LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2006-5876 CVE STATUS: Patched CVE SUMMARY: The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5876 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2009-0585 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0585 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2011-2524 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2524 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2012-2132 CVE STATUS: Patched CVE SUMMARY: libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2132 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2017-2885 CVE STATUS: Patched CVE SUMMARY: An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2885 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2018-11713 CVE STATUS: Patched CVE SUMMARY: WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11713 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2018-12910 CVE STATUS: Patched CVE SUMMARY: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12910 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2019-17266 CVE STATUS: Patched CVE SUMMARY: libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17266