CVE-2022-0530
https://notcve.org/view.php?id=CVE-2022-0530
A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string, which leads to a heap out-of-bounds write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://bugzilla.redhat.com/show_bug.cgi?id=2051395
• https://github.com/ByteHackr/unzip_poc
• https://lists.debian.org/debian-lts-announce/2022/09/msg00028.html
• https://security.gentoo.org/glsa/202310-17
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.
CVE-2022-21986 – .NET Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2022-21986
.NET Denial of Service Vulnerability. A vulnerability was found in dotnet’s ASP.NET Core Kestrel when pooling HTTP/2 and HTTP/3 headers. This flaw allows a remote, unauthenticated attacker to cause a denial of service.
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21986
• https://access.redhat.com/security/cve/CVE-2022-21986
• https://bugzilla.redhat.com/show_bug.cgi?id=2051490
• CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2022-0391 – python: urllib.parse does not sanitize URLs containing ASCII newline and tabs
https://notcve.org/view.php?id=CVE-2022-0391
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
• https://bugs.python.org/issue43882
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U
• https://security.gentoo.org/glsa/202305-02
• https://security.netapp.com/advisory/ntap-20220225-0009
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://access.
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-0522 – Access of Memory Location Before Start of Buffer in radareorg/radare2
https://notcve.org/view.php?id=CVE-2022-0522
Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2. Access of Memory Location Before Start of Buffer in the GitHub repository radareorg/radare2, versions prior to 5.6.2.
• https://github.com/radareorg/radare2/commit/d17a7bdf166108a29a27cd89bf454f9fa6c050d6
• https://huntr.dev/bounties/2d45e589-d614-4875-bba1-be0f729e7ca9
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZTIMAS53YT66FUS4QHQAFRJOBMUFG6D
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-786: Access of Memory Location Before Start of Buffer
CVE-2022-21713 – Exposure of Sensitive Information in Grafana
https://notcve.org/view.php?id=CVE-2022-21713
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID. `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including teams that the user does not have access to. With `/teams/:teamId/members`, when the editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
• https://github.com/grafana/grafana/pull/45083
• https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv
• https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
• https://lists.fedoraproject.org/archives/list
• CWE-425: Direct Request ('Forced Browsing')
• CWE-639: Authorization Bypass Through User-Controlled Key
• CWE-863: Incorrect Authorization