CVEs from 2016
Total
8,453
critical
critical 1,164
high
high 3,521
medium
medium 3,173
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0634 | high | 7.5 | 7.5 | 9y ago | The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. | |||
| CVE-2016-5816 | high | 7.5 | 7.5 | 9y ago | A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded privat… | |||
| CVE-2016-6796 | high | 7.5 | 7.5 | 9y ago | Apache Tomcat vulnerable to SecurityManager bypass | |||
| CVE-2016-8745 | high | 7.5 | 7.5 | 9y ago | A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted… | |||
| CVE-2016-6817 | high | 7.5 | 7.5 | 9y ago | The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of s… | |||
| CVE-2016-6797 | high | 7.5 | 7.5 | 9y ago | Incorrect Authorization in Apache Tomcat | |||
| CVE-2016-8739 | high | 7.5 | 7.5 | 9y ago | Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS | |||
| CVE-2016-4456 | high | 7.5 | 7.5 | 9y ago | The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem. | |||
| CVE-2016-6220 | high | 7.5 | 7.5 | 9y ago | Information Disclosure vulnerability in the Dashboard and Error Pages in Trend Micro Control Manager SP3 6.0. | |||
| CVE-2016-8743 | high | 7.5 | 7.5 | 9y ago | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors repres… | |||
| CVE-2016-2161 | high | 7.5 | 7.5 | 9y ago | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. | |||
| CVE-2016-10399 | high | 7.5 | 7.5 | 9y ago | Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted … | |||
| CVE-2016-7539 | high | 7.5 | 7.5 | 9y ago | Memory leak in AcquireVirtualMemory in ImageMagick before 7 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors. | |||
| CVE-2016-10400 | high | 7.5 | 7.5 | 9y ago | Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= af… | |||
| CVE-2016-8951 | high | 7.5 | 7.5 | 9y ago | IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to a denial of service attack. An attacker can exploit a vulnerability in the authentication features that co… | |||
| CVE-2016-10397 | high | 7.5 | 7.5 | 9y ago | In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.e… | |||
| CVE-2016-10396 | high | 7.5 | 7.5 | 9y ago | The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhau… | |||
| CVE-2016-3997 | high | 7.5 | 7.5 | 9y ago | NetApp Clustered Data ONTAP allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service by leveraging failure to enable SMB signing enforcement i… | |||
| CVE-2016-3400 | high | 7.5 | 7.5 | 9y ago | NetApp Data ONTAP 8.1 and 8.2, when operating in 7-Mode, allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service via vectors related to the S… | |||
| CVE-2016-10042 | high | 7.5 | 7.5 | 9y ago | Authorization Bypass in the Web interface of Arcadyan SLT-00 Star* (aka Swisscom Internet-Box) devices before R7.7 allows unauthorized reconfiguration of the static routing table via an unauthenticat… | |||
| CVE-2016-6342 | high | 7.5 | 7.5 | 9y ago | elog 3.1.1 allows remote attackers to post data as any username in the logbook. | |||
| CVE-2016-5414 | high | 7.5 | 7.5 | 9y ago | FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services. | |||
| CVE-2016-9738 | high | 7.5 | 7.5 | 9y ago | IBM QRadar 7.2 and 7.3 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 119783. | |||
| CVE-2016-10363 | high | 7.5 | 7.5 | 9y ago | Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Log… | |||
| CVE-2016-1000222 | high | 7.5 | 7.5 | 9y ago | Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | |||
| CVE-2016-1000219 | high | 7.5 | 7.5 | 9y ago | Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack session… | |||
| CVE-2016-1000221 | high | 7.5 | 7.5 | 9y ago | Logstash Logs Sensitive Information | |||
| CVE-2016-5391 | high | 7.5 | 7.5 | 9y ago | libreswan before 3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto daemon restart). | |||
| CVE-2016-3704 | high | 7.5 | 7.5 | 9y ago | Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. | |||
| CVE-2016-7833 | high | 7.5 | 7.5 | 9y ago | Cybozu Dezie 8.0.0 to 8.1.1 allows remote attackers to bypass access restrictions to delete an arbitrary DBM (Cybozu Dezie proprietary format) file via unspecified vectors. | |||
| CVE-2016-7814 | high | 7.5 | 7.5 | 9y ago | I-O DATA DEVICE TS-WRLP firmware version 1.00.01 and earlier and TS-WRLA firmware version 1.00.01 and earlier allow remote attackers to obtain authentication credentials via unspecified vectors. | |||
| CVE-2016-7807 | high | 7.5 | 7.5 | 9y ago | I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remote attackers to bypass access restriction to access data on storage devices inserted into the product via unspecified vectors. | |||
| CVE-2016-6594 | high | 7.5 | 7.5 | 9y ago | Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, ProxySG 6.5 and 6.6 allows remote attackers to bypass blocked requests, user authentication, and payload scanning. | |||
| CVE-2016-5416 | high | 7.5 | 7.5 | 9y ago | 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstat… | |||
| CVE-2016-4992 | high | 7.5 | 7.5 | 9y ago | 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstat… | |||
| CVE-2016-3099 | high | 7.5 | 7.5 | 9y ago | mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to force the u… | |||
| CVE-2016-4457 | high | 7.5 | 7.5 | 9y ago | CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. | |||
| CVE-2016-3112 | high | 7.5 | 7.5 | 9y ago | client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer p… | |||
| CVE-2016-3091 | high | 7.5 | 7.5 | 9y ago | Cloud Foundry Diego 0.1468.0 through 0.1470.0 allows remote attackers to cause a denial of service. | |||
| CVE-2016-0768 | high | 7.5 | 7.5 | 9y ago | PostgreSQL PL/Java after 9.0 does not honor access controls on large objects. | |||
| CVE-2016-8231 | high | 7.5 | 7.5 | 9y ago | In Lenovo Service Bridge before version 4, a bug found in the signature verification logic of the code signing certificate could be exploited by an attacker to insert a forged code signing certificat… | |||
| CVE-2016-8230 | high | 7.5 | 7.5 | 9y ago | In Lenovo Service Bridge before version 4, an insecure HTTP connection is used by LSB to send system serial number, machine type and model and product name to Lenovo's servers. | |||
| CVE-2016-3083 | high | 7.5 | 7.5 | 9y ago | org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation | |||
| CVE-2016-5007 | high | 7.5 | 7.5 | 9y ago | Spring Security and Spring Framework may not recognize certain paths that should be protected | |||
| CVE-2016-0780 | high | 7.5 | 7.5 | 9y ago | It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not … | |||
| CVE-2016-8741 | high | 7.5 | 7.5 | 9y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Qpid Broker for Java | |||
| CVE-2016-10331 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. | |||
| CVE-2016-4864 | high | 7.5 | 7.5 | 9y ago | H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redire… | |||
| CVE-2016-10370 | high | 7.5 | 7.5 | 9y ago | An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due t… | |||
| CVE-2016-7476 | high | 7.5 | 7.5 | 9y ago | The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, APM, ASM, GTM, Link Controller, PEM, PSM, and WebSafe 11.6.0 before 11.6.0 HF6, 11.5.0 before 11.5.3 HF2, and 11.3.0 before 11.4.1… | |||
| CVE-2016-9250 | high | 7.5 | 7.5 | 9y ago | In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism. | |||
| CVE-2016-9256 | high | 7.5 | 7.5 | 9y ago | In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are chan… | |||
| CVE-2016-9253 | high | 7.5 | 7.5 | 9y ago | In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile. | |||
| CVE-2016-6799 | high | 7.5 | 7.5 | 9y ago | Information Exposure in cordova-android | |||
| CVE-2016-8209 | high | 7.5 | 7.5 | 9y ago | Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may all… | |||
| CVE-2016-7053 | high | 7.5 | 7.5 | 9y ago | In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.… | |||
| CVE-2016-2930 | high | 7.5 | 7.5 | 9y ago | IBM BigFix Remote Control 9.1.3 could allow a remote attacker to perform actions reserved for an administrator without authentication. IBM X-Force ID: 5512. | |||
| CVE-2016-10367 | high | 7.5 | 7.5 | 9y ago | In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerabilit… | |||
| CVE-2016-9954 | high | 7.5 | 7.5 | 9y ago | The backtrack compilation code in the Irregex package (aka IrRegular Expressions) before 0.9.6 for Scheme allows remote attackers to cause a denial of service (memory consumption) via a crafted regul… | |||
| CVE-2016-5168 | high | 7.5 | 7.5 | 9y ago | Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information. | |||
| CVE-2016-1556 | high | 7.5 | 7.5 | 9y ago | Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0; and WND930 before 2.0.11 allows remote attackers to read the wireless WPS PIN or passphr… | |||
| CVE-2016-10091 | high | 7.5 | 7.5 | 9y ago | Multiple stack-based buffer overflows in unrtf 0.21.9 allow remote attackers to cause a denial-of-service by writing a negative integer to the (1) cmd_expand function, (2) cmd_emboss function, or (3)… | |||
| CVE-2016-0833 | high | 7.5 | 7.5 | 9y ago | Android allows users to cause a denial of service. | |||
| CVE-2016-6337 | high | 7.5 | 7.5 | 9y ago | MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. | |||
| CVE-2016-6335 | high | 7.5 | 7.5 | 9y ago | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information vi… | |||
| CVE-2016-6332 | high | 7.5 | 7.5 | 9y ago | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to ter… | |||
| CVE-2016-6331 | high | 7.5 | 7.5 | 9y ago | ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. | |||
| CVE-2016-5409 | high | 7.5 | 7.5 | 9y ago | Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information … | |||
| CVE-2016-3036 | high | 7.5 | 7.5 | 9y ago | IBM Cognos TM1 10.1 and 10.2 is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing packets. A remote attacker could exploit this vulnerability to cause a denial o… | |||
| CVE-2016-5396 | high | 7.5 | 7.5 | 9y ago | Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | |||
| CVE-2016-7551 | high | 7.5 | 7.5 | 9y ago | chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 and Certified Asterisk 11.6 before 11.6-cert15 and 13.8 before 13.8-cert3 allows remote attackers to cause a denial of service (… | |||
| CVE-2016-6489 | high | 7.5 | 7.5 | 9y ago | The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack. | |||
| CVE-2016-3104 | high | 7.5 | 7.5 | 9y ago | mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representa… | |||
| CVE-2016-8727 | high | 7.5 | 7.5 | 9y ago | An exploitable information disclosure vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point. Retrieving a series of URLs without authentication can reveal … | |||
| CVE-2016-8726 | high | 7.5 | 7.5 | 9y ago | An exploitable null pointer dereference vulnerability exists in the Web Application /forms/web_runScript iw_filename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTT… | |||
| CVE-2016-8723 | high | 7.5 | 7.5 | 9y ago | An exploitable null pointer dereference exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. Any HTTP GET request not preceded by an '/' will caus… | |||
| CVE-2016-10326 | high | 7.5 | 7.5 | 9y ago | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the osip_body_to_str() function defined in osipparser2/osip_body.c, resulting in a remote DoS. | |||
| CVE-2016-10325 | high | 7.5 | 7.5 | 9y ago | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the _osip_message_to_str() function defined in osipparser2/osip_message_to_str.c, resulting in a remote Do… | |||
| CVE-2016-4970 | high | 7.5 | 7.5 | 9y ago | Loop with Unreachable Exit Condition in Netty | |||
| CVE-2016-1132 | high | 7.5 | 7.5 | 9y ago | Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates. | |||
| CVE-2016-4459 | high | 7.5 | 7.5 | 9y ago | Stack-based buffer overflow in native/mod_manager/node.c in mod_cluster 1.2.9. | |||
| CVE-2016-8716 | high | 7.5 | 7.5 | 9y ago | An exploitable Cleartext Transmission of Password vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. The Change Password functiona… | |||
| CVE-2016-7958 | high | 7.5 | 7.5 | 9y ago | In Wireshark 2.2.0, the NCP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/CMakeLists.txt by registering this dissector. | |||
| CVE-2016-7957 | high | 7.5 | 7.5 | 9y ago | In Wireshark 2.2.0, the Bluetooth L2CAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-btl2cap.c by avoiding use of a s… | |||
| CVE-2016-4483 | high | 7.5 | 7.5 | 9y ago | The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute… | |||
| CVE-2016-5041 | high | 7.5 | 7.5 | 9y ago | dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a debugging information entry using DWARF5 and without a DW_AT_name. | |||
| CVE-2016-6879 | high | 7.5 | 7.5 | 9y ago | The X509_Certificate::allowed_usage function in botan 1.11.x before 1.11.31 might allow attackers to have unspecified impact by leveraging a call with more than one Key_Usage set in the enum value. | |||
| CVE-2016-6605 | high | 7.5 | 7.5 | 9y ago | Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to bypass Setry authorization. | |||
| CVE-2016-6534 | high | 7.5 | 7.5 | 9y ago | Opmantek NMIS before 4.3.7c has command injection via man, finger, ping, trace, and nslookup in the tools.pl CGI script. Versions before 8.5.12G might be affected in non-default configurations. | |||
| CVE-2016-5076 | high | 7.5 | 7.5 | 9y ago | CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def. | |||
| CVE-2016-5058 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee replay. | |||
| CVE-2016-5057 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning. | |||
| CVE-2016-5056 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK. | |||
| CVE-2016-5054 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 allows Zigbee replay. | |||
| CVE-2016-5052 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL pinning. | |||
| CVE-2016-5051 | high | 7.5 | 7.5 | 9y ago | OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in cleartext under /private/var/mobile/Containers/Data/Application. | |||
| CVE-2016-9219 | high | 7.5 | 7.5 | 9y ago | A vulnerability with IPv6 UDP ingress packet processing in Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause an unexpected reload of the device. Th… | |||
| CVE-2016-10226 | high | 7.5 | 7.5 | 9y ago | JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (bitfield out-of-bounds read and application crash) via crafted … | |||
| CVE-2016-10222 | high | 7.5 | 7.5 | 9y ago | runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and applicatio… | |||
| CVE-2016-10211 | high | 7.5 | 7.5 | 9y ago | libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted rule that is mishandled in the yr_parser_lookup_loop_variable… |