CVE-2021-31572
https://notcve.org/view.php?id=CVE-2021-31572
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in stream_buffer.c for a stream buffer. • https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/d05b9c123f2bf9090bce386a244fc934ae44db5b • CWE-190: Integer Overflow or Wraparound
CVE-2021-31571
https://notcve.org/view.php?id=CVE-2021-31571
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has an integer overflow in queue.c for queue creation. • https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/47338393f1f79558f6144213409f09f81d7c4837 • CWE-190: Integer Overflow or Wraparound
CVE-2020-28472 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2020-28472
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. • https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425 https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304
CVE-2020-8897 – Robustness weakness in AWS KMS and Encryption SDKs
https://notcve.org/view.php?id=CVE-2020-8897
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and JavaScript prior to version 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique ciphertext which will decrypt to multiple different results; this becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later. • https://aws.amazon.com/blogs/security/improved-client-side-encryption-explicit-keyids-and-key-commitment https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf • CWE-310: Cryptographic Issues • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVE-2020-27174
https://notcve.org/view.php?id=CVE-2020-27174
In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host. • http://www.openwall.com/lists/oss-security/2020/10/23/1 https://github.com/firecracker-microvm/firecracker/issues/2177 https://github.com/firecracker-microvm/firecracker/pull/2178 https://github.com/firecracker-microvm/firecracker/pull/2179 • CWE-401: Missing Release of Memory after Effective Lifetime