CVSS: 7.8EPSS: 0%CPEs: 56EXPL: 33CVE-2021-4034 – Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
https://notcve.org/view.php?id=CVE-2021-4034
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. • https://github.com/dzonerzy/poc-cve-2021-4034 https://github.com/arthepsy/CVE-2021-4034 https://github.com/berdav/CVE-2021-4034 https://www.exploit-db.com/exploits/50689 https://github.com/PwnFunction/CVE-2021-4034 https://github.com/joeammond/CVE-2021-4034 https://github.com/nikaiw/CVE-2021-4034 https://github.com/ryaagard/CVE-2021-4034 https://github.com/Rvn0xsy/CVE-2021-4034 https://github.com/Ayrx/CVE-2021-4034 https://github.com/zhzyker/CVE-2021-4034& • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2021-3717 – wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
https://notcve.org/view.php?id=CVE-2021-3717
A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0. Se ha encontrado un fallo en Wildfly. • https://bugzilla.redhat.com/show_bug.cgi?id=1991305 https://security.netapp.com/advisory/ntap-20220804-0002 https://access.redhat.com/security/cve/CVE-2021-3717 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.9EPSS: 0%CPEs: 18EXPL: 0CVE-2021-3629 – undertow: potential security issue in flow control over HTTP/2 may lead to DOS
https://notcve.org/view.php?id=CVE-2021-3629
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. Se ha encontrado un fallo en Undertow. • https://bugzilla.redhat.com/show_bug.cgi?id=1977362 https://security.netapp.com/advisory/ntap-20220729-0008 https://access.redhat.com/security/cve/CVE-2021-3629 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-2464
https://notcve.org/view.php?id=CVE-2021-2464
Vulnerability in Oracle Linux (component: OSwatcher). Supported versions that are affected are 7 and 8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Linux executes to compromise Oracle Linux. Successful attacks of this vulnerability can result in takeover of Oracle Linux. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). • https://linux.oracle.com/errata/ELSA-2021-9444.html https://www.oracle.com/security-alerts/cpuapr2022.html •
CVSS: 5.9EPSS: 0%CPEs: 22EXPL: 0CVE-2021-3597 – undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3597
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. Se ha encontrado un fallo en Undertow. • https://bugzilla.redhat.com/show_bug.cgi?id=1970930 https://security.netapp.com/advisory/ntap-20220804-0003 https://access.redhat.com/security/cve/CVE-2021-3597 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •