
CVE Number / Description

CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Branch Target Injection, Spectre Variant 2.

CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

CVE-2018-3640: Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a.

CVE-2017-17562: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request and reference it using /proc/self/fd/0.
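Scanning web server access logs for the parameter names this GoAhead issue relies on is one practical detection. The script below is an added example written for this page, not code from GoAhead or from the original advisory; the log lines are constructed samples in combined-log style and the function names are hypothetical. Parameter names are percent-decoded before matching, so an encoded %4c%44_LIBRARY_PATH is caught as well as the plain LD_PRELOAD form.

```shell
#!/bin/sh
# Added example: flag requests whose query string carries a parameter named LD_*
# (LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT ...). These are the names the glibc
# dynamic linker honours and that a vulnerable GoAhead cgiHandler would export
# into the CGI child's environment. Names are percent-decoded before matching.

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [20/Dec/2017:10:01:02 +0000] "POST /cgi-bin/test.cgi?LD_PRELOAD=/proc/self/fd/0 HTTP/1.1" 200 12
10.0.0.6 - - [20/Dec/2017:10:01:03 +0000] "GET /cgi-bin/test.cgi?name=alice&ld_debug=0 HTTP/1.1" 200 40
10.0.0.7 - - [20/Dec/2017:10:01:04 +0000] "POST /cgi-bin/x.cgi?%4c%44_LIBRARY_PATH=%2Ftmp HTTP/1.1" 200 12
10.0.0.8 - - [20/Dec/2017:10:01:05 +0000] "GET /index.html?LD_PRELOAD=1 HTTP/1.1" 404 4'

# Read log lines on stdin, print every line whose decoded query string has a
# parameter name starting with LD_. Environment names are case-sensitive, so
# the lowercase ld_debug on the second sample line is not flagged.
flag_ld_env_injection() {
  awk '
  # Minimal percent-decoder: turns %XX into the byte it encodes and leaves
  # everything else untouched. Needed because the attacker controls the raw
  # request bytes and can encode the name to dodge a plain string match.
  function urldecode(s,   out, c, h, hi, lo) {
    out = ""
    while (length(s) > 0) {
      c = substr(s, 1, 1)
      if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
        h  = toupper(substr(s, 2, 2))
        hi = index("0123456789ABCDEF", substr(h, 1, 1)) - 1
        lo = index("0123456789ABCDEF", substr(h, 2, 1)) - 1
        out = out sprintf("%c", hi * 16 + lo)
        s = substr(s, 4)
      } else {
        out = out c
        s = substr(s, 2)
      }
    }
    return out
  }
  {
    # The request line is the second double-quoted field: "METHOD TARGET PROTO"
    n = split($0, q, "\"")
    if (n < 2) next
    split(q[2], r, " ")
    target = r[2]
    qpos = index(target, "?")
    if (qpos == 0) next
    m = split(substr(target, qpos + 1), params, "&")
    for (i = 1; i <= m; i++) {
      split(params[i], kv, "=")
      if (urldecode(kv[1]) ~ /^LD_/) { print; break }
    }
  }'
}

# Number of flagged lines, as a bare integer on stdout.
count_ld_env_injection() {
  flag_ld_env_injection | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_ld_env_injection
```

Run it as `flag_ld_env_injection < access.log`. The match is deliberately not limited to /cgi-bin paths, because the CGI prefix is configurable and a request carrying an LD_ parameter name is worth a look whatever it targets.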
CVE Number / Description

CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

A list of impacted products for all four MDS issues can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
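A practical host check for the CPU issues in both tables above: the Linux kernel exports its own assessment of each speculative-execution issue as one file under /sys/devices/system/cpu/vulnerabilities, and /proc/cpuinfo shows whether the CPU advertises the microcode features the mitigations depend on (md_clear for the MDS family, ssbd for Variant 4). The script below is an added example for this page, not a vendor or kernel tool; the directory and cpuinfo paths can be overridden so it can be exercised on constructed data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of the speculative execution
# issues listed above. Each file under the vulnerabilities directory is one
# issue (spectre_v2 for CVE-2017-5715, spec_store_bypass for CVE-2018-3639,
# mds for CVE-2018-12126/12127/12130 and CVE-2019-11091); its content starts
# with "Not affected", "Mitigation: ..." or "Vulnerable...". Variant 3a
# (CVE-2018-3640) is fixed in microcode only and has no sysfs entry.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# report_cpu_vulns [DIR]: print one line per issue; return 0 only if nothing
# is reported as Vulnerable. A "Mitigation ... SMT vulnerable" line is printed
# as a warning: the MDS mitigation is incomplete while hyper-threading is on.
report_cpu_vulns() {
  dir="${1:-$VULN_DIR_DEFAULT}"
  bad=0
  if [ ! -d "$dir" ]; then
    echo "no $dir: kernel predates these reports, treat status as unknown" >&2
    return 2
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    status=$(cat "$f")
    case "$status" in
      Vulnerable*)                  echo "FAIL $name: $status"; bad=$((bad + 1)) ;;
      Mitigation*"SMT vulnerable"*) echo "WARN $name: $status" ;;
      "Not affected"*|Mitigation*)  echo "ok   $name: $status" ;;
      *)                            echo "??   $name: $status" ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# cpu_has_flag FLAG [CPUINFO]: does the first "flags" line list FLAG?
# md_clear only appears once the MDS microcode (Intel SA-00233) is loaded;
# ssbd is the Speculative Store Bypass Disable control for Variant 4.
cpu_has_flag() {
  flag="$1"
  info="${2:-/proc/cpuinfo}"
  grep '^flags' "$info" 2>/dev/null | head -n 1 | tr ' ' '\n' | grep -qx "$flag"
}

if report_cpu_vulns; then
  echo "all reported issues mitigated or not applicable"
else
  echo "review the FAIL/WARN lines above"
fi
for flag in md_clear ssbd; do
  if cpu_has_flag "$flag"; then
    echo "cpu flag $flag: present"
  else
    echo "cpu flag $flag: missing (microcode not loaded or CPU lacks it)"
  fi
done
```

The sysfs files are the authoritative answer for "is this host mitigated"; the cpuinfo flags explain why a file says Vulnerable when the kernel is new enough (typically the microcode update has not been applied).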
CVE Number / Description

CVE-2019-3862: An out-of-bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

CVE-2019-3863: A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard-interactive response messages whose total length is greater than the maximum value of an unsigned char. This value is used as an index when copying memory, causing an out-of-bounds memory write.

CVE-2019-3855: An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2019-3856: An integer overflow flaw, which could lead to an out-of-bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2019-3857: An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

CVE-2016-0787: The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

CVE-2018-20169: An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.

CVE-2019-11833: fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem.

CVE-2019-12378: ** DISPUTED ** An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue.

CVE-2019-12381: ** DISPUTED ** An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL.

CVE-2018-5750: The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.

CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allows local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.

CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

CVE-2019-11479: Jonathan Looney discovered that the minimum MSS the Linux kernel accepts from a peer is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger minimum MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented excessively when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.
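Every libssh2 entry above is closed by 1.8.1 (CVE-2016-0787 by 1.7.0), and the three TCP SACK entries name the exact stable releases that carry the fix, so a first-pass host check reduces to version comparison. The script below is an added example for this page, not code from libssh2, the kernel or the original advisory; version_ge, sack_fix_floor and the other function names are hypothetical. One caveat a practitioner should keep in mind: distribution kernels and libraries routinely backport fixes without bumping the upstream version string, so "not covered by version" from this check means "confirm with the vendor's changelog", not "exploitable".

```shell
#!/bin/sh
# Added example: gate on the versions the advisory names.
#  - libssh2: CVE-2019-3855/3856/3857/3862/3863 fixed in 1.8.1
#  - CVE-2019-11477/11478/11479: fixed in 4.4.182, 4.9.182, 4.14.127,
#    4.19.52, 5.1.11 and present in mainline from 5.2 onward

# version_ge A B: true if dotted version A >= B, compared numerically
# component by component; missing components count as 0, so 1.8 == 1.8.0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# Lowest release of a stable series that carries the SACK fixes; empty when
# the series is not one of those the advisory lists.
sack_fix_floor() {
  case "$1" in
    4.4)  echo 4.4.182 ;;
    4.9)  echo 4.9.182 ;;
    4.14) echo 4.14.127 ;;
    4.19) echo 4.19.52 ;;
    5.1)  echo 5.1.11 ;;
    *)    echo "" ;;
  esac
}

# kernel_has_sack_fix UNAME_R: strip the distro suffix (5.4.0-42-generic ->
# 5.4.0), look up the series floor; for series not in the table, mainline
# 5.2 and later carry the fix while older unlisted series (3.x, 4.20, 5.0)
# never received it.
kernel_has_sack_fix() {
  v="${1%%-*}"
  series="${v%.*}"
  floor=$(sack_fix_floor "$series")
  if [ -n "$floor" ]; then
    version_ge "$v" "$floor"
  else
    version_ge "$series" 5.2
  fi
}

# libssh2_patched VERSION: 1.8.1 or later closes every libssh2 entry above.
libssh2_patched() {
  version_ge "$1" 1.8.1
}

# Live checks on this host. pkg-config only sees the development package;
# for a runtime-only install query the package manager instead.
if kernel_has_sack_fix "$(uname -r)"; then
  echo "kernel $(uname -r): SACK fixes present by version"
else
  echo "kernel $(uname -r): not covered by version, check vendor backports"
fi
if v=$(pkg-config --modversion libssh2 2>/dev/null); then
  if libssh2_patched "$v"; then
    echo "libssh2 $v: patched"
  else
    echo "libssh2 $v: update to 1.8.1 or later"
  fi
else
  echo "libssh2: not found via pkg-config"
fi
```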
