CVSS: 5.6EPSS: 0%CPEs: 63EXPL: 0CVE-2022-23960 – hw: cpu: arm64: Spectre-BHB
https://notcve.org/view.php?id=CVE-2022-23960
Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. Algunos procesadores Arm Cortex y Neoverse versiones hasta 08-03-2022 no restringen apropiadamente la especulación de la caché, también conocida como Spectre-BHB. Un atacante puede aprovechar el historial de bifurcaciones compartido en el Buffer del Historial de Bifurcaciones (BHB) para influir en las bifurcaciones predichas inapropiadamente. • http://www.openwall.com/lists/oss-security/2022/03/18/2 https://developer.arm.com/support/arm-security-updates https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html https://www.debian.org/security/2022/dsa-5173 https://access.redhat.com/security/cve/CVE-2022-23960 https://bugzilla.redhat.com/show_bug.cgi?id=2062284 •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23035
https://notcve.org/view.php?id=CVE-2022-23035
Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. Un saneo insuficiente de las IRQs de dispositivos pasados. • http://www.openwall.com/lists/oss-security/2022/01/25/4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-395.txt • CWE-459: Incomplete Cleanup •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23034
https://notcve.org/view.php?id=CVE-2022-23034
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. • http://www.openwall.com/lists/oss-security/2022/01/25/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-394.txt • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23033
https://notcve.org/view.php?id=CVE-2022-23033
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. arm: la función guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o más entradas de una tabla de páginas p2m de huésped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de páginas si la entrada no presenta el bit válido establecido. Es posible tener una entrada válida en la tabla de páginas sin el bit válido establecido cuando un sistema operativo huésped usa instrucciones de mantenimiento de caché set/way. Por ejemplo, un huésped que emite una instrucción de mantenimiento de caché set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver páginas de memoria a Xen, podría ser capaz de retener el acceso a esas páginas incluso después de que Xen empezara a reusarlas para otros propósitos • http://www.openwall.com/lists/oss-security/2022/01/25/2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-393.txt • CWE-404: Improper Resource Shutdown or Release •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-4949 – AdSanity < 1.8.2 - Authenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-4949
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible. El plugin AdSanity para WordPress es vulnerable a la subida de archivos arbitrarios debido a la falta de validación del tipo de archivo en la función "ajax_upload" en las versiones hasta la 1.8.1 inclusive. Esto hace posible que atacantes autenticados con privilegios de nivel "Contributor+" carguen archivos arbitrarios en el servidor de los sitios afectados, lo que posibilita la ejecución remota de código. • http://www.openwall.com/lists/oss-security/2023/11/09/3 http://xenbits.xen.org/xsa/advisory-443.html https://blog.nintechnet.com/critical-vulnerability-in-wordpress-adsanity-plugin https://www.wordfence.com/threat-intel/vulnerabilities/id/effd72d2-876d-4f8d-b1e4-5ab38eab401b?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •