CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2022-36033 – jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled
https://notcve.org/view.php?id=CVE-2022-36033
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. • https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3 https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369 https://jsoup.org/news/release-1.15.3 https://security.netapp.com/advisory/ntap-20221104-0006 https://access.redhat.com/security/cve/CVE-2022-36033 https://bugzilla.redhat.com/show_bug.cgi?id=2127078 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 4.0EPSS: 0%CPEs: 10EXPL: 0CVE-2022-2047 – jetty-http: improver hostname input handling
https://notcve.org/view.php?id=CVE-2022-2047
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. En Eclipse Jetty versiones 9.4.0 hasta 9.4.46, y 10.0.0 hasta 10.0.9, y 11.0.0 hasta 11.0.9, el análisis sintáctico del segmento de autoridad de un URI de esquema http, la clase Jetty HttpURI detecta inapropiadamente una entrada no válida como nombre de host. Esto puede conllevar a fallos en un escenario Proxy A flaw was found in Eclipse Jetty. When parsing the authority segment of an HTTP scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. • https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html https://security.netapp.com/advisory/ntap-20220901-0006 https://www.debian.org/security/2022/dsa-5198 https://access.redhat.com/security/cve/CVE-2022-2047 https://bugzilla.redhat.com/show_bug.cgi?id=2116949 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-2048 – http2-server: Invalid HTTP/2 requests cause DoS
https://notcve.org/view.php?id=CVE-2022-2048
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. En la implementación del servidor Eclipse Jetty HTTP/2, cuando es encontrada una petición HTTP/2 no válida, el manejo de errores presenta un error que puede terminar por no limpiar apropiadamente las conexiones activas y los recursos asociados. Esto puede conllevar a un escenario de denegación de servicio en el que no queden recursos suficientes para procesar las peticiones buenas A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests. • http://www.openwall.com/lists/oss-security/2022/09/09/2 https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html https://security.netapp.com/advisory/ntap-20220901-0006 https://www.debian.org/security/2022/dsa-5198 https://access.redhat.com/security/cve/CVE-2022-2048 https://bugzilla.redhat.com/show_bug.cgi?id=2116952 • CWE-410: Insufficient Resource Pool CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 1CVE-2022-24736 – A Malformed Lua script can crash Redis
https://notcve.org/view.php?id=CVE-2022-24736
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. Redis es una base de datos en memoria que persiste en el disco. • https://github.com/redis/redis/pull/10651 https://github.com/redis/redis/releases/tag/6.2.7 https://github.com/redis/redis/releases/tag/7.0.0 https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4ZK3675DGHVVDOFLJN7WX6YYH27GPMK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPYKSG7LKUJGVM2P72EHXKVRVRWHLORX https://lists.fedoraproject.org/archives/list/ • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 1CVE-2022-24735 – Lua scripts can be manipulated to overcome ACL rules in Redis
https://notcve.org/view.php?id=CVE-2022-24735
Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. • https://github.com/redis/redis/pull/10651 https://github.com/redis/redis/releases/tag/6.2.7 https://github.com/redis/redis/releases/tag/7.0.0 https://github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4ZK3675DGHVVDOFLJN7WX6YYH27GPMK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPYKSG7LKUJGVM2P72EHXKVRVRWHLORX https://lists.fedoraproject.org/archives/list/ • CWE-94: Improper Control of Generation of Code ('Code Injection') •