
CVSS: 7.5 | EPSS: 0% | CPEs: 77 | EXPL: 1

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. A flaw was found in the Jackson Databind package. The issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
• https://github.com/FasterXML/jackson-databind/issues/2816 https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.netapp.com/advisory/ntap-20220506-0004 https://www.debian.org/security/2022/dsa-5283 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2020-36518 https://bugzilla.redhat.com/
• CWE-400: Uncontrolled Resource Consumption; CWE-787: Out-of-bounds Write

CVSS: 8.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
• https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-SPIP-3-2-14.html https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2 https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html https://lists.debian.org/debian-security-announce/2022/msg00060.html

CVSS: 5.3 | EPSS: 0% | CPEs: 5 | EXPL: 0

SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.
• https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-SPIP-3-2-14.html https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2 https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html https://lists.debian.org/debian-security-announce/2022/msg00060.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.6 | EPSS: 0% | CPEs: 63 | EXPL: 0

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
• http://www.openwall.com/lists/oss-security/2022/03/18/2 https://developer.arm.com/support/arm-security-updates https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html https://www.debian.org/security/2022/dsa-5173 https://access.redhat.com/security/cve/CVE-2022-23960 https://bugzilla.redhat.com/show_bug.cgi?id=2062284

CVSS: 7.5 | EPSS: 0% | CPEs: 7 | EXPL: 1

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately, a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations.
• https://github.com/ItzSwirlz/CVE-2022-24713-POC https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8 https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JAN
• CWE-400: Uncontrolled Resource Consumption; CWE-1333: Inefficient Regular Expression Complexity