opensuse_project 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk input validation、vendor risk memory corruption, and vendor risk cross-site scripting に関連することが多く、vendor surface production workloads の文脈で vendor impact memory corruption and vendor impact unexpected behavior などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2017-17806 | The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. | [email protected] | 7.8 | 0.04% | 2017-12-20 | 2026-05-13 |
| CVE-2017-17805 | The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86 | [email protected] | 7.8 | 0.02% | 2017-12-20 | 2026-05-13 |
| CVE-2016-1254 | Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor. | [email protected] | 7.5 | 3.04% | 2017-12-05 | 2026-05-13 |
| CVE-2015-3138 | print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a denial of service (segmentation fault and process crash). | [email protected] | 7.5 | 0.94% | 2017-09-28 | 2026-05-13 |
| CVE-2014-4616 | Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function. | [email protected] | 5.9 | 0.38% | 2017-08-24 | 2026-05-13 |
| CVE-2015-3405 | ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. | [email protected] | 7.5 | 16.56% | 2017-08-09 | 2026-05-13 |
| CVE-2015-5203 | Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. | [email protected] | 5.5 | 0.60% | 2017-08-02 | 2026-05-13 |
| CVE-2015-5221 | Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. | [email protected] | 5.5 | 0.23% | 2017-07-25 | 2026-05-13 |
| CVE-2016-9961 | game-music-emu before 0.6.1 mishandles unspecified integer values. | [email protected] | 9.8 | 2.85% | 2017-06-06 | 2026-05-13 |
| CVE-2016-9960 | game-music-emu before 0.6.1 allows local users to cause a denial of service (divide by zero and process crash). | [email protected] | 5.5 | 0.10% | 2017-06-06 | 2026-05-13 |
| CVE-2016-9959 | game-music-emu before 0.6.1 allows remote attackers to generate out of bounds 8-bit values. | [email protected] | 7.8 | 0.31% | 2017-04-12 | 2026-05-13 |
| CVE-2016-9958 | game-music-emu before 0.6.1 allows remote attackers to write to arbitrary memory locations. | [email protected] | 7.8 | 0.31% | 2017-04-12 | 2026-05-13 |
| CVE-2016-9957 | Stack-based buffer overflow in game-music-emu before 0.6.1. | [email protected] | 7.8 | 0.29% | 2017-04-12 | 2026-05-13 |
| CVE-2017-6542 | The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact via a large length value in an agent protocol message and leveraging the ability to connect to the Unix-domain socket representing the forwarded agent connection, which trigger a buffer overflow. | [email protected] | 9.8 | 30.63% | 2017-03-27 | 2026-05-13 |
| CVE-2015-8010 | Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. | [email protected] | 6.1 | 0.35% | 2017-03-27 | 2026-05-13 |
| CVE-2016-7797 | Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. | [email protected] | 7.5 | 2.42% | 2017-03-24 | 2026-05-13 |
| CVE-2016-9556 | The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. | [email protected] | 5.5 | 0.30% | 2017-03-23 | 2026-05-13 |
| CVE-2016-10048 | Directory traversal vulnerability in magick/module.c in ImageMagick 6.9.4-7 allows remote attackers to load arbitrary modules via unspecified vectors. | [email protected] | 7.5 | 3.64% | 2017-03-23 | 2026-05-13 |
| CVE-2014-9851 | ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (application crash). | [email protected] | 7.5 | 1.94% | 2017-03-20 | 2026-05-13 |
| CVE-2014-9850 | Logic error in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (resource consumption). | [email protected] | 7.5 | 2.41% | 2017-03-20 | 2026-05-13 |