntu:14.04 libxml2 to version 2.9.1+dfsg1-3ubuntu4.13+esm2 or higher.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package.

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, watchOS 7.1, tvOS 14.2. Processing maliciously crafted web content may lead to code execution.

Remediation

There is no fixed version for Ubuntu:14.04 libxml2.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package.

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, iCloud for Windows 7.20, macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.

Remediation

There is no fixed version for Ubuntu:14.04 libxml2.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13
  • Fixed in: 2.9.1+dfsg1-3ubuntu4.13+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Remediation

Upgrade Ubuntu:14.04 libxml2 to version 2.9.1+dfsg1-3ubuntu4.13+esm2 or higher.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1+dfsg1-3ubuntu4.13 and libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13
  • Fixed in: 2.9.1+dfsg1-3ubuntu4.13+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxml2@2.9.1+dfsg1-3ubuntu4.13
  • Introduced through: buildpack-deps:14.04@* libxml2/libxml2-dev@2.9.1+dfsg1-3ubuntu4.13

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Ubuntu:14.04 relevant versions.

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Remediation

Upgrade Ubuntu:14.04 libxml2 to version 2.9.1+dfsg1-3ubuntu4.13+esm2 or higher.

References

medium severity

Use After Free

  • Vulnerable module: libxslt/libxslt1-dev
  • Introduced through: libxslt/libxslt1-dev@1.1.28-2ubuntu0.2 and libxslt/libxslt1.1@1.1.28-2ubuntu0.2
  • Fixed in: 1.1.28-2ubuntu0.2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* libxslt/libxslt1-dev@1.1.28-2ubuntu0.2
  • Introduced through: buildpack-deps:14.04@* libxslt/libxslt1.1@1.1.28-2ubuntu0.2

NVD Description

Note: Versions mentioned in the description apply to the upstream libxslt package. See Remediation section below for Ubuntu:14.04 relevant versions.

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Remediation

Upgrade Ubuntu:14.04 libxslt to version 1.1.28-2ubuntu0.2+esm1 or higher.

References

medium severity

Link Following

  • Vulnerable module: mercurial
  • Introduced through: mercurial@2.8.2-1ubuntu1.4 and mercurial/mercurial-common@2.8.2-1ubuntu1.4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mercurial@2.8.2-1ubuntu1.4
  • Introduced through: buildpack-deps:14.04@* mercurial/mercurial-common@2.8.2-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream mercurial package.

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Remediation

There is no fixed version for Ubuntu:14.04 mercurial.

References

medium severity

CVE-2019-2910

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2911

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2914

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2946

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2948

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2950

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2957

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2960

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2963

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2966

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2967

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2968

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2974

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2982

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2991

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.017 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2993

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2997

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-2998

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-3003

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-3004

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-3009

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-3011

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

CVE-2019-3018

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: libmysqld). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.4 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.4 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Compiling). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior and 5.7.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Log). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Access Control

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Input Validation

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Improper Input Validation

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Incorrect Authorization

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC). Supported versions that are affected are 5.3.13 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Information Exposure

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Information Exposure

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Information Exposure

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Information Exposure

  • Vulnerable module: mysql-5.5/libmysqlclient-dev
  • Introduced through: mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1, mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient-dev@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/libmysqlclient18@5.5.62-0ubuntu0.14.04.1
  • Introduced through: buildpack-deps:14.04@* mysql-5.5/mysql-common@5.5.62-0ubuntu0.14.04.1

NVD Description

Note: Versions mentioned in the description apply to the upstream mysql-5.5 package.

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

There is no fixed version for Ubuntu:14.04 mysql-5.5.

References

medium severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

CVE-2020-36226

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Double Free

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Improper Authentication

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5
  • Fixed in: 2.4.31-1+nmu2ubuntu8.5+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Remediation

Upgrade Ubuntu:14.04 openldap to version 2.4.31-1+nmu2ubuntu8.5+esm1 or higher.

References

medium severity

Integer Underflow

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Integer Underflow

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5
  • Fixed in: 2.4.31-1+nmu2ubuntu8.5+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Ubuntu:14.04 relevant versions.

A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.

Remediation

Upgrade Ubuntu:14.04 openldap to version 2.4.31-1+nmu2ubuntu8.5+esm3 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Reachable Assertion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5
  • Fixed in: 2.4.31-1+nmu2ubuntu8.5+esm4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Ubuntu:14.04 openldap to version 2.4.31-1+nmu2ubuntu8.5+esm4 or higher.

References

medium severity

Reachable Assertion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5
  • Fixed in: 2.4.31-1+nmu2ubuntu8.5+esm4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Ubuntu:14.04 relevant versions.

A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Ubuntu:14.04 openldap to version 2.4.31-1+nmu2ubuntu8.5+esm4 or higher.

References

medium severity

Reachable Assertion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Reachable Assertion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Reachable Assertion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Release of Invalid Pointer or Reference

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package.

A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.

Remediation

There is no fixed version for Ubuntu:14.04 openldap.

References

medium severity

Resource Exhaustion

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5 and openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5
  • Fixed in: 2.4.31-1+nmu2ubuntu8.5+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openldap/libldap-2.4-2@2.4.31-1+nmu2ubuntu8.5
  • Introduced through: buildpack-deps:14.04@* openldap/libldap2-dev@2.4.31-1+nmu2ubuntu8.5

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Ubuntu:14.04 relevant versions.

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

Remediation

Upgrade Ubuntu:14.04 openldap to version 2.4.31-1+nmu2ubuntu8.5+esm2 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1f-1ubuntu2.27, openssl/libssl-dev@1.0.1f-1ubuntu2.27 and others
  • Fixed in: 1.0.1f-1ubuntu2.27+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openssl@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl-dev@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl1.0.0@1.0.1f-1ubuntu2.27

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Ubuntu:14.04 relevant versions.

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Remediation

Upgrade Ubuntu:14.04 openssl to version 1.0.1f-1ubuntu2.27+esm1 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: openssl
  • Introduced through: openssl@1.0.1f-1ubuntu2.27, openssl/libssl-dev@1.0.1f-1ubuntu2.27 and others
  • Fixed in: 1.0.1f-1ubuntu2.27+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* openssl@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl-dev@1.0.1f-1ubuntu2.27
  • Introduced through: buildpack-deps:14.04@* openssl/libssl1.0.0@1.0.1f-1ubuntu2.27

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See Remediation section below for Ubuntu:14.04 relevant versions.

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Remediation

Upgrade Ubuntu:14.04 openssl to version 1.0.1f-1ubuntu2.27+esm2 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: p11-kit/libp11-kit-dev
  • Introduced through: p11-kit/libp11-kit-dev@0.20.2-2ubuntu2 and p11-kit/libp11-kit0@0.20.2-2ubuntu2
  • Fixed in: 0.20.2-2ubuntu2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* p11-kit/libp11-kit-dev@0.20.2-2ubuntu2
  • Introduced through: buildpack-deps:14.04@* p11-kit/libp11-kit0@0.20.2-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply to the upstream p11-kit package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

Remediation

Upgrade Ubuntu:14.04 p11-kit to version 0.20.2-2ubuntu2+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: p11-kit/libp11-kit-dev
  • Introduced through: p11-kit/libp11-kit-dev@0.20.2-2ubuntu2 and p11-kit/libp11-kit0@0.20.2-2ubuntu2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* p11-kit/libp11-kit-dev@0.20.2-2ubuntu2
  • Introduced through: buildpack-deps:14.04@* p11-kit/libp11-kit0@0.20.2-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply to the upstream p11-kit package.

An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

Remediation

There is no fixed version for Ubuntu:14.04 p11-kit.

References

medium severity

Link Following

  • Vulnerable module: patch
  • Introduced through: patch@2.7.1-4ubuntu2.4
  • Fixed in: 2.7.1-4ubuntu2.4+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* patch@2.7.1-4ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply to the upstream patch package. See Remediation section below for Ubuntu:14.04 relevant versions.

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

Remediation

Upgrade Ubuntu:14.04 patch to version 2.7.1-4ubuntu2.4+esm1 or higher.

References

medium severity

OS Command Injection

  • Vulnerable module: patch
  • Introduced through: patch@2.7.1-4ubuntu2.4
  • Fixed in: 2.7.1-4ubuntu2.4+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* patch@2.7.1-4ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply to the upstream patch package. See Remediation section below for Ubuntu:14.04 relevant versions.

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

Remediation

Upgrade Ubuntu:14.04 patch to version 2.7.1-4ubuntu2.4+esm1 or higher.

References

medium severity

OS Command Injection

  • Vulnerable module: patch
  • Introduced through: patch@2.7.1-4ubuntu2.4
  • Fixed in: 2.7.1-4ubuntu2.4+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* patch@2.7.1-4ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply to the upstream patch package. See Remediation section below for Ubuntu:14.04 relevant versions.

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

Remediation

Upgrade Ubuntu:14.04 patch to version 2.7.1-4ubuntu2.4+esm1 or higher.

References

medium severity

CVE-2021-32028

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

CVE-2021-32029

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

Out-of-Bounds

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

Permissive Whitelist

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

SQL Injection

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

SQL Injection

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

Untrusted Search Path

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: postgresql-9.3/libpq-dev
  • Introduced through: postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04 and postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

Detailed paths

  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq-dev@9.3.24-0ubuntu0.14.04
  • Introduced through: buildpack-deps:14.04@* postgresql-9.3/libpq5@9.3.24-0ubuntu0.14.04

NVD Description

Note: Versions mentioned in the description apply to the upstream postgresql-9.3 package.

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

There is no fixed version for Ubuntu:14.04 postgresql-9.3.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm5 or higher.

References

medium severity

Buffer Overflow

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package.

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Remediation

There is no fixed version for Ubuntu:14.04 python2.7.

References

medium severity

Credentials Management

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

Credentials Management

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

CRLF Injection

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

CRLF Injection

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

Directory Traversal

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

Improper Encoding or Escaping of Output

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm7

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm7 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm2 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm3

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm3 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.6-8ubuntu0.5, python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5 and others
  • Fixed in: 2.7.6-8ubuntu0.6+esm6

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python2.7@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-minimal@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/libpython2.7-stdlib@2.7.6-8ubuntu0.5
  • Introduced through: buildpack-deps:14.04@* python2.7/python2.7-minimal@2.7.6-8ubuntu0.5

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See Remediation section below for Ubuntu:14.04 relevant versions.

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade Ubuntu:14.04 python2.7 to version 2.7.6-8ubuntu0.6+esm6 or higher.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm6

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm6 or higher.

References

medium severity

Buffer Overflow

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm10

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm10 or higher.

References

medium severity

Credentials Management

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

Credentials Management

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

CRLF Injection

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

CRLF Injection

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

Directory Traversal

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

Improper Encoding or Escaping of Output

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm8

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm8 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm2 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm4 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3.4
  • Introduced through: python3.4@3.4.3-1ubuntu1~14.04.7, python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7 and others
  • Fixed in: 3.4.3-1ubuntu1~14.04.7+esm7

Detailed paths

  • Introduced through: buildpack-deps:14.04@* python3.4@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7
  • Introduced through: buildpack-deps:14.04@* python3.4/python3.4-minimal@3.4.3-1ubuntu1~14.04.7

NVD Description

Note: Versions mentioned in the description apply to the upstream python3.4 package. See Remediation section below for Ubuntu:14.04 relevant versions.

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade Ubuntu:14.04 python3.4 to version 3.4.3-1ubuntu1~14.04.7+esm7 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm1 or higher.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm1 or higher.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm1 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package.

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. A malicious application may cause a denial of service or potentially disclose memory contents.

Remediation

There is no fixed version for Ubuntu:14.04 sqlite3.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2 and sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2
  • Fixed in: 3.8.2-1ubuntu2.2+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-0@3.8.2-1ubuntu2.2
  • Introduced through: buildpack-deps:14.04@* sqlite3/libsqlite3-dev@3.8.2-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See Remediation section below for Ubuntu:14.04 relevant versions.

Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

Remediation

Upgrade Ubuntu:14.04 sqlite3 to version 3.8.2-1ubuntu2.2+esm2 or higher.

References

medium severity

Access Restriction Bypass

  • Vulnerable module: sudo
  • Introduced through: sudo@1.8.9p5-1ubuntu1.4

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sudo@1.8.9p5-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream sudo package.

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home///file.txt."

Remediation

There is no fixed version for Ubuntu:14.04 sudo.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: sudo
  • Introduced through: sudo@1.8.9p5-1ubuntu1.4
  • Fixed in: 1.8.9p5-1ubuntu1.5+esm5

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sudo@1.8.9p5-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream sudo package. See Remediation section below for Ubuntu:14.04 relevant versions.

sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.

Remediation

Upgrade Ubuntu:14.04 sudo to version 1.8.9p5-1ubuntu1.5+esm5 or higher.

References

medium severity

Improper Handling of Exceptional Conditions

  • Vulnerable module: sudo
  • Introduced through: sudo@1.8.9p5-1ubuntu1.4
  • Fixed in: 1.8.9p5-1ubuntu1.5+esm2

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sudo@1.8.9p5-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream sudo package. See Remediation section below for Ubuntu:14.04 relevant versions.

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.

Remediation

Upgrade Ubuntu:14.04 sudo to version 1.8.9p5-1ubuntu1.5+esm2 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: sudo
  • Introduced through: sudo@1.8.9p5-1ubuntu1.4
  • Fixed in: 1.8.9p5-1ubuntu1.5+esm1

Detailed paths

  • Introduced through: buildpack-deps:14.04@* sudo@1.8.9p5-1ubuntu1.4

NVD Description

Note: Versions mentioned in the description apply to the upstream sudo package. See Remediation section below for Ubuntu:14.04 relevant versions.

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

Remediation

Upgrade Ubuntu:14.04 sudo to version 1.8.9p5-1ubuntu1.5+esm1 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: systemd/libudev1
  • Introduced through: systemd/libudev1@204-5ubuntu20.31 and systemd/udev@204-5ubuntu20.31

Detailed paths

  • Introduced through: buildpack-deps:14.04@* systemd/libudev1@204-5ubuntu20.31
  • Introduced through: buildpack-deps:14.04@* systemd/udev@204-5ubuntu20.31

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package.

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Remediation

There is no fixed version for Ubuntu:14.04 systemd.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: tiff/libtiff5
  • Introduced through: tiff/libtiff5@4.0.3-7ubuntu0.11, tiff/libtiff5-dev@4.0.3-7ubuntu0.11 and others

Detailed paths

  • Introduced through: buildpack-deps:14.04@* tiff/libtiff5@4.0.3-7ubuntu0.11
  • Introduced through: buildpack-deps:14.04@* tiff/libtiff5-dev@4.0.3-7ubuntu0.11
  • Introduced through: buildpack-deps:14.04@* tiff/libtiffxx5@4.0.3-7ubuntu0.1