
Find a vulnerability


    39 vulnerabilities

    CVE-2026-10549 (GCVE-0-2026-10549)

    Vulnerability from cvelistv5 – Published: 2026-06-02 08:27 – Updated: 2026-06-02 13:30
    VLAI
    Title
    Privilege escalation in Yandex Database
    Summary
    LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-280 - Improper handling of insufficient permissions or privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex Yandex Database Affected: 0 , < 25.3.1.25 (custom)
    Date Public
    2026-06-02 08:26

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10549",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T13:29:57.773436Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T13:30:02.360Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Yandex Database",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "25.3.1.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-06-02T08:26:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database."
                }
              ],
              "value": "LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-280",
                  "description": "CWE-280 Improper handling of insufficient permissions or privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T08:27:06.020Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://ydb.tech/docs/ru/security-changelog"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Privilege escalation in Yandex Database",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2026-10549",
        "datePublished": "2026-06-02T08:27:06.020Z",
        "dateReserved": "2026-06-01T13:30:40.384Z",
        "dateUpdated": "2026-06-02T13:30:02.360Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5469 (GCVE-0-2025-5469)

    Vulnerability from cvelistv5 – Published: 2025-12-09 15:55 – Updated: 2025-12-09 16:04
    VLAI
    Title
    Dylib Hijacking in Yandex Messenger
    Summary
    Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.245
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Messenger Affected: 0 , < 2.245 (custom)
    Credits
    Egor Filatov, Positive Technologies

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5469",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T16:04:09.847193Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:04:55.296Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Messenger",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "2.245",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Egor Filatov, Positive Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.\u003cp\u003eThis issue affects Telemost: before 2.245\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-471",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-471 Search Order Hijacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/R:A",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427 Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-09T15:55:59.459Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-products"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Dylib Hijacking in Yandex Messenger",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2025-5469",
        "datePublished": "2025-12-09T15:55:59.459Z",
        "dateReserved": "2025-06-02T12:52:09.646Z",
        "dateUpdated": "2025-12-09T16:04:55.296Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5471 (GCVE-0-2025-5471)

    Vulnerability from cvelistv5 – Published: 2025-12-09 15:53 – Updated: 2025-12-09 16:12
    VLAI
    Title
    Dylib Hijacking in Yandex Telemost
    Summary
    Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.19.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Telemost Affected: 0 , < 2.19.1 (custom)
    Credits
    Egor Filatov, Positive Technologies

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5471",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T16:12:07.201918Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:12:18.303Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Telemost",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "2.19.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Egor Filatov, Positive Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking.\u003cp\u003eThis issue affects Telemost: before 2.19.1.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.19.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-471",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-471 Search Order Hijacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/R:A/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427 Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-09T15:53:23.306Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-products"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Dylib Hijacking in Yandex Telemost",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2025-5471",
        "datePublished": "2025-12-09T15:53:23.306Z",
        "dateReserved": "2025-06-02T12:52:20.730Z",
        "dateUpdated": "2025-12-09T16:12:18.303Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5470 (GCVE-0-2025-5470)

    Vulnerability from cvelistv5 – Published: 2025-12-09 15:50 – Updated: 2025-12-09 16:13
    VLAI
    Title
    Dylib Hijacking in Yandex Disk
    Summary
    Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking. This issue affects Disk: before 3.2.45.3275.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Disk Affected: 0 , < 3.2.45.3275 (custom)
    Credits
    Egor Filatov, Positive Technologies

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5470",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-09T16:12:43.037070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-09T16:13:33.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "MacOS"
              ],
              "product": "Disk",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "3.2.45.3275",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Egor Filatov, Positive Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.\u003cp\u003eThis issue affects Disk: before 3.2.45.3275.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-471",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-471 Search Order Hijacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/R:A/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427 Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-09T15:50:39.776Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-products"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Dylib Hijacking in Yandex Disk",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2025-5470",
        "datePublished": "2025-12-09T15:50:39.776Z",
        "dateReserved": "2025-06-02T12:52:19.275Z",
        "dateUpdated": "2025-12-09T16:13:33.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12168 (GCVE-0-2024-12168)

    Vulnerability from cvelistv5 – Published: 2025-06-02 12:44 – Updated: 2025-06-02 13:04
    VLAI
    Title
    DLL Hijacking in Yandex Telemost
    Summary
    Yandex Telemost for Desktop before 2.7.0 has a DLL Hijacking Vulnerability because an untrusted search path is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Telemost Affected: 0 , < 2.7.0 (custom)
    Credits
    PT SWARM experts, Positive Technologies

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-02T13:04:21.551084Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T13:04:26.267Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Telemost",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "2.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "PT SWARM experts, Positive Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Telemost for Desktop before \u003cspan style=\"background-color: var(--wht);\"\u003e2.7.0\u0026nbsp;\u003c/span\u003ehas a DLL Hijacking Vulnerability because an untrusted search path is used.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Yandex Telemost for Desktop before 2.7.0\u00a0has a DLL Hijacking Vulnerability because an untrusted search path is used."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-02T12:44:31.161Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-products"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DLL Hijacking in Yandex Telemost",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2024-12168",
        "datePublished": "2025-06-02T12:44:31.161Z",
        "dateReserved": "2024-12-04T14:59:57.771Z",
        "dateUpdated": "2025-06-02T13:04:26.267Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-26226 (GCVE-0-2023-26226)

    Vulnerability from cvelistv5 – Published: 2025-05-30 17:23 – Updated: 2025-05-30 17:48
    VLAI
    Title
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    Summary
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.4.0.682 (custom)
    Credits
    khangkito

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-30T17:48:08.779287Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-30T17:48:16.518Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.4.0.682",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "khangkito"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
                }
              ],
              "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-30T17:23:54.571Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2023-26226",
        "datePublished": "2025-05-30T17:23:54.571Z",
        "dateReserved": "2023-02-20T22:19:35.320Z",
        "dateUpdated": "2025-05-30T17:48:16.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-16536 (GCVE-0-2019-16536)

    Vulnerability from cvelistv5 – Published: 2025-05-21 07:13 – Updated: 2025-05-21 13:49
    VLAI
    Title
    Stack overflow leading to DoS can be triggered by a malicious authenticated client.
    Summary
    Stack overflow leading to DoS can be triggered by a malicious authenticated client in Clickhouse before 19.14.3.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    Impacted products
    Vendor Product Version
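    Clickhouse DB Affected: 19.14.3.3 (semver) — the record lists this single version with no lessThan bound, while the summary says releases before 19.14.3.3 are affected; version matching on this field alone would not cover the earlier releases.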
    Credits
    Eldar Zaitov of Yandex Information Security Team

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-16536",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T13:49:29.127360Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T13:49:34.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "DB",
              "vendor": "Clickhouse",
              "versions": [
                {
                  "status": "affected",
                  "version": "19.14.3.3",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Eldar Zaitov of Yandex Information Security Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eStack overflow leading to DoS can be triggered by a malicious authenticated client in Clickhouse before 19.14.3.3.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Stack overflow leading to DoS can be triggered by a malicious authenticated client in Clickhouse before 19.14.3.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:13:15.603Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://clickhouse.com/docs/whats-new/security-changelog"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stack overflow leading to DoS can be triggered by a malicious authenticated client.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2019-16536",
        "datePublished": "2025-05-21T07:13:15.603Z",
        "dateReserved": "2019-09-19T00:00:00.000Z",
        "dateUpdated": "2025-05-21T13:49:34.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25262 (GCVE-0-2021-25262)

    Vulnerability from cvelistv5 – Published: 2025-05-21 07:07 – Updated: 2025-05-21 13:51
    VLAI
    Title
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.
    Summary
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
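    Yandex Browser Affected: 21.3.0 (custom) — the record lists this single version with no lessThan bound, while the summary says releases prior to 21.3.0 are affected; version matching on this field alone would not cover the earlier releases.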
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T13:51:35.327719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T13:51:43.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
                }
              ],
              "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:07:29.310Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25262",
        "datePublished": "2025-05-21T07:07:29.310Z",
        "dateReserved": "2021-01-15T16:29:27.870Z",
        "dateUpdated": "2025-05-21T13:51:43.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25255 (GCVE-0-2021-25255)

    Vulnerability from cvelistv5 – Published: 2025-05-21 07:04 – Updated: 2025-05-21 14:07
    VLAI
    Title
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    Summary
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
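    Yandex Browser Lite Affected: 21.1.0 (custom) — the record lists this single version with no lessThan bound, while the summary says releases prior to 21.1.0 are affected; version matching on this field alone would not cover the earlier releases.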
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T14:07:35.324725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T14:07:41.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:04:02.436Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25255",
        "datePublished": "2025-05-21T07:04:02.436Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T14:07:41.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25254 (GCVE-0-2021-25254)

    Vulnerability from cvelistv5 – Published: 2025-05-21 06:58 – Updated: 2025-05-21 22:09
    VLAI
    Title
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    Summary
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
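    Yandex Browser Lite Affected: 21.1.0 (custom) — the record lists this single version with no lessThan bound, while the summary says releases before 21.1.0 are affected; version matching on this field alone would not cover the earlier releases.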
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T22:09:21.003649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T22:09:29.774Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
                }
              ],
              "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T06:58:00.753Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25254",
        "datePublished": "2025-05-21T06:58:00.753Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T22:09:29.774Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6473 (GCVE-0-2024-6473)

    Vulnerability from cvelistv5 – Published: 2024-09-03 10:35 – Updated: 2024-09-03 13:55
    VLAI
    Title
    DLL Hijacking in Yandex Browser
    Summary
    Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.7.1.380 (custom)
    yandex yandex_browser Affected: 0 , < 24.7.1.380 (custom)
        cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*
    Date Public
    2024-09-03 09:00
    Credits
    Doctor Web, Ltd.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yandex_browser",
                "vendor": "yandex",
                "versions": [
                  {
                    "lessThan": "24.7.1.380",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6473",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T13:50:44.729657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T13:55:15.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.7.1.380",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Doctor Web, Ltd."
            }
          ],
          "datePublic": "2024-09-03T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T10:35:59.145Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "DLL Hijacking in Yandex Browser",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2024-6473",
        "datePublished": "2024-09-03T10:35:59.145Z",
        "dateReserved": "2024-07-03T10:56:50.777Z",
        "dateUpdated": "2024-09-03T13:55:15.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28228 (GCVE-0-2022-28228)

    Vulnerability from cvelistv5 – Published: 2022-12-23 00:00 – Updated: 2025-04-15 15:12
    Summary
    An out-of-bounds read was discovered in the YDB server. An attacker could construct a query with an INSERT statement that would allow them to read sensitive information from other memory locations or cause a crash.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Out-of-bounds Read
    • CWE-125 - Out-of-bounds Read
    Assigner
    Impacted products
    Vendor Product Version
    n/a YDB Affected: All versions prior to version 22.4.44

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.596Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ydb.tech/ru/docs/security-changelog#28-11-2022"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-15T13:26:37.599068Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-125",
                    "description": "CWE-125 Out-of-bounds Read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-15T15:12:57.634Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YDB",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.4.44"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds read was discovered in YDB server. An attacker could construct a query with insert statement that would allow him to read sensitive information from other memory locations or cause a crash."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Out-of-bounds Read",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-23T00:00:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://ydb.tech/ru/docs/security-changelog#28-11-2022"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28228",
        "datePublished": "2022-12-23T00:00:00.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2025-04-15T15:12:57.634Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28229 (GCVE-0-2022-28229)

    Vulnerability from cvelistv5 – Published: 2022-12-23 00:00 – Updated: 2025-04-15 13:25
    Summary
    The hash functionality in userver before commit 42059b6319661583b3080cab9b595d4f8ac48128 allows attackers to cause a denial of service via a crafted HTTP request, involving collisions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Uncontrolled Resource Consumption
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    n/a userver Affected: All versions prior to version 42059b6319661583b3080cab9b595d4f8ac48128

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.447Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://userver.tech/df/d3a/md_en_userver_security_changelog.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28229",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-15T13:24:14.207155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-15T13:25:11.253Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "userver",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 42059b6319661583b3080cab9b595d4f8ac48128"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The hash functionality in userver before 42059b6319661583b3080cab9b595d4f8ac48128 allows attackers to cause a denial of service via crafted HTTP request, involving collisions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-23T00:00:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://userver.tech/df/d3a/md_en_userver_security_changelog.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28229",
        "datePublished": "2022-12-23T00:00:00.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2025-04-15T13:25:11.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28225 (GCVE-0-2022-28225)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:10 – Updated: 2024-08-03 05:48
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.684

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.684"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:10:32.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28225",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.684"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28225",
        "datePublished": "2022-06-15T19:10:32.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28226 (GCVE-0-2022-28226)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:06 – Updated: 2024-08-03 05:48
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating temporary files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.801

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.380Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.801"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:17.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28226",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.801"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28226",
        "datePublished": "2022-06-15T19:06:17.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25261 (GCVE-0-2021-25261)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:05 – Updated: 2024-08-03 19:56
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.5.0.862

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.090Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.5.0.862"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:05:54.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25261",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.5.0.862"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25261",
        "datePublished": "2022-06-15T19:05:54.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.090Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27970 (GCVE-0-2020-27970)

    Vulnerability from cvelistv5 – Published: 2021-09-13 11:46 – Updated: 2024-08-04 16:25
    Summary
    Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser Lite for Android Affected: All versions prior to version 20.10.0.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.126Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser Lite for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.10.0."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:46:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27970",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser Lite for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.10.0."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27970",
        "datePublished": "2021-09-13T11:46:00.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27969 (GCVE-0-2020-27969)

    Vulnerability from cvelistv5 – Published: 2021-09-13 11:44 – Updated: 2024-08-04 16:25
    VLAI
    Summary
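    Yandex Browser for Android 20.8.4 allows remote attackers to perform same-origin policy (SOP) bypass and address bar spoofing. (Note: this description names 20.8.4, while the Impacted products field of this record lists all versions prior to 20.8.4; confirm the fixed version against the vendor reference before relying on either boundary.)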
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser for Android Affected: All versions prior to version 20.8.4.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.099Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.8.4."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:44:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27969",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.8.4."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27969",
        "datePublished": "2021-09-13T11:44:01.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25263 (GCVE-0-2021-25263)

    Vulnerability from cvelistv5 – Published: 2021-08-17 18:34 – Updated: 2024-08-03 19:56
    VLAI
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 21.9.0.390

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 21.9.0.390"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:06.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25263",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 21.9.0.390"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25263",
        "datePublished": "2021-08-17T18:34:04.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-15024 (GCVE-0-2019-15024)

    Vulnerability from cvelistv5 – Published: 2019-12-30 14:39 – Updated: 2024-08-05 00:34
    VLAI
    Summary
    In all versions of ClickHouse before 19.14.3, an attacker who has write access to ZooKeeper and is able to run a custom server reachable from the network where ClickHouse runs can create a custom-built malicious server that acts as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the malicious replica, the malicious replica can force clickhouse-server to write to an arbitrary path on the filesystem.
    Severity
    No CVSS data available.
    CWE
    • Arbitrary write
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a ClickHouse Affected: All versions prior to version 19.14.3.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:34:53.024Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 19.14.3."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Arbitrary write",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-30T14:39:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2019-15024",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 19.14.3."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Arbitrary write"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "MISC",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2019-15024",
        "datePublished": "2019-12-30T14:39:00.000Z",
        "dateReserved": "2019-08-13T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:34:53.024Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-16535 (GCVE-0-2019-16535)

    Vulnerability from cvelistv5 – Published: 2019-12-30 14:35 – Updated: 2024-08-05 01:17
    VLAI
    Summary
    In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol.
    Severity
    No CVSS data available.
    CWE
    • DOS, RCE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a ClickHouse Affected: All versions prior to version 19.14.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T01:17:40.278Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 19.14."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "DOS, RCE",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-30T14:35:21.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2019-16535",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 19.14."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "DOS, RCE"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "MISC",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2019-16535",
        "datePublished": "2019-12-30T14:35:21.000Z",
        "dateReserved": "2019-09-19T00:00:00.000Z",
        "dateUpdated": "2024-08-05T01:17:40.278Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14672 (GCVE-0-2018-14672)

    Vulnerability from cvelistv5 – Published: 2019-08-15 17:54 – Updated: 2024-08-05 09:38
    VLAI
    Summary
    In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.
    Severity
    No CVSS data available.
    CWE
    • Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a ClickHouse Affected: All versions prior to version 18.12.13.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:38:13.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 18.12.13."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-15T17:54:05.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2018-14672",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 18.12.13."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "MISC",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2018-14672",
        "datePublished": "2019-08-15T17:54:05.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:38:13.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14671 (GCVE-0-2018-14671)

    Vulnerability from cvelistv5 – Published: 2019-08-15 17:46 – Updated: 2024-08-05 09:38
    VLAI
    Summary
    In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Remote Code Execution
    Assigner
    References
    Impacted products
    Vendor Product Version
    ClickHouse ClickHouse Affected: All versions prior to version 18.10.3.
    Date Public
    2019-08-13 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:38:12.939Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "ClickHouse",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 18.10.3."
                }
              ]
            }
          ],
          "datePublic": "2019-08-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-15T17:46:03.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2018-14671",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 18.10.3."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ClickHouse"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "CONFIRM",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2018-14671",
        "datePublished": "2019-08-15T17:46:03.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:38:12.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14669 (GCVE-0-2018-14669)

    Vulnerability from cvelistv5 – Published: 2019-08-15 17:39 – Updated: 2024-08-05 09:38
    VLAI
    Summary
    ClickHouse MySQL client before version 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled, which allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server.
    Severity
    No CVSS data available.
    CWE
    • Local File Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a ClickHouse Affected: All versions prior to version 1.1.54390.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:38:12.908Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 1.1.54390."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ClickHouse MySQL client before versions 1.1.54390 had \"LOAD DATA LOCAL INFILE\" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Local File Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-15T17:39:30.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2018-14669",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 1.1.54390."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ClickHouse MySQL client before versions 1.1.54390 had \"LOAD DATA LOCAL INFILE\" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Local File Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "MISC",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2018-14669",
        "datePublished": "2019-08-15T17:39:30.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:38:12.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14668 (GCVE-0-2018-14668)

    Vulnerability from cvelistv5 – Published: 2019-08-15 17:31 – Updated: 2024-08-05 09:38
    VLAI
    Summary
    In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
    Severity
    No CVSS data available.
    CWE
    • Cross Protocol Request Forgery
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a ClickHouse Affected: All versions prior to version 1.1.54388.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:38:12.930Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 1.1.54388."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In ClickHouse before 1.1.54388, \"remote\" table function allowed arbitrary symbols in \"user\", \"password\" and \"default_database\" fields which led to Cross Protocol Request Forgery Attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Protocol Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-15T17:31:24.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2018-14668",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 1.1.54388."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In ClickHouse before 1.1.54388, \"remote\" table function allowed arbitrary symbols in \"user\", \"password\" and \"default_database\" fields which led to Cross Protocol Request Forgery Attacks."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Protocol Request Forgery"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "MISC",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2018-14668",
        "datePublished": "2019-08-15T17:31:24.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:38:12.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-14670 (GCVE-0-2018-14670)

    Vulnerability from cvelistv5 – Published: 2019-08-15 17:13 – Updated: 2024-08-05 09:38
    VLAI
    Summary
    Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database.
    Severity
    No CVSS data available.
    CWE
    • Execution with Unnecessary Privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    ClickHouse ClickHouse Affected: All versions prior to version 1.1.54131.
    Date Public
    2019-08-13 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:38:13.009Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://clickhouse.yandex/docs/en/security_changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ClickHouse",
              "vendor": "ClickHouse",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 1.1.54131."
                }
              ]
            }
          ],
          "datePublic": "2019-08-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Execution with Unnecessary Privileges",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-15T17:13:39.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://clickhouse.yandex/docs/en/security_changelog/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2018-14670",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ClickHouse",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 1.1.54131."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ClickHouse"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Execution with Unnecessary Privileges"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://clickhouse.yandex/docs/en/security_changelog/",
                  "refsource": "CONFIRM",
                  "url": "https://clickhouse.yandex/docs/en/security_changelog/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2018-14670",
        "datePublished": "2019-08-15T17:13:39.000Z",
        "dateReserved": "2018-07-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T09:38:13.009Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7325 (GCVE-0-2017-7325)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-16 22:36
    VLAI
    Summary
    Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.
    Severity
    No CVSS data available.
    CWE
    • Address bar spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser Affected: All versions prior to version 16.9.0
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.458Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 16.9.0"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Address bar spoofing",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7325",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 16.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Address bar spoofing"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7325",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:36:01.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7326 (GCVE-0-2017-7326)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-17 03:37
    VLAI
    Summary
    A race condition in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page.
    Severity
    No CVSS data available.
    CWE
    • Memory corruption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Android Affected: All versions prior to version 17.4.0.16.
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.417Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.0.16."
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Memory corruption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7326",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.0.16."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Memory corruption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7326",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:37:27.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7327 (GCVE-0-2017-7327)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-16 21:57
    VLAI
    Summary
    Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.
    Severity
    No CVSS data available.
    CWE
    • Dll hijacking
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Desktop Affected: All versions prior to version 17.4.1
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Desktop",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.1"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Dll hijacking",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7327",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Desktop",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Dll hijacking"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7327",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:57:43.175Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8508 (GCVE-0-2016-8508)

    Vulnerability from cvelistv5 – Published: 2017-03-01 15:00 – Updated: 2024-08-06 02:27
    VLAI
    Summary
    Yandex Browser for desktop before 17.1.1.227 does not show Protect warnings (Protect is similar to Safe Browsing in Chromium) on websites served with a special content-type, which a remote attacker could use to prevent the Protect warning from being shown on their own malicious website.
    Severity
    No CVSS data available.
    CWE
    • Yandex Browser Protect mechanism bypass
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for desktop Affected: before 17.1.1.227 for OSx and Windows
    Date Public
    2017-02-27 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:27:40.931Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "96514",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/96514"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for desktop",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "before 17.1.1.227 for OSx and Windows"
                }
              ]
            }
          ],
          "datePublic": "2017-02-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Yandex Browser Protect mechanism bypass",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-03-03T10:57:02.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "name": "96514",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/96514"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2016-8508",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for desktop",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "before 17.1.1.227 for OSx and Windows"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Yandex Browser Protect mechanism bypass"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "96514",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/96514"
                },
                {
                  "name": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1",
                  "refsource": "CONFIRM",
                  "url": "https://yandex.com/blog/security-changelogs/fixed-in-version-17-1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2016-8508",
        "datePublished": "2017-03-01T15:00:00.000Z",
        "dateReserved": "2016-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:27:40.931Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }