CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-45693 – jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
https://notcve.org/view.php?id=CVE-2022-45693
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. Se descubrió que Jettison anterior a v1.5.2 contenía un desbordamiento de pila a través del parámetro map. Esta vulnerabilidad permite a los atacantes provocar una Denegación de Servicio (DoS) a través de una cadena manipulada. A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. • https://github.com/jettison-json/jettison/issues/52 https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html https://www.debian.org/security/2023/dsa-5312 https://access.redhat.com/security/cve/CVE-2022-45693 https://bugzilla.redhat.com/show_bug.cgi?id=2155970 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41915
https://notcve.org/view.php?id=CVE-2022-41915
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values. • https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 https://github.com/netty/netty/issues/13084 https://github.com/netty/netty/pull/12760 https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html https://security.netapp.com/advisory/ntap-20230113-0004 https://www.debian.org/security/2023/dsa-5316 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-436: Interpretation Conflict •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-45685 – jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data
https://notcve.org/view.php?id=CVE-2022-45685
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. Un desbordamiento de pila en Jettison anterior a v1.5.2 permite a los atacantes provocar una Denegación de Servicio (DoS) a través de datos JSON manipulados. A flaw was found in Jettison. Sending a specially crafted string can cause a stack-based buffer overflow. This issue may allow a remote attacker to cause a denial of service. • https://github.com/jettison-json/jettison/issues/54 https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html https://www.debian.org/security/2023/dsa-5312 https://access.redhat.com/security/cve/CVE-2022-45685 https://bugzilla.redhat.com/show_bug.cgi?id=2214825 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41881 – codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
https://notcve.org/view.php?id=CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. El proyecto Netty es un framework de aplicación de red asíncrona impulsado por eventos. • https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html https://security.netapp.com/advisory/ntap-20230113-0004 https://www.debian.org/security/2023/dsa-5316 https://access.redhat.com/security/cve/CVE-2022-41881 https://bugzilla.redhat.com/show_bug.cgi?id=2153379 • CWE-674: Uncontrolled Recursion •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23477 – Buffer Overflow in xrdp
https://notcve.org/view.php?id=CVE-2022-23477
xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade. xrdp es un proyecto de código abierto que proporciona un inicio de sesión gráfico para máquinas remotas utilizando Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contiene un flujo del búfer desbordado en la función auditin_send_open(). No se conocen workarounds para este problema. Se recomienda a los usuarios que actualicen. • https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2 https://www.debian.org/security/2023/dsa-5502 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •