Fedora 35

A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.

Published: 2022-11-28T00:00:00.000Z
Updated: 2025-04-14T18:09:26.247Z

A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

Published: 2022-12-08T00:00:00.000Z
Updated: 2025-04-22T20:33:21.916Z

A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.

Published: 2022-12-08T00:00:00.000Z
Updated: 2025-04-22T20:30:06.788Z

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T18:35:51.761Z

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

Published: 2022-11-25T00:00:00.000Z
Updated: 2025-04-29T14:22:36.364Z

The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T19:28:48.118Z

A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in user's browser in context of vulnerable website. This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access potentially sensitive information and modification of web pages.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T19:29:24.937Z

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

Published: 2022-11-23T00:00:00.000Z
Updated: 2025-04-25T19:40:45.380Z

xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.

Published: 2022-11-10T00:00:00.000Z
Updated: 2026-04-08T17:24:10.360Z

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Published: 2022-11-09T00:00:00.000Z
Updated: 2025-11-03T21:46:44.155Z

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T14:28:59.931Z

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

Published: 2022-11-09T00:00:00.000Z
Updated: 2025-05-01T14:30:34.031Z

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-05-02T19:12:26.755Z

An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."

Published: 2022-10-29T00:00:00.000Z
Updated: 2025-05-07T13:57:26.002Z

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Published: 2022-10-24T00:00:00.000Z
Updated: 2025-05-30T19:20:52.533Z

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Published: 2022-11-07T00:00:00.000Z
Updated: 2024-08-03T13:19:05.457Z

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

Published: 2022-11-06T00:00:00.000Z
Updated: 2025-11-03T21:46:36.550Z

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Published: 2022-10-29T00:00:00.000Z
Updated: 2026-02-13T19:48:21.552Z

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

Published: 2022-10-29T00:00:00.000Z
Updated: 2025-05-07T13:59:25.363Z

A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 and iPadOS 16. Processing maliciously crafted web content may disclose sensitive user information.

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-04-21T15:32:51.273Z

A type confusion issue was addressed with improved memory handling. This issue is fixed in tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 and iPadOS 16. Processing maliciously crafted web content may lead to arbitrary code execution.

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-04-21T15:39:06.209Z

The issue was addressed with improved UI handling. This issue is fixed in tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 and iPadOS 16. Visiting a malicious website may lead to user interface spoofing.

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-05T16:34:16.366Z

In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.

Published: 2022-10-13T00:00:00.000Z
Updated: 2024-08-03T13:10:41.460Z

A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.

Published: 2022-10-13T00:00:00.000Z
Updated: 2025-05-15T20:45:39.878Z

A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

Published: 2022-10-13T00:00:00.000Z
Updated: 2025-05-15T20:48:06.121Z

Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-05T15:07:15.730Z

Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.931Z

Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.972Z

Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.898Z

Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.973Z

Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.928Z

Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-11-20T14:37:31.914Z

Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.976Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-05T16:38:32.706Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-05T19:52:32.158Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-05T19:55:24.818Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-06T14:49:50.978Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-06T14:50:30.164Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-06T14:57:46.018Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-06T14:59:37.340Z

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-05-06T15:05:48.860Z

Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.923Z

Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.

Published: 2022-11-01T00:00:00.000Z
Updated: 2024-08-03T13:03:45.940Z

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.

Published: 2022-10-09T00:00:00.000Z
Updated: 2025-06-09T15:04:43.166Z

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.

Published: 2022-10-09T00:00:00.000Z
Updated: 2025-06-09T15:05:41.494Z

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.

Published: 2022-10-09T00:00:00.000Z
Updated: 2025-06-09T15:06:45.678Z

Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.

Published: 2022-10-17T00:00:00.000Z
Updated: 2025-05-13T15:27:49.974Z

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Published: 2022-10-19T21:20:50.106Z
Updated: 2025-05-08T18:11:30.671Z

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Published: 2022-10-19T21:20:24.882Z
Updated: 2025-05-08T18:12:10.565Z

An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

Published: 2022-10-13T00:00:00.000Z
Updated: 2025-05-15T14:26:34.892Z

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Published: 2022-10-06T00:00:00.000Z
Updated: 2024-08-03T12:42:46.654Z

NuGet Client Elevation of Privilege Vulnerability

Published: 2022-10-11T00:00:00.000Z
Updated: 2025-02-28T20:53:42.375Z

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.

Published: 2022-09-18T00:00:00.000Z
Updated: 2024-08-03T12:28:41.522Z

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Published: 2022-09-14T00:00:00.000Z
Updated: 2025-05-30T19:18:52.952Z

cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.

Published: 2022-09-09T20:38:22.000Z
Updated: 2024-08-03T12:14:40.077Z

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

Published: 2022-09-30T16:37:12.000Z
Updated: 2025-05-20T16:39:07.787Z

A limited SQL injection risk was identified in the "browse list of users" site administration page.

Published: 2022-09-30T16:35:15.000Z
Updated: 2025-05-20T16:41:34.571Z

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

Published: 2022-09-30T16:34:00.000Z
Updated: 2025-05-20T18:20:46.944Z

A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

Published: 2022-11-06T00:00:00.000Z
Updated: 2025-05-02T18:42:11.770Z

Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.

Published: 2022-09-23T00:00:00.000Z
Updated: 2025-05-27T14:55:35.830Z

An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.

Published: 2022-11-08T00:00:00.000Z
Updated: 2025-05-02T18:12:20.028Z

A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.

Published: 2022-10-26T00:00:00.000Z
Updated: 2025-04-15T13:24:20.033Z

A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.

Published: 2022-10-21T00:00:00.000Z
Updated: 2024-08-03T01:14:03.216Z

A vulnerability was found in Exim and classified as problematic. This issue affects the function dmarc_dns_lookup of the file dmarc.c of the component DMARC Handler. The manipulation leads to use after free. The attack may be initiated remotely. The name of the patch is 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211919.

Published: 2022-10-20T00:00:00.000Z
Updated: 2025-04-15T13:25:57.357Z

A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.

Published: 2022-10-17T00:00:00.000Z
Updated: 2025-11-03T21:46:26.053Z

A vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.

Published: 2022-10-17T00:00:00.000Z
Updated: 2025-04-15T13:43:04.746Z

A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.

Published: 2022-10-17T00:00:00.000Z
Updated: 2025-04-15T13:43:12.186Z

A vulnerability was found in keylime. This security issue happens in some circumstances, due to some improperly handled exceptions, there exists the possibility that a rogue agent could create errors on the verifier that stopped attestation attempts for that host leaving it in an attested state but not verifying that anymore.

Published: 2022-11-22T00:00:00.000Z
Updated: 2025-04-29T04:27:39.253Z

A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.

Published: 2022-10-08T00:00:00.000Z
Updated: 2025-04-15T13:46:07.987Z

Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Published: 2022-09-29T00:00:00.000Z
Updated: 2025-05-20T20:17:40.967Z

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.

Published: 2022-09-27T00:00:00.000Z
Updated: 2025-11-03T20:34:54.509Z

Use After Free in GitHub repository vim/vim prior to 9.0.0579.

Published: 2022-09-25T00:00:00.000Z
Updated: 2025-05-21T19:40:02.377Z

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.

Published: 2022-09-25T00:00:00.000Z
Updated: 2025-05-22T14:14:10.613Z

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.

Published: 2022-09-23T00:00:00.000Z
Updated: 2025-05-22T18:28:37.480Z

Use After Free in GitHub repository vim/vim prior to 9.0.0530.

Published: 2022-09-22T00:00:00.000Z
Updated: 2025-05-23T20:31:50.981Z

Use After Free in GitHub repository vim/vim prior to 9.0.0490.

Published: 2022-09-18T00:00:00.000Z
Updated: 2024-08-03T01:00:10.715Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Published: 2022-09-17T00:00:00.000Z
Updated: 2024-08-03T01:00:10.976Z

A heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.

Published: 2022-09-19T17:31:48.000Z
Updated: 2024-08-03T01:00:10.859Z

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

Published: 2022-09-26T13:41:46.275Z
Updated: 2025-05-05T16:13:06.842Z

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.

Published: 2022-10-11T00:00:00.000Z
Updated: 2024-08-03T01:00:10.521Z

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.

Published: 2022-09-05T10:10:09.000Z
Updated: 2024-08-03T01:00:10.525Z

Use After Free in GitHub repository vim/vim prior to 9.0.0360.

Published: 2022-09-03T00:00:00.000Z
Updated: 2025-11-03T20:34:51.636Z

By sending specific queries to the resolver, an attacker can cause named to crash.

Published: 2022-09-21T10:15:29.861Z
Updated: 2024-09-17T01:56:40.440Z

Use After Free in GitHub repository vim/vim prior to 9.0.0322.

Published: 2022-08-30T20:35:10.000Z
Updated: 2024-08-03T01:00:10.487Z

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

Published: 2022-08-31T00:00:00.000Z
Updated: 2024-08-03T00:53:00.701Z

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Published: 2022-09-20T00:00:00.000Z
Updated: 2025-11-03T19:27:33.077Z

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Published: 2022-09-20T00:00:00.000Z
Updated: 2025-11-03T19:27:31.661Z

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

Published: 2022-09-20T00:00:00.000Z
Updated: 2025-11-03T19:27:30.250Z

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Published: 2022-09-20T00:00:00.000Z
Updated: 2025-11-03T19:27:28.861Z

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Published: 2022-10-18T00:00:00.000Z
Updated: 2026-05-27T13:11:32.827Z

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

Published: 2022-11-08T00:00:00.000Z
Updated: 2025-11-03T17:31:00.911Z

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.

Published: 2022-11-01T00:00:00.000Z
Updated: 2025-04-23T16:41:58.291Z

Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Published: 2022-11-25T00:00:00.000Z
Updated: 2025-04-23T16:34:56.234Z

FreeRDP is a free remote desktop protocol library and clients. All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected. This issue has been patched in version 2.8.1. If you cannot upgrade do not use the `/video` switch.

Published: 2022-10-12T00:00:00.000Z
Updated: 2025-11-03T20:34:57.300Z

FreeRDP is a free remote desktop protocol library and clients. FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected. Please upgrade to 2.8.1 where this issue is patched. If unable to upgrade, do not use parallel port redirection (`/parallel` command line switch) as a workaround.

Published: 2022-10-12T00:00:00.000Z
Updated: 2025-11-03T20:34:55.910Z

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

Published: 2022-09-28T00:00:00.000Z
Updated: 2025-04-23T16:54:59.321Z

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

Published: 2022-10-19T00:00:00.000Z
Updated: 2024-08-03T12:00:43.573Z

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Published: 2022-10-19T00:00:00.000Z
Updated: 2024-08-03T12:00:43.267Z

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Published: 2022-09-15T00:00:00.000Z
Updated: 2025-04-23T17:10:11.051Z

In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.

Published: 2022-08-27T00:00:00.000Z
Updated: 2024-08-03T11:02:14.577Z

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

Published: 2022-08-30T02:58:33.566Z
Updated: 2024-09-17T03:54:54.096Z

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Published: 2022-09-21T10:15:29.078Z
Updated: 2025-05-28T15:23:06.572Z

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Published: 2022-09-21T10:15:28.292Z
Updated: 2025-05-28T15:23:30.627Z

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

Published: 2022-08-11T00:00:00.000Z
Updated: 2025-10-20T18:03:22.733Z

.NET Core and Visual Studio Denial of Service Vulnerability

Published: 2022-09-13T00:00:00.000Z
Updated: 2026-05-27T13:49:37.761Z

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

Published: 2022-10-21T00:00:00.000Z
Updated: 2025-05-08T15:03:28.946Z

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.

Published: 2022-08-06T17:02:11.000Z
Updated: 2024-08-03T10:29:21.028Z

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Published: 2022-08-05T00:00:00.000Z
Updated: 2025-05-30T19:47:26.322Z

The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: this is different from CVE-2022-27942.

Published: 2022-08-18T00:00:00.000Z
Updated: 2024-08-03T10:21:32.606Z

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.

Published: 2022-08-18T00:00:00.000Z
Updated: 2024-08-03T10:21:32.756Z

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.

Published: 2022-08-18T00:00:00.000Z
Updated: 2024-08-03T10:21:32.468Z

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Published: 2022-09-23T00:00:00.000Z
Updated: 2025-05-27T14:56:43.802Z

Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator will abort the current process, killing all threads. This affects only sync (non-Tokio) implementation. Async version also does not limit memory, but does not use `with_capacity`, so DoS can happen only when bytes for oversized dataframe or message actually got delivered by the attacker. The crashes are fixed in version 0.26.5 by imposing default dataframe size limits. Affected users are advised to update to this version. Users unable to upgrade are advised to filter websocket traffic externally or to only accept trusted traffic.

Published: 2022-08-01T21:35:11.000Z
Updated: 2025-04-23T17:54:31.658Z

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

Published: 2022-07-25T15:33:11.000Z
Updated: 2024-08-03T09:36:44.402Z

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Published: 2022-07-25T15:31:36.000Z
Updated: 2024-08-03T09:36:44.483Z

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Published: 2022-07-25T15:30:22.000Z
Updated: 2024-08-03T09:36:44.408Z

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

Published: 2022-07-25T15:29:06.000Z
Updated: 2024-08-03T09:36:44.416Z

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Published: 2022-07-25T15:27:27.000Z
Updated: 2024-08-03T09:36:44.417Z

Advancecomp v2.3 was discovered to contain a heap buffer overflow via the component __interceptor_memcpy at /sanitizer_common/sanitizer_common_interceptors.inc.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.403Z

Advancecomp v2.3 was discovered to contain a segmentation fault.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.490Z

Advancecomp v2.3 was discovered to contain a segmentation fault.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.556Z

Advancecomp v2.3 was discovered to contain a heap buffer overflow.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.438Z

Advancecomp v2.3 was discovered to contain a heap buffer overflow.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.665Z

Advancecomp v2.3 was discovered to contain a heap buffer overflow via le_uint32_read at /lib/endianrw.h.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.542Z

Advancecomp v2.3 contains a segmentation fault.

Published: 2022-08-29T00:00:00.000Z
Updated: 2024-08-03T09:29:16.568Z

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Published: 2022-07-01T21:05:18.000Z
Updated: 2024-08-03T09:22:10.754Z

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Published: 2022-07-19T00:00:00.000Z
Updated: 2026-05-27T12:51:15.955Z

lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.

Published: 2022-10-11T00:00:00.000Z
Updated: 2024-08-03T08:09:22.688Z

Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.

Published: 2022-10-11T00:00:00.000Z
Updated: 2024-08-03T08:09:22.675Z

P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.

Published: 2022-10-11T00:00:00.000Z
Updated: 2024-08-03T08:09:22.668Z

insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.

Published: 2022-07-26T00:00:00.000Z
Updated: 2024-08-03T08:09:22.681Z

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

Published: 2022-07-05T12:50:39.000Z
Updated: 2024-08-03T08:09:22.683Z

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

Published: 2022-07-05T12:50:33.000Z
Updated: 2024-08-03T08:09:22.659Z

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

Published: 2022-07-05T12:50:30.000Z
Updated: 2024-08-03T08:09:22.628Z

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

Published: 2022-07-01T11:26:38.000Z
Updated: 2024-08-03T08:01:20.153Z

An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Published: 2022-06-22T13:24:42.000Z
Updated: 2024-08-03T08:01:19.054Z

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Published: 2022-08-24T00:00:00.000Z
Updated: 2025-10-21T23:15:36.579Z

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 16, iOS 16, iOS 15.7 and iPadOS 15.7. Processing maliciously crafted web content may lead to arbitrary code execution.

Published: 2022-09-20T00:00:00.000Z
Updated: 2025-05-29T14:14:14.900Z

Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.

Published: 2022-08-24T00:00:00.000Z
Updated: 2025-05-30T16:40:54.704Z

jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.

Published: 2022-06-06T21:55:11.000Z
Updated: 2024-08-03T07:46:43.573Z

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

Published: 2022-06-02T20:51:34.000Z
Updated: 2024-08-03T07:39:50.446Z

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Published: 2022-07-14T00:00:00.000Z
Updated: 2025-04-30T22:24:42.485Z

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Published: 2022-07-14T00:00:00.000Z
Updated: 2025-04-30T22:24:45.103Z

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Published: 2022-07-14T00:00:00.000Z
Updated: 2025-04-30T22:24:44.217Z

# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags: ["select", "style"] %>```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])```All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).

Published: 2022-06-24T00:00:00.000Z
Updated: 2025-11-03T21:46:21.461Z

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Published: 2022-07-07T00:00:00.000Z
Updated: 2025-05-05T16:16:44.842Z

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

Published: 2022-07-07T00:00:00.000Z
Updated: 2025-04-23T18:04:31.119Z

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

Published: 2022-07-07T00:00:00.000Z
Updated: 2025-05-05T16:16:54.022Z

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Published: 2022-07-07T00:00:00.000Z
Updated: 2025-05-05T16:17:03.151Z

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T07:32:56.002Z

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T07:32:55.965Z

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T07:32:55.951Z

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T07:32:55.949Z

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T07:32:55.958Z

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

Published: 2022-06-08T10:00:57.000Z
Updated: 2024-08-03T07:26:01.124Z

Bottle before 0.12.20 mishandles errors during early request binding.

Published: 2022-05-29T21:25:44.000Z
Updated: 2024-08-03T07:26:01.088Z

Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

Published: 2022-08-10T00:00:00.000Z
Updated: 2024-08-03T07:26:01.168Z

Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

Published: 2022-08-10T05:50:40.000Z
Updated: 2024-08-03T07:26:01.104Z

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

Published: 2022-09-28T22:25:10.116Z
Updated: 2025-11-04T17:12:24.069Z

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Published: 2022-09-28T22:25:09.309Z
Updated: 2025-05-20T20:24:57.733Z

A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.

Published: 2022-06-09T00:00:00.000Z
Updated: 2024-08-03T07:11:39.674Z

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

Published: 2022-08-03T00:00:00.000Z
Updated: 2025-11-03T21:46:18.502Z

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Published: 2022-07-20T00:00:00.000Z
Updated: 2025-04-22T17:48:33.457Z

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Published: 2022-07-06T00:00:00.000Z
Updated: 2025-11-03T21:46:17.025Z

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.

Published: 2022-07-05T17:30:13.000Z
Updated: 2025-04-23T18:05:03.670Z

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.

Published: 2022-07-05T17:35:11.000Z
Updated: 2025-04-22T17:52:13.305Z

Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.

Published: 2022-06-28T17:10:11.000Z
Updated: 2025-04-23T18:05:56.038Z

The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.

Published: 2022-06-09T20:00:16.000Z
Updated: 2025-04-23T18:17:26.066Z

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Published: 2022-06-06T00:00:00.000Z
Updated: 2024-08-03T07:03:40.336Z

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.

Published: 2022-05-26T00:00:00.000Z
Updated: 2025-12-02T21:01:18.279Z

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22.

Published: 2022-05-26T00:00:00.000Z
Updated: 2025-12-02T21:00:45.318Z

An integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite.

Published: 2022-05-26T00:00:00.000Z
Updated: 2024-08-03T07:03:38.621Z

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22.

Published: 2022-05-26T00:00:00.000Z
Updated: 2025-12-02T21:00:22.961Z

A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite.

Published: 2022-05-26T00:00:00.000Z
Updated: 2024-08-03T06:56:14.096Z

A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22.

Published: 2022-05-26T00:00:00.000Z
Updated: 2025-12-02T20:59:57.414Z

An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite.

Published: 2022-05-26T00:00:00.000Z
Updated: 2024-08-03T06:56:14.021Z

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

Published: 2022-08-01T14:13:58.392Z
Updated: 2024-09-16T18:29:59.438Z

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.

Published: 2022-08-01T14:13:44.911Z
Updated: 2024-09-16T19:35:09.568Z

Adobe InDesign versions 16.4.2 (and earlier) and 17.3 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2022-09-16T17:20:25.733Z
Updated: 2025-04-23T17:06:49.820Z

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

Published: 2022-05-18T17:19:55.000Z
Updated: 2024-08-03T06:56:12.672Z

A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

Published: 2022-05-18T17:09:01.000Z
Updated: 2024-08-03T06:56:12.939Z

A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

Published: 2022-05-18T17:06:36.000Z
Updated: 2024-08-03T06:56:12.967Z

A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.

Published: 2022-05-18T17:02:35.000Z
Updated: 2024-08-03T06:56:13.022Z

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.

Published: 2022-05-18T16:59:52.000Z
Updated: 2024-08-03T06:56:12.964Z

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

Published: 2022-06-08T10:00:55.000Z
Updated: 2024-08-03T06:48:36.447Z

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

Published: 2022-06-08T10:00:54.000Z
Updated: 2024-08-03T06:48:36.355Z

Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.

Published: 2022-05-04T22:53:14.000Z
Updated: 2024-08-03T06:48:36.316Z

.NET and Visual Studio Information Disclosure Vulnerability

Published: 2022-06-15T21:52:20.000Z
Updated: 2025-02-28T19:57:01.224Z

Use After Free in GitHub repository vim/vim prior to 9.0.0246.

Published: 2022-08-23T00:00:00.000Z
Updated: 2024-08-03T00:53:00.389Z

A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.

Published: 2022-08-23T00:00:00.000Z
Updated: 2024-08-03T00:53:00.381Z

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

Published: 2022-10-07T04:45:12.836Z
Updated: 2024-09-16T18:28:37.665Z

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Published: 2022-10-07T04:45:11.751Z
Updated: 2024-09-17T00:21:40.167Z

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.

Published: 2022-08-22T00:00:00.000Z
Updated: 2024-08-03T00:53:00.468Z

Use After Free in GitHub repository vim/vim prior to 9.0.0225.

Published: 2022-08-19T00:00:00.000Z
Updated: 2024-08-03T00:52:59.666Z

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.

Published: 2022-08-17T00:00:00.000Z
Updated: 2024-08-03T00:52:59.054Z

libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

Published: 2022-08-17T00:00:00.000Z
Updated: 2024-08-03T00:52:59.323Z

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

Published: 2022-08-17T00:00:00.000Z
Updated: 2024-08-03T00:52:59.602Z

A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

Published: 2022-10-14T00:00:00.000Z
Updated: 2025-11-03T20:34:50.179Z

Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.

Published: 2022-08-17T00:00:00.000Z
Updated: 2024-08-03T00:52:58.914Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.

Published: 2022-08-15T00:00:00.000Z
Updated: 2024-08-03T00:52:59.508Z

Use After Free in GitHub repository vim/vim prior to 9.0.0213.

Published: 2022-08-15T00:00:00.000Z
Updated: 2024-08-03T00:52:58.962Z

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.

Published: 2022-08-15T00:00:00.000Z
Updated: 2024-08-03T00:52:58.831Z

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

Published: 2022-09-21T10:15:25.796Z
Updated: 2024-11-29T12:04:33.614Z

The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster.

Published: 2022-07-28T00:00:00.000Z
Updated: 2024-08-03T00:39:08.049Z

A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.

Published: 2022-08-01T14:01:10.000Z
Updated: 2025-12-02T20:44:07.901Z

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING

Published: 2022-07-19T00:00:00.000Z
Updated: 2024-08-03T00:39:07.680Z

Use After Free in GitHub repository vim/vim prior to 9.0.0046.

Published: 2022-07-08T00:00:00.000Z
Updated: 2024-08-03T00:32:09.701Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.

Published: 2022-07-08T00:00:00.000Z
Updated: 2024-08-03T00:32:09.510Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.

Published: 2022-07-08T00:00:00.000Z
Updated: 2024-08-03T00:32:09.611Z

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-05T00:00:00.000Z
Updated: 2025-11-03T20:34:45.959Z

Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions.

Published: 2022-07-28T01:01:01.000Z
Updated: 2024-08-03T00:32:09.607Z

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Published: 2022-07-28T01:00:50.000Z
Updated: 2024-08-03T00:32:09.605Z

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Published: 2022-07-28T00:00:00.000Z
Updated: 2025-10-21T23:15:37.301Z

Use After Free in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-03T00:00:00.000Z
Updated: 2024-08-03T00:32:09.390Z

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-03T00:00:00.000Z
Updated: 2024-08-03T00:32:09.377Z

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T00:32:09.365Z

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T00:32:09.551Z

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T00:32:09.379Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-02T00:00:00.000Z
Updated: 2024-08-03T00:32:09.615Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Published: 2022-07-01T00:00:00.000Z
Updated: 2024-08-03T00:32:09.533Z

Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Published: 2022-06-30T00:00:00.000Z
Updated: 2024-08-03T00:32:09.557Z

NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-28T00:00:00.000Z
Updated: 2024-08-03T00:32:09.511Z

Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-27T00:00:00.000Z
Updated: 2024-08-03T00:32:08.749Z

NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.

Published: 2022-06-27T00:00:00.000Z
Updated: 2024-08-03T00:32:08.726Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-27T00:00:00.000Z
Updated: 2024-08-03T00:32:08.718Z

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-26T00:00:00.000Z
Updated: 2024-08-03T00:32:08.643Z

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-23T00:00:00.000Z
Updated: 2024-08-03T00:32:08.693Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-23T00:00:00.000Z
Updated: 2024-08-03T00:32:08.598Z

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-23T00:00:00.000Z
Updated: 2024-08-03T00:32:09.074Z

Insufficient data validation in URL formatting in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

Published: 2022-07-28T00:41:15.000Z
Updated: 2024-08-03T00:32:07.964Z

Inappropriate implementation in Extensions API in Google Chrome prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted HTML page.

Published: 2022-07-28T00:41:01.000Z
Updated: 2024-08-03T00:32:07.993Z

Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction.

Published: 2022-07-28T01:00:25.000Z
Updated: 2024-08-03T00:32:08.018Z

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

Published: 2022-07-28T00:40:48.000Z
Updated: 2024-08-03T00:32:07.995Z

Use after free in WebApp Provider in Google Chrome prior to 103.0.5060.53 allowed a remote attacker who convinced the user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.

Published: 2022-07-28T00:40:43.000Z
Updated: 2024-08-03T00:32:07.946Z

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from a user's local files via a crafted HTML page.

Published: 2022-07-28T00:40:37.000Z
Updated: 2026-06-02T13:44:56.368Z

Type confusion in V8 in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Published: 2022-07-28T00:40:31.000Z
Updated: 2024-08-03T00:32:07.973Z

Use after free in Interest groups in Google Chrome prior to 103.0.5060.53 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Published: 2022-07-28T00:40:26.000Z
Updated: 2024-08-03T00:32:08.541Z

Use after free in Core in Google Chrome prior to 103.0.5060.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Published: 2022-07-28T00:40:20.000Z
Updated: 2024-08-03T00:32:07.960Z

Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-19T00:00:00.000Z
Updated: 2025-11-03T20:34:44.448Z

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-19T00:00:00.000Z
Updated: 2024-08-03T00:24:44.233Z

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-19T00:00:00.000Z
Updated: 2024-08-03T00:24:44.280Z

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-19T00:00:00.000Z
Updated: 2024-08-03T00:24:44.258Z

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Published: 2022-07-05T10:30:13.658Z
Updated: 2024-09-17T01:06:49.390Z

A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.

Published: 2022-06-16T00:00:00.000Z
Updated: 2025-02-13T16:28:52.337Z

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Published: 2022-06-21T14:45:20.597Z
Updated: 2025-12-30T04:55:27.130Z

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Published: 2022-06-30T00:00:00.000Z
Updated: 2024-08-03T00:24:44.171Z

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Published: 2022-06-30T00:00:00.000Z
Updated: 2024-08-03T00:24:44.313Z

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Published: 2022-06-30T00:00:00.000Z
Updated: 2024-08-03T00:24:44.219Z

Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Published: 2022-06-07T00:00:00.000Z
Updated: 2025-11-03T20:34:41.619Z

An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.

Published: 2022-05-02T04:00:27.000Z
Updated: 2024-08-03T06:40:46.290Z

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

Published: 2022-07-12T00:00:00.000Z
Updated: 2024-08-03T06:33:43.000Z

Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

Published: 2022-07-12T15:50:10.585Z
Updated: 2024-11-20T16:13:31.449Z

cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.

Published: 2022-04-28T00:00:00.000Z
Updated: 2024-08-03T06:33:42.941Z

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Published: 2022-05-03T00:00:00.000Z
Updated: 2024-08-03T06:33:42.645Z

In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.

Published: 2022-04-20T22:37:09.000Z
Updated: 2024-08-03T06:26:06.251Z

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Published: 2022-06-22T13:15:32.000Z
Updated: 2024-08-03T06:26:06.342Z

SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges.

Published: 2022-05-05T16:13:50.000Z
Updated: 2024-08-03T06:26:05.875Z

SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges and code execution.

Published: 2022-05-05T16:13:56.000Z
Updated: 2024-08-03T06:26:05.998Z

SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Information Disclosure.

Published: 2022-05-05T16:14:04.000Z
Updated: 2024-08-03T06:26:05.935Z

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

Published: 2022-06-08T10:00:52.000Z
Updated: 2024-08-03T06:17:55.325Z

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Published: 2022-05-24T14:10:10.000Z
Updated: 2025-04-23T18:22:46.326Z

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Published: 2022-07-12T00:00:00.000Z
Updated: 2024-08-03T06:17:54.233Z

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

Published: 2022-05-17T00:00:00.000Z
Updated: 2025-04-23T18:25:42.249Z

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

Published: 2022-08-02T14:22:52.000Z
Updated: 2024-08-03T06:10:59.386Z

.NET and Visual Studio Denial of Service Vulnerability

Published: 2022-05-10T20:34:56.000Z
Updated: 2026-05-27T13:50:41.008Z

.NET and Visual Studio Denial of Service Vulnerability

Published: 2022-05-10T20:34:23.000Z
Updated: 2026-05-27T13:51:43.788Z

HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename.

Published: 2022-05-12T15:43:08.000Z
Updated: 2024-08-03T06:10:57.542Z

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Published: 2022-04-08T00:00:00.000Z
Updated: 2024-08-03T06:03:53.085Z

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

Published: 2022-04-08T04:11:51.000Z
Updated: 2024-08-03T06:03:52.967Z

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

Published: 2022-06-08T10:00:51.000Z
Updated: 2025-12-18T15:26:47.398Z

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Published: 2022-06-08T10:00:48.000Z
Updated: 2024-08-03T05:56:16.107Z

There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.

Published: 2022-04-25T12:53:01.000Z
Updated: 2024-08-03T05:56:15.548Z

Tcpreplay version 4.4.1 contains a memory leakage flaw in fix_ipv6_checksums() function. The highest threat from this vulnerability is to data confidentiality.

Published: 2022-05-04T00:00:00.000Z
Updated: 2024-08-03T05:56:15.122Z

ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.

Published: 2022-04-03T20:07:21.000Z
Updated: 2024-08-03T05:56:15.238Z

mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.

Published: 2022-04-03T20:07:30.000Z
Updated: 2024-08-03T05:56:15.265Z

usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.

Published: 2022-04-03T20:07:39.000Z
Updated: 2025-05-05T16:21:52.141Z

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

Published: 2022-04-20T00:00:00.000Z
Updated: 2024-08-03T05:48:38.092Z

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Published: 2022-08-09T00:00:00.000Z
Updated: 2024-08-03T05:48:36.830Z

Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

Published: 2022-08-10T00:00:00.000Z
Updated: 2024-08-03T05:48:36.561Z

STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.

Published: 2022-04-15T13:06:36.000Z
Updated: 2024-08-03T05:41:11.181Z

stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode.

Published: 2022-04-15T00:00:00.000Z
Updated: 2024-08-03T05:41:11.387Z

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Published: 2022-04-15T00:00:00.000Z
Updated: 2024-08-03T05:41:11.417Z

tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.

Published: 2022-03-26T00:00:00.000Z
Updated: 2024-08-03T05:41:11.166Z

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c.

Published: 2022-03-26T00:00:00.000Z
Updated: 2024-08-03T05:41:11.341Z

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c.

Published: 2022-03-26T00:00:00.000Z
Updated: 2024-08-03T05:41:10.935Z

tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c.

Published: 2022-03-26T00:00:00.000Z
Updated: 2024-08-03T05:41:10.913Z

libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0.

Published: 2022-03-25T20:00:38.000Z
Updated: 2024-08-03T05:41:10.779Z

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

Published: 2022-03-23T05:07:01.000Z
Updated: 2024-08-03T05:32:59.797Z

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Published: 2022-04-18T16:20:29.000Z
Updated: 2024-08-03T05:32:59.921Z

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.

Published: 2022-04-04T19:45:44.000Z
Updated: 2024-08-03T05:32:59.789Z

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Published: 2022-04-04T19:45:43.000Z
Updated: 2024-08-03T05:32:59.900Z

SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.

Published: 2022-05-04T02:34:44.000Z
Updated: 2024-08-03T05:25:32.705Z