CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2022-21698 – Uncontrolled Resource Consumption in promhttp
https://notcve.org/view.php?id=CVE-2022-21698
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. client_golang es la biblioteca de instrumentación para aplicaciones Go en Prometheus, y el paquete promhttp en client_golang proporciona herramientas en torno a los servidores y clientes HTTP. En client_golang versiones anteriores a 1.11.1, el servidor HTTP es susceptible de una Denegación de Servicio mediante una cardinalidad no limitada, y un potencial agotamiento de la memoria, cuando es manejado peticiones con métodos HTTP no estándar. • https://github.com/prometheus/client_golang/pull/962 https://github.com/prometheus/client_golang/pull/987 https://github.com/prometheus/client_golang/releases/tag/v1.11.1 https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedor • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.0EPSS: 0%CPEs: 12EXPL: 0CVE-2022-23634 – Information Exposure when using Puma with Rails
https://notcve.org/view.php?id=CVE-2022-23634
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. • https://github.com/advisories/GHSA-rmj8-8hhh-gv5h https://github.com/advisories/GHSA-wh98-p28r-vrc9 https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1 https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-29454 – Sandbox Escape by math function in smarty
https://notcve.org/view.php?id=CVE-2021-29454
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch. Smarty es un motor de plantillas para PHP que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. • https://github.com/smarty-php/smarty/commit/215d81a9fa3cd63d82fb3ab56ecaf97cf1e7db71 https://github.com/smarty-php/smarty/releases/tag/v3.1.42 https://github.com/smarty-php/smarty/releases/tag/v4.0.2 https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ https://lists.fedoraproject.org/archives/l • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21408 – Access to restricted PHP code by dynamic static class access in smarty
https://notcve.org/view.php?id=CVE-2021-21408
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch. Smarty es un motor de plantillas para PHP que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. Antes de las versiones 3.1.43 y 4.0.3, los autores de plantillas podían ejecutar métodos estáticos restringidos de php. • https://github.com/smarty-php/smarty/commit/19ae410bf56007a5ef24441cdc6414619cfaf664 https://github.com/smarty-php/smarty/releases/tag/v3.1.43 https://github.com/smarty-php/smarty/releases/tag/v4.0.3 https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m https://lists.debian.org/debian-lts-announce/2022/05/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7RMKG6WJQQ https://lists.fedoraproject.org/archives/l • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 3CVE-2021-45958
https://notcve.org/view.php?id=CVE-2021-45958
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation. UltraJSON (también conocido como ujson) a través de 5.1.0 tiene un desbordamiento de búfer basado en pila en Buffer_AppendIndentUnchecked (llamado desde encode). La explotación puede, por ejemplo, utilizar una gran cantidad de sangría • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ujson/OSV-2021-955.yaml https://github.com/ultrajson/ultrajson/issues/501 https://github.com/ultrajson/ultrajson/issues/502#issuecomment-1031747284 https://github.com/ultrajson/ultrajson/pull/504 https://lists.debian.org/debian-lts-announce/2022/02/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CN7W3GOXALINKFUUE7ICQIC2EF5HNKUQ& • CWE-787: Out-of-bounds Write •