Difference between revisions of "FLOP:CVE Monitoring"

From Funtoo
Jump to navigation Jump to search
m
Line 90: Line 90:
Once a match is made, the <tt>cve-search</tt> collection and the portage package database (via {{package|app-portage/eix}}) can be combined to produce the data appropriate for a report.
Once a match is made, the <tt>cve-search</tt> collection and the portage package database (via {{package|app-portage/eix}}) can be combined to produce the data appropriate for a report.


The correct pattern for this is probably a <tt>truth table</tt>, with the above exact matching algorithm one example of generalized predicates at are applied to each cve document in the cvedb. A table pairing packages and predicates can they be interpreted via custom logical operations to yields sets of the packages to consider for further discussion or immediate issue creation.  
This is meant to be human in the loop automation: we can just be spamming <tt>jira</tt>, and <tt>dev</tt>s must take ownership of issues.
{{FLOPFooter}}
{{FLOPFooter}}


Line 96: Line 96:
The <tt>cver</tt> tool is currently stateless: it takes some bytes and it makes some bytes. We should probably keep it that way. A disk cache of the LRU memo-ized python function <tt>eix_xml</tt> might be nice. It would have to be wiped when eix was updated, of course.
The <tt>cver</tt> tool is currently stateless: it takes some bytes and it makes some bytes. We should probably keep it that way. A disk cache of the LRU memo-ized python function <tt>eix_xml</tt> might be nice. It would have to be wiped when eix was updated, of course.


== Example Output Fri 31 Jul 2020 02:49:59 PM EDT ==
== Example Output Mon 10 Aug 2020 10:39:01 PM EDT ==
 


Summary:
Summary:
-------
-------
CVE-2020-15953: net-libs/libetpan-1.9.3
CVE-2020-15115: dev-db/etcd-3.3.12
 
Scores:
------
Impact: 2.86
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/27/2020]
[08/06/2020]
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products,
etcd before versions 3.3.23 and 3.4.10 does not perform any password length
has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server
validation, which allows for very short passwords, such as those with a length
sends a "begin TLS" response, the client reads additional data (e.g., from a
of one. This may allow an attacker to guess or brute-force users' passwords with
meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response
little computational effort.
injection."


CatPkg:
CatPkg:
------
------
net-libs/libetpan
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 125: Line 130:
AffectsVersions:
AffectsVersions:
---------------
---------------
1.9.3
3.3.12


Facts:
Facts:
-----
-----
https://github.com/dinhvh/libetpan/issues/386
https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
https://security.gentoo.org/glsa/202007-55


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-12460: mail-filter/opendmarc-1.1.3
CVE-2020-15113: dev-db/etcd-3.3.12
 
Scores:
------
Impact: 4.94
Ability to Exploit: 3.95


Description:
Description:
-----------
-----------
[07/27/2020]
[08/05/2020]
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created
termination in the function opendmarc_xml_parse that can result in a one-byte
(etcd data directory and the directory path when provided to automatically
heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate
generate self-signed certificates for TLS connections with clients) with
report. This can cause remote memory corruption when a '\0' byte overwrites the
restricted access permissions (700) by using the os.MkdirAll. This function does
heap metadata of the next chunk and its PREV_INUSE flag.
not perform any permission checks when a given directory path exists already.
A possible workaround is to ensure the directories have the desired permission
(700).


CatPkg:
CatPkg:
------
------
mail-filter/opendmarc
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 160: Line 173:
AffectsVersions:
AffectsVersions:
---------------
---------------
1.1.3
3.3.12


Facts:
Facts:
-----
-----
https://github.com/trusteddomainproject/OpenDMARC/issues/64
https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92
https://sourceforge.net/projects/opendmarc/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15890: dev-lang/luajit-2.0.2
CVE-2020-15114: dev-db/etcd-3.3.12
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/21/2020]
[08/06/2020]
LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP
traversal is mishandled.
proxy to allow for basic service discovery and access. However, it is possible
to include the gateway address as an endpoint. This results in a denial of
service, since the endpoint can become stuck in a loop of requesting itself
until there are no more available file descriptors to accept connections on the
gateway.


CatPkg:
CatPkg:
------
------
dev-lang/luajit
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 192: Line 215:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.0.2
3.3.12


Facts:
Facts:
-----
-----
https://github.com/LuaJIT/LuaJIT/issues/601
https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224
https://lists.debian.org/debian-lts-announce/2020/07/msg00026.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15890: dev-lang/luajit-2.0.3
CVE-2020-15115: dev-db/etcd-3.3.13
 
Scores:
------
Impact: 2.86
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/21/2020]
[08/06/2020]
LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame
etcd before versions 3.3.23 and 3.4.10 does not perform any password length
traversal is mishandled.
validation, which allows for very short passwords, such as those with a length
of one. This may allow an attacker to guess or brute-force users' passwords with
little computational effort.


CatPkg:
CatPkg:
------
------
dev-lang/luajit
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 224: Line 255:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.0.3
3.3.13


Facts:
Facts:
-----
-----
https://github.com/LuaJIT/LuaJIT/issues/601
https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
https://lists.debian.org/debian-lts-announce/2020/07/msg00026.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15890: dev-lang/luajit-2.0.4
CVE-2020-15113: dev-db/etcd-3.3.13
 
Scores:
------
Impact: 4.94
Ability to Exploit: 3.95


Description:
Description:
-----------
-----------
[07/21/2020]
[08/05/2020]
LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created
traversal is mishandled.
(etcd data directory and the directory path when provided to automatically
generate self-signed certificates for TLS connections with clients) with
restricted access permissions (700) by using the os.MkdirAll. This function does
not perform any permission checks when a given directory path exists already.
A possible workaround is to ensure the directories have the desired permission
(700).


CatPkg:
CatPkg:
------
------
dev-lang/luajit
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 256: Line 298:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.0.4
3.3.13


Facts:
Facts:
-----
-----
https://github.com/LuaJIT/LuaJIT/issues/601
https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92
https://lists.debian.org/debian-lts-announce/2020/07/msg00026.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15890: dev-lang/luajit-2.0.5
CVE-2020-15114: dev-db/etcd-3.3.13
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/21/2020]
[08/06/2020]
LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP
traversal is mishandled.
proxy to allow for basic service discovery and access. However, it is possible
to include the gateway address as an endpoint. This results in a denial of
service, since the endpoint can become stuck in a loop of requesting itself
until there are no more available file descriptors to accept connections on the
gateway.


CatPkg:
CatPkg:
------
------
dev-lang/luajit
dev-db/etcd


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 288: Line 340:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.0.5
3.3.13


Facts:
Facts:
-----
-----
https://github.com/LuaJIT/LuaJIT/issues/601
https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224
https://lists.debian.org/debian-lts-announce/2020/07/msg00026.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-1776: www-apps/otrs-5.0.25
CVE-2020-16117: gnome-extra/evolution-data-server-3.36.2
 
Scores:
------
Impact: 2.86
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/20/2020]
[07/29/2020]
When an agent user is renamed or set to invalid the session belonging to the
In GNOME evolution-data-server before 3.35.91, a malicious server can
user is keept active. The session can not be used to access ticket data in the
crash the mail client with a NULL pointer dereference by sending an invalid
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
(e.g., minimal) CAPABILITY line on a connection attempt. This is related to
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
imapx_free_capability and imapx_connect_to_server.


CatPkg:
CatPkg:
------
------
www-apps/otrs
gnome-extra/evolution-data-server


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
gnome-kit/3.36-prime


labels:
labels:
Line 322: Line 380:
AffectsVersions:
AffectsVersions:
---------------
---------------
5.0.25
3.36.2


Facts:
Facts:
-----
-----
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189
https://lists.debian.org/debian-lts-announce/2020/08/msg00005.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-1776: www-apps/otrs-6.0.3
CVE-2020-14928: gnome-extra/evolution-data-server-3.36.2
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/17/2020]
When an agent user is renamed or set to invalid the session belonging to the
evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that
user is keept active. The session can not be used to access ticket data in the
affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
additional data and evaluates it in a TLS context, aka "response injection."
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.


CatPkg:
CatPkg:
------
------
www-apps/otrs
gnome-extra/evolution-data-server


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
gnome-kit/3.36-prime


labels:
labels:
Line 355: Line 422:
AffectsVersions:
AffectsVersions:
---------------
---------------
6.0.3
3.36.2


Facts:
Facts:
-----
-----
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://bugzilla.suse.com/show_bug.cgi?id=1173910
https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac
https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
https://lists.debian.org/debian-lts-announce/2020/07/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMBEZWA22EAYAZQWUX4KPEBER726KSIG/
https://security-tracker.debian.org/tracker/DLA-2281-1
https://security-tracker.debian.org/tracker/DSA-4725-1
https://usn.ubuntu.com/4429-1/
https://www.debian.org/security/2020/dsa-4725


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-1776: www-apps/otrs-6.0.4
CVE-2020-13699: net-misc/teamviewer-14.1.3399
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/29/2020]
When an agent user is renamed or set to invalid the session belonging to the
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its
user is keept active. The session can not be used to access ticket data in the
custom URI handlers. A malicious website could launch TeamViewer with arbitrary
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
parameters, as demonstrated by a teamviewer10: --play URL. An attacker could
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
force a victim to send an NTLM authentication request and either relay the
request or capture the hash for offline password cracking. This affects
teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1,
tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1,
and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873,
11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.


CatPkg:
CatPkg:
------
------
www-apps/otrs
net-misc/teamviewer


KitBranch:
KitBranch:
Line 388: Line 476:
AffectsVersions:
AffectsVersions:
---------------
---------------
6.0.4
14.1.3399


Facts:
Facts:
-----
-----
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
https://jeffs.sh/CVEs/CVE-2020-13699.txt


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-1776: www-apps/otrs-6.0.5
CVE-2020-13699: net-misc/teamviewer-14.1.9025
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/29/2020]
When an agent user is renamed or set to invalid the session belonging to the
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its
user is keept active. The session can not be used to access ticket data in the
custom URI handlers. A malicious website could launch TeamViewer with arbitrary
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
parameters, as demonstrated by a teamviewer10: --play URL. An attacker could
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
force a victim to send an NTLM authentication request and either relay the
request or capture the hash for offline password cracking. This affects
teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1,
tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1,
and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873,
11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.


CatPkg:
CatPkg:
------
------
www-apps/otrs
net-misc/teamviewer


KitBranch:
KitBranch:
Line 421: Line 522:
AffectsVersions:
AffectsVersions:
---------------
---------------
6.0.5
14.1.9025


Facts:
Facts:
-----
-----
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
https://jeffs.sh/CVEs/CVE-2020-13699.txt


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-1776: www-apps/otrs-6.0.7
CVE-2020-13699: net-misc/teamviewer-14.1.18533
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/29/2020]
When an agent user is renamed or set to invalid the session belonging to the
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its
user is keept active. The session can not be used to access ticket data in the
custom URI handlers. A malicious website could launch TeamViewer with arbitrary
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
parameters, as demonstrated by a teamviewer10: --play URL. An attacker could
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
force a victim to send an NTLM authentication request and either relay the
request or capture the hash for offline password cracking. This affects
teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1,
tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1,
and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873,
11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.


CatPkg:
CatPkg:
------
------
www-apps/otrs
net-misc/teamviewer


KitBranch:
KitBranch:
Line 454: Line 568:
AffectsVersions:
AffectsVersions:
---------------
---------------
6.0.7
14.1.18533


Facts:
Facts:
-----
-----
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
https://jeffs.sh/CVEs/CVE-2020-13699.txt


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-14928: gnome-extra/evolution-data-server-3.36.2
CVE-2020-13699: net-misc/teamviewer-14.2.2558
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/17/2020]
[07/29/2020]
evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its
affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads
custom URI handlers. A malicious website could launch TeamViewer with arbitrary
additional data and evaluates it in a TLS context, aka "response injection."
parameters, as demonstrated by a teamviewer10: --play URL. An attacker could
force a victim to send an NTLM authentication request and either relay the
request or capture the hash for offline password cracking. This affects
teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1,
tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1,
and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873,
11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.


CatPkg:
CatPkg:
------
------
gnome-extra/evolution-data-server
net-misc/teamviewer


KitBranch:
KitBranch:
---------
---------
gnome-kit/3.36-prime
net-kit/1.4-release


labels:
labels:
Line 486: Line 614:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.36.2
14.2.2558


Facts:
Facts:
-----
-----
https://bugzilla.suse.com/show_bug.cgi?id=1173910
https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df
https://jeffs.sh/CVEs/CVE-2020-13699.txt
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac
https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
https://lists.debian.org/debian-lts-announce/2020/07/msg00012.html
https://security-tracker.debian.org/tracker/DLA-2281-1
https://security-tracker.debian.org/tracker/DSA-4725-1
https://usn.ubuntu.com/4429-1/
https://www.debian.org/security/2020/dsa-4725


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15852: app-emulation/xen-4.10.3-r1
CVE-2020-13699: net-misc/teamviewer-14.2.8352
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/29/2020]
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
custom URI handlers. A malicious website could launch TeamViewer with arbitrary
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
parameters, as demonstrated by a teamviewer10: --play URL. An attacker could
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
force a victim to send an NTLM authentication request and either relay the
Xen, aka CID-cadfad870154.
request or capture the hash for offline password cracking. This affects
teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1,
tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1,
and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873,
11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.


CatPkg:
CatPkg:
------
------
app-emulation/xen
net-misc/teamviewer


KitBranch:
KitBranch:
---------
---------
nokit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 528: Line 660:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.10.3-r1
14.2.8352


Facts:
Facts:
-----
-----
http://www.openwall.com/lists/oss-security/2020/07/21/2
https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448
http://xenbits.xen.org/xsa/advisory-329.html
https://jeffs.sh/CVEs/CVE-2020-13699.txt
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15852: app-emulation/xen-4.11.1-r3
CVE-2020-12460: mail-filter/opendmarc-1.1.3
 
Scores:
------
Impact: 6.44
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/20/2020]
[07/27/2020]
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
termination in the function opendmarc_xml_parse that can result in a one-byte
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
report. This can cause remote memory corruption when a '\0' byte overwrites the
Xen, aka CID-cadfad870154.
heap metadata of the next chunk and its PREV_INUSE flag.


CatPkg:
CatPkg:
------
------
app-emulation/xen
mail-filter/opendmarc


KitBranch:
KitBranch:
---------
---------
nokit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 565: Line 702:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.11.1-r3
1.1.3


Facts:
Facts:
-----
-----
http://www.openwall.com/lists/oss-security/2020/07/21/2
https://github.com/trusteddomainproject/OpenDMARC/issues/64
http://xenbits.xen.org/xsa/advisory-329.html
https://sourceforge.net/projects/opendmarc/
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15852: app-emulation/xen-4.12.0-r1
CVE-2020-15953: net-libs/libetpan-1.9.3
 
Scores:
------
Impact: 4.94
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/20/2020]
[07/27/2020]
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products,
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
sends a "begin TLS" response, the client reads additional data (e.g., from a
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response
Xen, aka CID-cadfad870154.
injection."


CatPkg:
CatPkg:
------
------
app-emulation/xen
net-libs/libetpan


KitBranch:
KitBranch:
---------
---------
nokit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 602: Line 744:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.12.0-r1
1.9.3


Facts:
Facts:
-----
-----
http://www.openwall.com/lists/oss-security/2020/07/21/2
https://github.com/dinhvh/libetpan/issues/386
http://xenbits.xen.org/xsa/advisory-329.html
https://security.gentoo.org/glsa/202007-55
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15121: dev-util/radare2-3.4.1
CVE-2020-1776: www-apps/otrs-5.0.25
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/20/2020]
[07/20/2020]
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
When an agent user is renamed or set to invalid the session belonging to the
path cause shell injection. To trigger the problem it's required to open the
user is keept active. The session can not be used to access ticket data in the
executable in radare2 and run idpd to trigger the download. The shell code will
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
execute, and will create a file called pwned in the current directory.
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.


CatPkg:
CatPkg:
------
------
dev-util/radare2
www-apps/otrs


KitBranch:
KitBranch:
---------
---------
dev-kit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 638: Line 785:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.4.1
5.0.25


Facts:
Facts:
-----
-----
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://github.com/radareorg/radare2/issues/16945
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15121: dev-util/radare2-3.5.0
CVE-2020-1776: www-apps/otrs-6.0.3
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/20/2020]
[07/20/2020]
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
When an agent user is renamed or set to invalid the session belonging to the
path cause shell injection. To trigger the problem it's required to open the
user is keept active. The session can not be used to access ticket data in the
executable in radare2 and run idpd to trigger the download. The shell code will
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
execute, and will create a file called pwned in the current directory.
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.


CatPkg:
CatPkg:
------
------
dev-util/radare2
www-apps/otrs


KitBranch:
KitBranch:
---------
---------
dev-kit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 674: Line 825:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.5.0
6.0.3


Facts:
Facts:
-----
-----
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://github.com/radareorg/radare2/issues/16945
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15121: dev-util/radare2-3.5.1
CVE-2020-1776: www-apps/otrs-6.0.4
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/20/2020]
[07/20/2020]
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
When an agent user is renamed or set to invalid the session belonging to the
path cause shell injection. To trigger the problem it's required to open the
user is keept active. The session can not be used to access ticket data in the
executable in radare2 and run idpd to trigger the download. The shell code will
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
execute, and will create a file called pwned in the current directory.
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.


CatPkg:
CatPkg:
------
------
dev-util/radare2
www-apps/otrs


KitBranch:
KitBranch:
---------
---------
dev-kit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 710: Line 865:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.5.1
6.0.4


Facts:
Facts:
-----
-----
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://github.com/radareorg/radare2/issues/16945
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-14001: dev-ruby/kramdown-1.17.0
CVE-2020-1776: www-apps/otrs-6.0.5
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
The kramdown gem before 2.3.0 for Ruby processes the template option inside
When an agent user is renamed or set to invalid the session belonging to the
Kramdown documents by default, which allows unintended read access (such as
user is keept active. The session can not be used to access ticket data in the
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
string that begins with template="string://<%= `). NOTE: kramdown is used in
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.


CatPkg:
CatPkg:
------
------
dev-ruby/kramdown
www-apps/otrs


KitBranch:
KitBranch:
---------
---------
ruby-kit/2.6-prime
net-kit/1.4-release


labels:
labels:
Line 747: Line 905:
AffectsVersions:
AffectsVersions:
---------------
---------------
1.17.0
6.0.5


Facts:
Facts:
-----
-----
https://github.com/gettalong/kramdown
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0
https://kramdown.gettalong.org
https://kramdown.gettalong.org/news.html
https://rubygems.org/gems/kramdown


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15586: dev-lang/go-1.12.17
CVE-2020-1776: www-apps/otrs-6.0.7
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http
When an agent user is renamed or set to invalid the session belonging to the
servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads
user is keept active. The session can not be used to access ticket data in the
a request body and writes a response at the same time.
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.


CatPkg:
CatPkg:
------
------
dev-lang/go
www-apps/otrs


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
net-kit/1.4-release


labels:
labels:
Line 784: Line 945:
AffectsVersions:
AffectsVersions:
---------------
---------------
1.12.17
6.0.7


Facts:
Facts:
-----
-----
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
 
https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g
--------------------------------------------------------------------------------
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
--------------------------------------------------------------------------------
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCR6LAKCVKL55KJQPPBBWVQGOP7RL2RW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/
https://www.cloudfoundry.org/blog/cve-2020-15586/
 


Summary:
Summary:
-------
-------
CVE-2020-14039: dev-lang/go-1.12.17
CVE-2020-15852: app-emulation/xen-4.10.3-r1
 
Scores:
------
Impact: 6.44
Ability to Exploit: 3.95


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
equals nil and the installation is on Windows). Thus, X.509 certificate
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
verification is incomplete.
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
Xen, aka CID-cadfad870154.


CatPkg:
CatPkg:
------
------
dev-lang/go
app-emulation/xen


KitBranch:
KitBranch:
---------
---------
lang-kit/1.4-release
nokit/1.4-release


labels:
labels:
Line 823: Line 986:
AffectsVersions:
AffectsVersions:
---------------
---------------
1.12.17
4.10.3-r1


Facts:
Facts:
-----
-----
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
http://www.openwall.com/lists/oss-security/2020/07/21/2
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
http://xenbits.xen.org/xsa/advisory-329.html
https://groups.google.com/forum/#!forum/golang-announce
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.16
CVE-2020-15852: app-emulation/xen-4.11.1-r3
 
Scores:
------
Impact: 6.44
Ability to Exploit: 3.95


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
Xen, aka CID-cadfad870154.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
app-emulation/xen


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
nokit/1.4-release


labels:
labels:
Line 857: Line 1,030:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.16
4.11.1-r3


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
http://www.openwall.com/lists/oss-security/2020/07/21/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
http://xenbits.xen.org/xsa/advisory-329.html
https://support.zabbix.com/browse/ZBX-18057
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.16
CVE-2020-15852: app-emulation/xen-4.12.0-r1
 
Scores:
------
Impact: 6.44
Ability to Exploit: 3.95


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port
permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap
mishandling causes a loss of synchronization between the I/O bitmaps of TSS and
Xen, aka CID-cadfad870154.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
app-emulation/xen


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
nokit/1.4-release


labels:
labels:
Line 890: Line 1,074:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.16
4.12.0-r1


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
http://www.openwall.com/lists/oss-security/2020/07/21/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
http://xenbits.xen.org/xsa/advisory-329.html
https://support.zabbix.com/browse/ZBX-18057
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cadfad870154e14f745ec845708bc17d166065f2
https://github.com/torvalds/linux/commit/cadfad870154e14f745ec845708bc17d166065f2


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.16
CVE-2020-15121: dev-util/radare2-3.4.1
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
path cause shell injection. To trigger the problem it's required to open the
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-util/radare2


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 923: Line 1,117:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.16
3.4.1


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://github.com/radareorg/radare2/issues/16945
https://support.zabbix.com/browse/ZBX-18057
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YE77P5RSE2T7JHEKMWF2ARTSJGMPXCFY/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.21
CVE-2020-15121: dev-util/radare2-3.5.0
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
path cause shell injection. To trigger the problem it's required to open the
 
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory.
 
CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-util/radare2


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 956: Line 1,162:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.21
3.5.0


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://github.com/radareorg/radare2/issues/16945
https://support.zabbix.com/browse/ZBX-18057
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YE77P5RSE2T7JHEKMWF2ARTSJGMPXCFY/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.21
CVE-2020-15121: dev-util/radare2-3.5.1
 
Scores:
------
Impact: 6.44
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/17/2020]
[07/20/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
In radare2 before version 4.5.0, malformed PDB file names in the PDB server
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
path cause shell injection. To trigger the problem it's required to open the
executable in radare2 and run idpd to trigger the download. The shell code will
execute, and will create a file called pwned in the current directory.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-util/radare2


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
dev-kit/1.4-release


labels:
labels:
Line 989: Line 1,207:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.21
3.5.1


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://github.com/radareorg/radare2/issues/16945
https://support.zabbix.com/browse/ZBX-18057
https://github.com/radareorg/radare2/pull/16966
https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YE77P5RSE2T7JHEKMWF2ARTSJGMPXCFY/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.21
CVE-2020-14001: dev-ruby/kramdown-1.17.0
 
Scores:
------
Impact: 6.44
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/17/2020]
[07/17/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
The kramdown gem before 2.3.0 for Ruby processes the template option inside
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Kramdown documents by default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
string that begins with template="string://<%= `). NOTE: kramdown is used in
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-ruby/kramdown


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
ruby-kit/2.6-prime


labels:
labels:
Line 1,022: Line 1,253:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.21
1.17.0


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://github.com/gettalong/kramdown
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
https://support.zabbix.com/browse/ZBX-18057
https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0
https://kramdown.gettalong.org
https://kramdown.gettalong.org/news.html
https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html
https://rubygems.org/gems/kramdown
https://security.netapp.com/advisory/ntap-20200731-0004/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.21
CVE-2020-15586: dev-lang/go-1.12.17
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
-----------
-----------
[07/17/2020]
[07/17/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads
a request body and writes a response at the same time.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-lang/go


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
lang-kit/1.4-release


labels:
labels:
Line 1,055: Line 1,300:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.21
1.12.17


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
https://support.zabbix.com/browse/ZBX-18057
https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCR6LAKCVKL55KJQPPBBWVQGOP7RL2RW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WIRVUHD7TJIT7JJ33FKHIVTHPYABYPHR/
https://security.netapp.com/advisory/ntap-20200731-0005/
https://www.cloudfoundry.org/blog/cve-2020-15586/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.23
CVE-2020-14039: dev-lang/go-1.12.17
 
Scores:
------
Impact: 2.86
Ability to Exploit: 10.00


Description:
Description:
-----------
-----------
[07/17/2020]
[07/17/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots
equals nil and the installation is on Windows). Thus, X.509 certificate
verification is incomplete.


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-lang/go


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
lang-kit/1.4-release


labels:
labels:
Line 1,088: Line 1,347:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.23
1.12.17


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
https://support.zabbix.com/browse/ZBX-18057
https://groups.google.com/forum/#!forum/golang-announce
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
https://security.netapp.com/advisory/ntap-20200731-0005/


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.23
CVE-2020-15803: net-analyzer/zabbix-2.2.16
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,121: Line 1,389:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.23
2.2.16


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-2.2.23
CVE-2020-15803: net-analyzer/zabbix-2.2.16
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,154: Line 1,430:
AffectsVersions:
AffectsVersions:
---------------
---------------
2.2.23
2.2.16


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-3.0.26
CVE-2020-15803: net-analyzer/zabbix-2.2.21
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,187: Line 1,471:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.0.26
2.2.21


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-3.0.26
CVE-2020-15803: net-analyzer/zabbix-2.2.21
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,220: Line 1,512:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.0.26
2.2.21


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-3.0.26
CVE-2020-15803: net-analyzer/zabbix-2.2.21
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,253: Line 1,553:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.0.26
2.2.21


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.6
CVE-2020-15803: net-analyzer/zabbix-2.2.23
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,286: Line 1,594:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.6
2.2.23


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.6
CVE-2020-15803: net-analyzer/zabbix-2.2.23
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,319: Line 1,635:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.6
2.2.23


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.6
CVE-2020-15803: net-analyzer/zabbix-3.0.26
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,352: Line 1,676:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.6
3.0.26


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.6
CVE-2020-15803: net-analyzer/zabbix-3.0.26
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,385: Line 1,717:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.6
3.0.26


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.7
CVE-2020-15803: net-analyzer/zabbix-4.0.6
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,418: Line 1,758:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.7
4.0.6


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.7
CVE-2020-15803: net-analyzer/zabbix-4.0.6
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,451: Line 1,799:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.7
4.0.6


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.7
CVE-2020-15803: net-analyzer/zabbix-4.0.6
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,484: Line 1,840:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.7
4.0.6


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.9
CVE-2020-15803: net-analyzer/zabbix-4.0.7
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,517: Line 1,881:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.9
4.0.7


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.0.9
CVE-2020-15803: net-analyzer/zabbix-4.0.7
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,550: Line 1,922:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.0.9
4.0.7


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-3.2.11
CVE-2020-15803: net-analyzer/zabbix-4.0.9
 
Scores:
------
Impact: 2.86
Ability to Exploit: 8.59


Description:
Description:
Line 1,583: Line 1,963:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.2.11
4.0.9


Facts:
Facts:
-----
-----
https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://support.zabbix.com/browse/ZBX-18057
https://support.zabbix.com/browse/ZBX-18057


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-3.4.15
CVE-2020-15117: x11-misc/synergy-1.9.1
 
Scores:
------
Impact: 2.86
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/17/2020]
[07/15/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
In Synergy before version 1.12.0, a Synergy server can be crashed by receiving
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295)
if the servers memory is less than 4 GB. It was verified that this issue does
not cause a crash through the exception handler if the available memory of the
Server is more than 4GB.
 
CatPkg:
------
x11-misc/synergy
 
KitBranch:
---------
desktop-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
1.9.1
 
Facts:
-----
https://github.com/symless/synergy-core/commit/0a97c2be0da2d0df25cb86dfd642429e7a8bea39
https://github.com/symless/synergy-core/security/advisories/GHSA-chfm-333q-gfpp
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14702: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-db/mysql


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
core-server-kit/1.4-release


labels:
labels:
Line 1,616: Line 2,052:
AffectsVersions:
AffectsVersions:
---------------
---------------
3.4.15
5.5.61


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://security.netapp.com/advisory/ntap-20200717-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://usn.ubuntu.com/4441-1/
https://support.zabbix.com/browse/ZBX-18057
https://www.oracle.com/security-alerts/cpujul2020.html


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


Summary:
Summary:
-------
-------
CVE-2020-15803: net-analyzer/zabbix-4.2.3
CVE-2020-14651: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 4.94
Ability to Exploit: _


Description:
Description:
-----------
-----------
[07/17/2020]
[07/15/2020]
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CatPkg:
CatPkg:
------
------
net-analyzer/zabbix
dev-db/mysql


KitBranch:
KitBranch:
---------
---------
net-kit/1.4-release
core-server-kit/1.4-release


labels:
labels:
Line 1,649: Line 2,099:
AffectsVersions:
AffectsVersions:
---------------
---------------
4.2.3
5.5.61


Facts:
Facts:
-----
-----
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE/
https://security.netapp.com/advisory/ntap-20200717-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT/
https://usn.ubuntu.com/4441-1/
https://support.zabbix.com/browse/ZBX-18057
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14663: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14624: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: JSON). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14697: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14643: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 4.94
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14656: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Locking). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14623: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14680: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14631: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Audit). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14654: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14620: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14678: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14619: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Parser). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14597: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14576: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: UDF). Supported versions that are affected are 5.7.30 and prior and
8.0.20 and prior. Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14575: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14614: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14591: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Audit Plug-in). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14568: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14586: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14567: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Replication). Supported versions that are affected are 5.7.29 and prior and
8.0.19 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14559: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Information Schema). Supported versions that are affected are 5.6.48 and
prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols
to compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of MySQL Server accessible
data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14553: dev-db/mysql-5.5.61
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Pluggable Auth). Supported versions that are affected are 5.7.30
and prior and 8.0.20 and prior. Easily exploitable vulnerability allows
low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of MySQL Server
accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.61
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14702: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14651: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 4.94
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14663: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14624: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: JSON). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14697: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14643: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 4.94
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14656: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Locking). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14623: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14631: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Audit). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14680: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14654: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14620: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14678: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14619: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Parser). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14597: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14576: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: UDF). Supported versions that are affected are 5.7.30 and prior and
8.0.20 and prior. Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14575: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14614: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14591: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Audit Plug-in). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14568: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14586: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14567: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Replication). Supported versions that are affected are 5.7.29 and prior and
8.0.19 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14559: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Information Schema). Supported versions that are affected are 5.6.48 and
prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols
to compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of MySQL Server accessible
data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14553: dev-db/mysql-5.5.62
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Pluggable Auth). Supported versions that are affected are 5.7.30
and prior and 8.0.20 and prior. Easily exploitable vulnerability allows
low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of MySQL Server
accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.5.62
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14702: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14651: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 4.94
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14663: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14624: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: JSON). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14697: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14643: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 4.94
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Roles). Supported versions that are affected are 8.0.20 and prior.
Easily exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of MySQL Server as well as
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14656: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Locking). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14623: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14631: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Audit). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14680: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14654: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14620: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14678: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 6.44
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Security: Privileges). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in takeover of MySQL Server. CVSS
3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14619: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Parser). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14597: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14576: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: UDF). Supported versions that are affected are 5.7.30 and prior and
8.0.20 and prior. Easily exploitable vulnerability allows low privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14614: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Optimizer). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14575: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: DML). Supported versions that are affected are 8.0.20 and
prior. Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14591: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Audit Plug-in). Supported versions that are affected are 8.0.20
and prior. Easily exploitable vulnerability allows low privileged attacker
with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14568: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.20 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via multiple
protocols to compromise MySQL Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14586: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Server: Security: Privileges). Supported versions that are affected are
8.0.20 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14567: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Replication). Supported versions that are affected are 5.7.29 and prior and
8.0.19 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of
MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14559: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------
[07/15/2020]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server:
Information Schema). Supported versions that are affected are 5.6.48 and
prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols
to compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of MySQL Server accessible
data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
 
CatPkg:
------
dev-db/mysql
 
KitBranch:
---------
core-server-kit/1.4-release
 
labels:
------
security
 
AffectsVersions:
---------------
5.6.42
 
Facts:
-----
https://security.netapp.com/advisory/ntap-20200717-0004/
https://usn.ubuntu.com/4441-1/
https://www.oracle.com/security-alerts/cpujul2020.html
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
 
Summary:
-------
CVE-2020-14553: dev-db/mysql-5.6.42
 
Scores:
------
Impact: 2.86
Ability to Exploit: _
 
Description:
-----------