debian CVE Vulnerabilities & Metrics

About debian Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with debian. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Critical debian CVEs (CVSS ≥ 9) Over 20 Years

Top 5 Highest CVSS debian CVEs

These are the five CVEs with the highest CVSS scores for debian, sorted by severity first and recency.

• CVE-2022-2068 debian Published on 21 Jun 2022, 15:15 UTC (CVSS: 10.0)
  In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly pas...
• CVE-2022-1292 debian Published on 03 May 2022, 16:15 UTC (CVSS: 10.0)
  The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL reh...
• CVE-2022-24720 debian Published on 01 Mar 2022, 23:15 UTC (CVSS: 10.0)
  image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vul...
• CVE-2022-23221 debian Published on 19 Jan 2022, 17:15 UTC (CVSS: 10.0)
  H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
• CVE-2021-42392 debian Published on 10 Jan 2022, 14:10 UTC (CVSS: 10.0)
  The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.