CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2712
https://notcve.org/view.php?id=CVE-2022-2712
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code. En las versiones 5.1.0 a 6.2.5 de Eclipse GlassFish, existe una vulnerabilidad en relative path traversal porque no filtra la ruta de solicitud que comienza con './'. Una explotación exitosa podría permitir que un atacante remoto no autenticado acceda a datos críticos, como archivos de configuración y código fuente de aplicaciones implementadas. • https://bugs.eclipse.org/580502 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-36022 – Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples
https://notcve.org/view.php?id=CVE-2022-36022
Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. • https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w https://github.com/mmihaltz/word2vec-GoogleNews-vectors • CWE-330: Use of Insufficiently Random Values CWE-344: Use of Invariant Value in Dynamically Changing Context •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39368 – Californium Failing DTLS handshakes causes Data Loss due to throttling blocking processing of records
https://notcve.org/view.php?id=CVE-2022-39368
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't cleanup counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. • https://github.com/eclipse-californium/californium/commit/5648a0c27c2c2667c98419254557a14bac2b1f3f https://github.com/eclipse-californium/californium/commit/726bac57659410da463dcf404b3e79a7312ac0b9 https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjg https://access.redhat.com/security/cve/CVE-2022-39368 https://bugzilla.redhat.com/show_bug.cgi?id=2145205 • CWE-404: Improper Resource Shutdown or Release CWE-459: Incomplete Cleanup •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3676
https://notcve.org/view.php?id=CVE-2022-3676
In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type. En Eclipse Openj9 versiones anteriores a 0.35.0, las llamadas a interfaces pueden ser inlineadas sin una comprobación de tipo en tiempo de ejecución. El código de bytes malicioso podría hacer uso de este inlining para acceder o modificar la memoria por medio de un tipo no compatible • https://github.com/eclipse-openj9/openj9/pull/16122 https://github.com/eclipse/omr/pull/6773 https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/389 • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25897 – Denial of Service (DoS)
https://notcve.org/view.php?id=CVE-2022-25897
The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. El paquete org.eclipse.milo:sdk-server versiones anteriores a 0.6.8, es vulnerable a una Denegación de Servicio (DoS) al omitir las limitaciones por consumo excesivo de memoria mediante el envío de varias peticiones CloseSession con el parámetro deleteSubscription igual a False A flaw was found in the Eclipse Milo SDK Server. This flaw allows an attacker to consume the application memory, leading to a denial of service by sending specific requests. • https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5 https://github.com/eclipse/milo/issues/1030 https://github.com/eclipse/milo/pull/1031 https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191 https://access.redhat.com/security/cve/CVE-2022-25897 https://bugzilla.redhat.com/show_bug.cgi?id=2136188 • CWE-770: Allocation of Resources Without Limits or Throttling •