CVE-2022-0001 – hw: cpu: intel: Branch History Injection (BHI)
https://notcve.org/view.php?id=CVE-2022-0001
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. La compartición no transparente de selectores de predicción de rama entre contextos en algunos procesadores Intel(R) puede permitir que un usuario autorizado permita potencialmente una divulgación de información por medio del acceso local A flaw was found in hw. The Branch History Injection (BHI) describes a specific form of intra-mode BTI. This flaw allows an unprivileged attacker to manipulate the branch history before transitioning to supervisor or VMX root mode. This issue is an effort to cause an indirect branch predictor to select a specific predictor entry for an indirect branch, and a disclosure gadget at the predicted target will transiently execute. • http://www.openwall.com/lists/oss-security/2022/03/18/2 https://security.netapp.com/advisory/ntap-20220818-0004 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html https://www.kb.cert.org/vuls/id/155143 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-0001 https://bugzilla.redhat.com/show_bug.cgi?id=2061712 •
CVE-2022-0002 – hw: cpu: intel: Intra-Mode BTI
https://notcve.org/view.php?id=CVE-2022-0002
Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. La compartición no transparente de selectores de predicción de rama dentro de un contexto en algunos procesadores Intel(R) puede permitir que un usuario autorizado permita potencialmente una divulgación de información por medio del acceso local A flaw was found in hw. The Intra-mode BTI refers to a variant of Branch Target Injection aka SpectreV2 (BTI) where an indirect branch speculates to an aliased predictor entry for a different indirect branch in the same predictor mode, and a disclosure gadget at the predicted target transiently executes. These predictor entries may contain targets corresponding to the targets of an indirect near jump, indirect near call, and near return instructions, even if these branches were only transiently executed. The managed runtimes provide an attacker with the means to create the aliasing required for intra-mode BTI attacks. • http://www.openwall.com/lists/oss-security/2022/03/18/2 https://security.netapp.com/advisory/ntap-20220818-0004 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-0002 https://bugzilla.redhat.com/show_bug.cgi?id=2061721 •
CVE-2022-22946
https://notcve.org/view.php?id=CVE-2022-22946
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates. En spring cloud gateway versiones anteriores a 3.1.1+ , las aplicaciones que son configuradas para habilitar HTTP2 y no es establecido un almacén de claves o certificados confiables son configurados para usar un TrustManager no seguro. Esto hace que la pasarela pueda conectarse a servicios remotos con certificados no válidos o personalizados • https://tanzu.vmware.com/security/cve-2022-22946 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-295: Improper Certificate Validation •
CVE-2022-22947 – VMware Spring Cloud Gateway Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-22947
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. En spring cloud gateway versiones anteriores a 3.1.1+ y a 3.0.7+ , las aplicaciones son vulnerables a un ataque de inyección de código cuando el endpoint del Actuador de la Puerta de Enlace está habilitado, expuesto y sin seguridad. Un atacante remoto podría realizar una petición maliciosamente diseñada que podría permitir una ejecución remota arbitraria en el host remoto Spring Cloud Gateway version 3.1.0 suffers from a remote code execution vulnerability. Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. • https://www.exploit-db.com/exploits/50799 https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947 https://github.com/0x7eTeam/CVE-2022-22947 https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway https://github.com/crowsec-edtech/CVE-2022-22947 https://github.com/0730Nophone/CVE-2022-22947- https://github.com/Wrin9/CVE-2022-22947 https://github.com/M0ge/CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE https://github.com/nanaao/CVE-2022-22947-POC https:// • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVE-2022-23308 – libxml2: Use-after-free of ID and IDREF attributes
https://notcve.org/view.php?id=CVE-2022-23308
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. El archivo valid.c en libxml2 versiones anteriores a 2.9.13, presenta un uso de memoria previamente liberada de los atributos ID e IDREF. A flaw was found in libxml2. A call to the xmlGetID function can return a pointer already freed when parsing an XML document with the XML_PARSE_DTDVALID option and without the XML_PARSE_NOENT option, resulting in a use-after-free issue. • http://seclists.org/fulldisclosure/2022/May/33 http://seclists.org/fulldisclosure/2022/May/34 http://seclists.org/fulldisclosure/2022/May/35 http://seclists.org/fulldisclosure/2022/May/36 http://seclists.org/fulldisclosure/2022/May/37 http://seclists.org/fulldisclosure/2022/May/38 https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS https://lists.debian.org/debian-lts-announce/2022/04/msg00004. • CWE-416: Use After Free •