CVE-2022-2255
https://notcve.org/view.php?id=CVE-2022-2255
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing. Se encontró una vulnerabilidad en mod_wsgi. El encabezado X-Client-IP no es eliminado de una solicitud procedente de un proxy no confiable, lo que permite a un atacante pasar la cabecera X-Client-IP a la aplicación WSGI de destino porque falta la condición para eliminarla. • https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941 https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082 https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html • CWE-345: Insufficient Verification of Data Authenticity CWE-348: Use of Less Trusted Source •
CVE-2022-37434 – zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
https://notcve.org/view.php?id=CVE-2022-37434
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). zlib versiones hasta 1.2.12, presenta una lectura excesiva de búfer en la región heap de la memoria o desbordamiento de búfer en el archivo inflate.c por medio de un campo extra del encabezado gzip. NOTA: sólo están afectadas las aplicaciones que llaman a inflateGetHeader. Algunas aplicaciones comunes agrupan el código fuente de zlib afectado pero pueden ser incapaces de llamar a inflateGetHeader (por ejemplo, véase la referencia nodejs/node) A security vulnerability was found in zlib. • http://seclists.org/fulldisclosure/2022/Oct/37 http://seclists.org/fulldisclosure/2022/Oct/38 http://seclists.org/fulldisclosure/2022/Oct/41 http://seclists.org/fulldisclosure/2022/Oct/42 http://www.openwall.com/lists/oss-security/2022/08/05/2 http://www.openwall.com/lists/oss-security/2022/08/09/1 https://github.com/curl/curl/issues/9271 https://github.com/ivd38/zlib_overflow https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2022-31197 – SQL Injection in ResultSet.refreshRow() with malicious column names in pgjdbc
https://notcve.org/view.php?id=CVE-2022-31197
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. • https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2 https://lists.debian.org/debian-lts-announce/2022/10/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6WHUADTZBBQLVHO4YG4XCWDGWBT4LRP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTFE6SV33P5YYU2GNTQZQKQRVR3GYE4S https://access.redhat.com/security/cve/CVE-2022-31197 https://b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-32292 – ConnMan received_data Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-32292
In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code. En ConnMan versiones hasta 1.41, los atacantes remotos capaces de enviar peticiones HTTP al componente gweb pueden explotar un desbordamiento de búfer en la región heap de la memoria en la función received_data para ejecutar código This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installation of ConnMan. Authentication is not required to exploit this vulnerability. The specific flaw exists within the received_data method. Crafted data in a HTTP response can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the ConnMan process. This vulnerability was demonstrated on a Tesla Model 3 during Pwn2Own 2022 Vancouver competition. • https://bugzilla.suse.com/show_bug.cgi?id=1200189 https://lore.kernel.org/connman/20220801080043.4861-5-wagi%40monom.org https://security.gentoo.org/glsa/202310-21 https://www.debian.org/security/2022/dsa-5231 • CWE-787: Out-of-bounds Write •
CVE-2022-32293 – ConnMan wispr_portal_web_result wp_object Double Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-32293
In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution. En ConnMan versiones hasta 1.41, un ataque de tipo "man-in-the-middle" contra una consulta HTTP WISPR podría ser usado para desencadenar un uso de memoria previamente liberada en el manejo de WISPR, conllevando a bloqueos o ejecución de código This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ConnMan. Authentication is not required to exploit this vulnerability. The specific flaw exists within the wispr_portal_web_result method. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. An attacker can leverage this vulnerability to execute code in the context of the ConnMan process. This vulnerability was demonstrated on a Tesla Model 3 during Pwn2Own 2022 Vancouver competition. • https://bugzilla.suse.com/show_bug.cgi?id=1200190 https://lore.kernel.org/connman/20220801080043.4861-1-wagi%40monom.org https://lore.kernel.org/connman/20220801080043.4861-3-wagi%40monom.org https://security.gentoo.org/glsa/202310-21 https://www.debian.org/security/2022/dsa-5231 • CWE-416: Use After Free •