Filtered by vendor Redhat
Subscriptions
Filtered by product Rhel Eus
Subscriptions
Total
3013 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45287 | 2 Golang, Redhat | 11 Go, Enterprise Linux, Migration Toolkit Applications and 8 more | 2025-02-13 | 7.5 High |
| Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. | ||||
| CVE-2023-45231 | 2 Redhat, Tianocore | 3 Enterprise Linux, Rhel Eus, Edk2 | 2025-02-13 | 6.5 Medium |
| EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | ||||
| CVE-2023-43804 | 4 Debian, Fedoraproject, Python and 1 more | 12 Debian Linux, Fedora, Urllib3 and 9 more | 2025-02-13 | 5.9 Medium |
| urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. | ||||
| CVE-2023-4056 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2025-02-13 | 9.8 Critical |
| Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4055 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2025-02-13 | 7.5 High |
| When the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4050 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2025-02-13 | 7.5 High |
| In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4049 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Enterprise Linux and 4 more | 2025-02-13 | 5.9 Medium |
| Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4048 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2025-02-13 | 7.5 High |
| An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4047 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Enterprise Linux and 4 more | 2025-02-13 | 8.8 High |
| A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4046 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Enterprise Linux and 4 more | 2025-02-13 | 5.3 Medium |
| In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-4045 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Enterprise Linux and 4 more | 2025-02-13 | 5.3 Medium |
| Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-40403 | 2 Apple, Redhat | 7 Ipados, Iphone Os, Macos and 4 more | 2025-02-13 | 6.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information. | ||||
| CVE-2023-40397 | 4 Apple, Redhat, Webkitgtk and 1 more | 9 Macos, Enterprise Linux, Rhel Aus and 6 more | 2025-02-13 | 9.8 Critical |
| The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. A remote attacker may be able to cause arbitrary javascript code execution. | ||||
| CVE-2023-39325 | 4 Fedoraproject, Golang, Netapp and 1 more | 53 Fedora, Go, Http2 and 50 more | 2025-02-13 | 7.5 High |
| A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. | ||||
| CVE-2023-38497 | 3 Fedoraproject, Redhat, Rust-lang | 5 Fedora, Devtools, Enterprise Linux and 2 more | 2025-02-13 | 7.8 High |
| Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`. | ||||
| CVE-2023-37464 | 2 Cisco, Redhat | 6 Cjose, Enterprise Linux, Rhel Aus and 3 more | 2025-02-13 | 8.6 High |
| OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC). | ||||
| CVE-2023-37211 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2025-02-13 | 8.8 High |
| Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. | ||||
| CVE-2023-37207 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2025-02-13 | 6.5 Medium |
| A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. | ||||
| CVE-2023-37202 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2025-02-13 | 8.8 High |
| Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. | ||||
| CVE-2023-37201 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2025-02-13 | 8.8 High |
| An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. | ||||