Security Measurement

Days of Risk Report (automatically generated)

This is a sample report run from the publicly available data sets. Other example reports are also available, or alternatively run your own with the programs provided.

Product: Red Hat Enterprise Linux 8 (all packages)
CPE: cpe:/o:redhat:enterprise_linux:8
Starting date: 20190507
Ending date: 20210420
For Severity: Critical

24 issues with half of all issues (median) fixed within 5.5 days. Average of 21.1 days.

| CVE | RHSA | Description | Severity | Public | Fixed | Days |
|---|---|---|---|---|---|---|
| CVE-2020-27221 | RHSA-2021:0736 | In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. | C | 20210212 | 20210304 | 20 |
| CVE-2020-16044 | RHSA-2021:0052 RHSA-2021:0089 | Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. | C | 20210106 | 20210111 | 5 |
| CVE-2020-26950 | RHSA-2020:5100 RHSA-2020:5146 | In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2. | C | 20201109 | 20201112 | 3 |
| CVE-2020-1147 | RHSA-2020:2938 RHSA-2020:2954 | A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'. | C | 20200714 | 20200715 | 1 |
| CVE-2020-12387 | RHSA-2020:2031 RHSA-2020:2046 | A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. | C | 20200505 | 20200506 | 1 |
| CVE-2020-12395 | RHSA-2020:2031 RHSA-2020:2046 | Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. | C | 20200505 | 20200506 | 1 |
| CVE-2020-6819 | RHSA-2020:1341 RHSA-2020:1495 | Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. | C | 20200403 | 20200407 | 4 |
| CVE-2020-6820 | RHSA-2020:1341 RHSA-2020:1495 | Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. | C | 20200403 | 20200407 | 4 |
| CVE-2020-11100 | RHSA-2020:1288 | In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. | C | 20200402 | 20200402 | 0 |
| CVE-2020-0603 | RHSA-2020:0130 | A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka 'ASP.NET Core Remote Code Execution Vulnerability'. | C | 20200114 | 20200116 | 2 |
| CVE-2019-17026 | RHSA-2020:0111 RHSA-2020:0127 | Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. | C | 20200108 | 20200114 | 6 |
| CVE-2019-11043 | RHSA-2019:3735 RHSA-2019:3736 | In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. | C | 20191024 | 20191106 | 13 |
| CVE-2019-11764 | RHSA-2019:3196 RHSA-2019:3237 | Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. | C | 20191022 | 20191024 | 2 |
| CVE-2019-11709 | RHSA-2019:1764 RHSA-2019:1799 | Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | C | 20190710 | 20190711 | 1 |
| CVE-2019-11707 | RHSA-2019:1623 RHSA-2019:1696 | A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. | C | 20190619 | 20190627 | 8 |
| CVE-2019-9800 | RHSA-2019:1269 RHSA-2019:1308 | Mozilla developers and community members reported memory safety bugs present in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | C | 20190522 | 20190523 | 1 |
| CVE-2018-12547 | RHSA-2019:1238 | In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code. | C | 20190301 | 20190516 | 76 |
| CVE-2018-12549 | RHSA-2019:1238 | In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. | C | 20190301 | 20190516 | 76 |
| CVE-2019-9788 | RHSA-2019:0966 RHSA-2019:1144 | Mozilla developers and community members reported memory safety bugs present in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | C | 20190320 | 20190507 | 48 |
| CVE-2019-9790 | RHSA-2019:0966 RHSA-2019:1144 | A use-after-free vulnerability can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | C | 20190320 | 20190507 | 48 |
| CVE-2019-9791 | RHSA-2019:0966 RHSA-2019:1144 | The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | C | 20190320 | 20190507 | 48 |
| CVE-2019-9792 | RHSA-2019:0966 RHSA-2019:1144 | The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout. This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | C | 20190320 | 20190507 | 48 |
| CVE-2019-9810 | RHSA-2019:0966 RHSA-2019:1144 | Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. | C | 20190322 | 20190507 | 46 |
| CVE-2019-9813 | RHSA-2019:0966 RHSA-2019:1144 | Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. | C | 20190322 | 20190507 | 46 |

Notes:

  • This report is for illustrative purposes only and has been generated automatically. You are advised to check the report and data for accuracy if you are relying on its contents.
  • The date an issue was first known to the public is based on data collected by Red Hat, Steven Christey, and third-party researchers. The date an issue was fixed is parsed from data supplied by Red Hat Network with additional data from the archives of Red Hat mailing lists. The raw data is available.
  • The description (where supplied) is taken verbatim from the CVE dictionary.
  • Dates are based on UTC timezone where possible. The actual time of day an advisory is released and issue is public is not taken into account, therefore some issues that say "1 day" are actually less than 24 hours. "0 day" means 'on the same date'.