Opensuse ProjectCVEs & Vulnerabilities

54 CVEs affecting Opensuse Project products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

leap 35opensuse 22suse linux enterprise software development kit 20suse linux enterprise server 19suse linux enterprise desktop 13suse linux enterprise workstation extension 11suse linux enterprise debuginfo 7suse linux enterprise server for raspberry pi 1
CVE-2017-17806HIGH

The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.

21 Dec 2017
7.8
CVSS
CVE-2017-17805HIGH

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.

21 Dec 2017
7.8
CVSS
CVE-2016-1254HIGH

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.

5 Dec 2017
7.5
CVSS
CVE-2015-3138HIGH

print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a denial of service (segmentation fault and process crash).

28 Sep 2017
7.5
CVSS
CVE-2014-4616MEDIUM

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

24 Aug 2017
5.9
CVSS
CVE-2015-3405HIGH

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

9 Aug 2017
7.5
CVSS
CVE-2015-5203MEDIUM

Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.

2 Aug 2017
5.5
CVSS
CVE-2015-5221MEDIUM

Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.

25 Jul 2017
5.5
CVSS
CVE-2016-9961CRITICAL

game-music-emu before 0.6.1 mishandles unspecified integer values.

6 Jun 2017
9.8
CVSS
CVE-2016-9960MEDIUM

game-music-emu before 0.6.1 allows local users to cause a denial of service (divide by zero and process crash).

6 Jun 2017
5.5
CVSS
CVE-2016-9959HIGH

game-music-emu before 0.6.1 allows remote attackers to generate out of bounds 8-bit values.

12 Apr 2017
7.8
CVSS
CVE-2016-9958HIGH

game-music-emu before 0.6.1 allows remote attackers to write to arbitrary memory locations.

12 Apr 2017
7.8
CVSS
CVE-2016-9957HIGH

Stack-based buffer overflow in game-music-emu before 0.6.1.

12 Apr 2017
7.8
CVSS
CVE-2017-6542CRITICALpoc

The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact via a large length value in an agent protocol message and leveraging the ability to connect to the Unix-domain socket representing the forwarded agent connection, which trigger a buffer overflow.

27 Mar 2017
9.8
CVSS
CVE-2015-8010MEDIUM

Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi.

27 Mar 2017
6.1
CVSS
CVE-2016-7797HIGH

Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection.

24 Mar 2017
7.5
CVSS
CVE-2016-9556MEDIUM

The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file.

23 Mar 2017
5.5
CVSS
CVE-2016-10048HIGH

Directory traversal vulnerability in magick/module.c in ImageMagick 6.9.4-7 allows remote attackers to load arbitrary modules via unspecified vectors.

23 Mar 2017
7.5
CVSS
CVE-2014-9851HIGH

ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (application crash).

20 Mar 2017
7.5
CVSS
CVE-2014-9850HIGH

Logic error in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (resource consumption).

20 Mar 2017
7.5
CVSS
CVE-2014-9849HIGH

The png coder in ImageMagick allows remote attackers to cause a denial of service (crash).

20 Mar 2017
7.5
CVSS
CVE-2014-9848HIGH

Memory leak in ImageMagick allows remote attackers to cause a denial of service (memory consumption).

20 Mar 2017
7.5
CVSS
CVE-2014-9847CRITICAL

The jng decoder in ImageMagick 6.8.9.9 allows remote attackers to have an unspecified impact.

20 Mar 2017
9.8
CVSS
CVE-2014-9846CRITICAL

Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact.

20 Mar 2017
9.8
CVSS
CVE-2014-9845MEDIUM

The ReadDIBImage function in coders/dib.c in ImageMagick allows remote attackers to cause a denial of service (crash) via a corrupted dib file.

20 Mar 2017
5.5
CVSS
CVE-2014-9844MEDIUM

The ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image file.

20 Mar 2017
5.5
CVSS
CVE-2014-9843CRITICAL

The DecodePSDPixels function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors.

20 Mar 2017
9.8
CVSS
CVE-2014-9842HIGH

Memory leak in the ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors.

20 Mar 2017
7.5
CVSS
CVE-2014-9841CRITICAL

The ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors, related to "throwing of exceptions."

20 Mar 2017
9.8
CVSS
CVE-2014-9853MEDIUM

Memory leak in coders/rle.c in ImageMagick allows remote attackers to cause a denial of service (memory consumption) via a crafted rle file.

17 Mar 2017
5.5
CVSS
CVE-2017-5938MEDIUM

Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

15 Mar 2017
6.1
CVSS
CVE-2016-10069MEDIUM

coders/mat.c in ImageMagick before 6.9.4-5 allows remote attackers to cause a denial of service (application crash) via a mat file with an invalid number of frames.

3 Mar 2017
5.5
CVSS
CVE-2016-10068MEDIUM

The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted XML file.

3 Mar 2017
5.5
CVSS
CVE-2016-9436MEDIUM

parsetagx.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to a <i> tag.

20 Jan 2017
6.5
CVSS
CVE-2016-9435MEDIUM

The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to <dd> tags.

20 Jan 2017
6.5
CVSS
CVE-2016-5317MEDIUM

Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file.

20 Jan 2017
6.5
CVSS
CVE-2016-5316MEDIUM

Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.

20 Jan 2017
6.5
CVSS
CVE-2015-5218LOW

Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.

9 Nov 2015
2.1
CVSS
CVE-2014-0481MEDIUM

The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.

26 Aug 2014
4.3
CVSS
CVE-2014-4258MEDIUM

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC.

17 Jul 2014
6.5
CVSS
CVE-2014-3004MEDIUMpoc

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

11 Jun 2014
4.3
CVSS
CVE-2014-1542MEDIUM

Buffer overflow in the Speex resampler in the Web Audio subsystem in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code via vectors related to a crafted AudioBuffer channel count and sample rate.

11 Jun 2014
6.8
CVSS
CVE-2014-1528CRITICAL

The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo in Mozilla Firefox 28.0 and SeaMonkey 2.25 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by painting on a CANVAS element.

30 Apr 2014
10.0
CVSS
CVE-2014-1502MEDIUM

The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors.

19 Mar 2014
6.8
CVSS
CVE-2014-1500MEDIUM

Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (resource consumption and application hang) via onbeforeunload events that trigger background JavaScript execution.

19 Mar 2014
5.0
CVSS
CVE-2014-1499MEDIUM

Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to spoof the domain name in the WebRTC (1) camera or (2) microphone permission prompt by triggering navigation at a certain time during generation of this prompt.

19 Mar 2014
4.3
CVSS
CVE-2014-1498MEDIUM

The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports the Elliptic Curve ec-dual-use algorithm.

19 Mar 2014
5.0
CVSS
CVE-2014-1494CRITICAL

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

19 Mar 2014
9.3
CVSS
← PrevPage 1 / 2Next →