CVSS: 7.4EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44531 – nodejs: Improper handling of URI Subject Alternative Names
https://notcve.org/view.php?id=CVE-2021-44531
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. Aceptar tipos de nombres alternativos de sujeto (SAN) arbitrarios, a menos que una PKI esté definida específicamente para usar un tipo de SAN concreto, puede resultar en una omisión de los intermediarios con restricción de nombre. • https://hackerone.com/reports/1429694 https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases https://security.netapp.com/advisory/ntap-20220325-0007 https://www.debian.org/security/2022/dsa-5170 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-44531 https://bugzilla.redhat.com/show_bug.cgi?id=2040839 • CWE-295: Improper Certificate Validation •
CVSS: 8.2EPSS: 0%CPEs: 16EXPL: 0CVE-2022-21824 – nodejs: Prototype pollution via console.table properties
https://notcve.org/view.php?id=CVE-2022-21824
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. Debido a la lógica de formato de la función "console.table()" no era seguro permitir que pasara la entrada controlada por el usuario al parámetro "properties" mientras pasaba simultáneamente un objeto plano con al menos una propiedad como primer parámetro, que podía ser "__proto__". La contaminación del prototipo presenta un control muy limitado, ya que sólo permite asignar una cadena vacía a las claves numéricas del prototipo del objeto.Node.js versiones posteriores a 12.22.9 incluyéndola, versiones posteriores a 14.18.3 incluyéndola, versiones posteriores a 16.13.2 incluyéndola, y versiones posteriores a 17.3.1 incluyéndola, usan un prototipo nulo para el objeto al que es asignada estas propiedades. • https://hackerone.com/reports/1431042 https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases https://security.netapp.com/advisory/ntap-20220325-0007 https://security.netapp.com/advisory/ntap-20220729-0004 https://www.debian.org/security/2022/dsa-5170 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-2 • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.0EPSS: 0%CPEs: 26EXPL: 0CVE-2022-23181 – Local privilege escalation with FileStore
https://notcve.org/view.php?id=CVE-2022-23181
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. Una corrección del bug CVE-2020-9484 introdujo una vulnerabilidad de tiempo de comprobación, tiempo de uso en Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M8, versiones 10.0.0-M5 a 10.0.14, versiones 9.0.35 a 9.0.56 y versiones 8.5.55 a 8.5.73, que permitía a un atacante local llevar a cabo acciones con los privilegios del usuario que está usando el proceso Tomcat. Este problema sólo es explotable cuando Tomcat está configurado para persistir sesiones usando el FileStore • https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html https://security.netapp.com/advisory/ntap-20220217-0010 https://www.debian.org/security/2022/dsa-5265 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-23181 https://bugzilla.redhat.com/show_bug.cgi?id=2047417 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.0EPSS: 0%CPEs: 39EXPL: 0CVE-2022-23307 – A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
https://notcve.org/view.php?id=CVE-2022-23307
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. CVE-2020-9493 identificó un problema de deserialización presente en Apache Chainsaw. Versiones anteriores a Chainsaw V2.0 Chainsaw era un componente de Apache Log4j versiones 1.2.x donde se presenta el mismo problema A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run. • https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh https://logging.apache.org/log4j/1.2/index.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-23307 https://bugzilla.redhat.com/show_bug.cgi?id=2041967 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 42EXPL: 0CVE-2022-23305 – SQL injection in JDBC Appender in Apache Log4j V1
https://notcve.org/view.php?id=CVE-2022-23305
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. • http://www.openwall.com/lists/oss-security/2022/01/18/4 https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y https://logging.apache.org/log4j/1.2/index.html https://security.netapp.com/advisory/ntap-20220217-0007 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-23305 https://bugzilla.redhat.com/show_bug.cgi?id=2041959 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •