CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2022-21455 – mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Jul 2022)
https://notcve.org/view.php?id=CVE-2022-21455
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). • https://security.netapp.com/advisory/ntap-20220729-0004 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-21455 https://bugzilla.redhat.com/show_bug.cgi?id=2115282 •
CVSS: 8.1EPSS: 0%CPEs: 23EXPL: 1CVE-2022-27778
https://notcve.org/view.php?id=CVE-2022-27778
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. Una vulnerabilidad en el uso de nombres resueltos incorrectamente, corregida en versión 7.83.1, podía eliminar el archivo equivocado cuando es usado "--no-clobber" junto con "--remove-on-error" • https://hackerone.com/reports/1553598 https://security.netapp.com/advisory/ntap-20220609-0009 https://security.netapp.com/advisory/ntap-20220729-0004 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 10.0EPSS: 12%CPEs: 59EXPL: 5CVE-2022-1292 – The c_rehash script allows command injection
https://notcve.org/view.php?id=CVE-2022-1292
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). • https://github.com/alcaparra/CVE-2022-1292 https://github.com/li8u99/CVE-2022-1292 https://github.com/greek0x0/CVE-2022-1292 https://github.com/rama291041610/CVE-2022-1292 https://github.com/und3sc0n0c1d0/CVE-2022-1292 https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb https://git • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.4EPSS: 0%CPEs: 17EXPL: 1CVE-2021-44533 – nodejs: Incorrect handling of certificate subject and issuer fields
https://notcve.org/view.php?id=CVE-2021-44533
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. Node.js versiones anteriores a 12.22.9, versiones anteriores a 14.18.3, versiones anteriores a 16.13.2, y versiones anteriores a 17.3.1, no manejaba correctamente los Nombres Distinguidos Relativos de varios valores. Los atacantes podrían diseñar sujetos de certificados que contengan un Nombre Distinguido Relativo de un solo valor que sería interpretado como un Nombre Distinguido Relativo de varios valores, por ejemplo, para inyectar un Nombre Común que permitiría omitir la verificación del sujeto del certificado. • https://hackerone.com/reports/1429694 https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases https://security.netapp.com/advisory/ntap-20220325-0007 https://www.debian.org/security/2022/dsa-5170 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-44533 https://bugzilla.redhat.com/show_bug.cgi?id=2040856 • CWE-295: Improper Certificate Validation •
CVSS: 7.4EPSS: 0%CPEs: 16EXPL: 1CVE-2021-44532 – nodejs: Certificate Verification Bypass via String Injection
https://notcve.org/view.php?id=CVE-2021-44532
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. Node.js versiones anteriores a 12.22.9, versiones anteriores a 14.18.3, versiones anteriores a 16.13.2 y versiones anteriores a 17.3.1, convierte los SAN (Subject Alternative Names) a un formato de cadena. usa esta cadena para comprobar los certificados de los compañeros con los nombres de host cuando comprueba las conexiones. • https://hackerone.com/reports/1429694 https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases https://security.netapp.com/advisory/ntap-20220325-0007 https://www.debian.org/security/2022/dsa-5170 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-44532 https://bugzilla.redhat.com/show_bug.cgi?id=2040846 • CWE-295: Improper Certificate Validation CWE-296: Improper Following of a Certificate's Chain of Trust •