CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 1CVE-2021-22569 – Denial of Service of protobuf-java parsing procedure
https://notcve.org/view.php?id=CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. Un problema en protobuf-java permitía intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. Una pequeña carga útil maliciosa puede ocupar el analizador durante varios minutos al crear un gran número de objetos de corta duración que causan frecuentes y repetidas pausas. • http://www.openwall.com/lists/oss-security/2022/01/12/4 http://www.openwall.com/lists/oss-security/2022/01/12/7 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 https://cloud.google.com/support/bulletins#gcp-2022-001 https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-22569 https://bugzilla.redhat.com/show_bug.cgi?id=2039903 • CWE-696: Incorrect Behavior Order •
CVSS: 5.9EPSS: 96%CPEs: 213EXPL: 7CVE-2021-45105 – Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
https://notcve.org/view.php?id=CVE-2021-45105
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. Apache Log4j2 versiones 2.0-alpha1 hasta 2.16.0 (excluyendo las versiones 2.12.3 y 2.3.1) no protegían de la recursión no controlada de las búsquedas autorreferenciales. Esto permite a un atacante con control sobre los datos de Thread Context Map causar una denegación de servicio cuando es interpretada una cadena diseñada. • https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 https://github.com/tejas-nagchandi/CVE-2021-45105 https://github.com/pravin-pp/log4j2-CVE-2021-45105 https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1 https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105 https://github.com/dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105-v htt • CWE-20: Improper Input Validation CWE-674: Uncontrolled Recursion •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2021-41973 – Apache MINA HTTP listener DOS
https://notcve.org/view.php?id=CVE-2021-41973
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. En Apache MINA, una petición HTTP específicamente diseñada y malformada puede causar que el decodificador de encabezados HTTP haga un bucle indefinido. El decodificador asume que el encabezado HTTP comienza al principio del buffer y hace un bucle si presenta más datos de los esperados. • http://www.openwall.com/lists/oss-security/2021/11/01/2 http://www.openwall.com/lists/oss-security/2021/11/01/8 https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2021-22096 – springframework: malicious input leads to insertion of additional log entries
https://notcve.org/view.php?id=CVE-2021-22096
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. En Spring Framework versiones 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, y en versiones anteriores no soportadas, es posible para un usuario proporcionar una entrada maliciosa para causar una inserción de entradas de registro adicionales • https://security.netapp.com/advisory/ntap-20211125-0005 https://tanzu.vmware.com/security/cve-2021-22096 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-22096 https://bugzilla.redhat.com/show_bug.cgi?id=2034584 • CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.9EPSS: 0%CPEs: 7EXPL: 2CVE-2021-2471 – mysql-connector-java: unauthorized access to critical
https://notcve.org/view.php?id=CVE-2021-2471
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). • https://github.com/cckuailong/CVE-2021-2471 https://github.com/DrunkenShells/CVE-2021-2471 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-2471 https://bugzilla.redhat.com/show_bug.cgi?id=2020583 • CWE-863: Incorrect Authorization •