CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21426 – OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
https://notcve.org/view.php?id=CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html https://security.netapp.com/advisory/ntap-20220429-0006 https://www.debian.org/security/2022/dsa-5128 https://www.debian.org/security/2022/dsa-5131 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2022-21426 https://bugzilla.redhat.com/show_bug.cgi?id=2075788 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 1CVE-2021-3624
https://notcve.org/view.php?id=CVE-2021-3624
There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. Se presenta una vulnerabilidad de desbordamiento de enteros en dcraw. Cuando la víctima ejecuta dcraw con una imagen de entrada X3F maliciosamente diseñada, puede ejecutarse código arbitrario en el sistema de la víctima • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761 • CWE-20: Improper Input Validation CWE-190: Integer Overflow or Wraparound •
CVSS: 6.2EPSS: 0%CPEs: 2EXPL: 2CVE-2022-24859 – Manipulated inline images can cause Infinite Loop in PyPDF2
https://notcve.org/view.php?id=CVE-2022-24859
PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. • https://github.com/py-pdf/PyPDF2/issues/329 https://github.com/py-pdf/PyPDF2/pull/740 https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5 https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79 https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-28044
https://notcve.org/view.php?id=CVE-2022-28044
Irzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control. Se ha detectado que Irzip versión v0.640, contenía una corrupción de memoria de la pila por medio del componente lrzip.c:initialise_control • https://github.com/ckolivas/lrzip/commit/5faf80cd53ecfd16b636d653483144cd12004f46 https://github.com/ckolivas/lrzip/issues/216 https://lists.debian.org/debian-lts-announce/2022/05/msg00016.html https://www.debian.org/security/2022/dsa-5145 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1328 – mutt: buffer overflow in uudecoder function
https://notcve.org/view.php?id=CVE-2022-1328
Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line Un Desbordamiento del Búfer en uudecoder en Mutt afectando a todas las versiones a partir de 0.94.13 antes de 2.2.3 permite leer más allá del final de la línea de entrada A flaw was found in mutt. When reading unencoded messages, mutt uses the line length from the untrusted input without any validation. This flaw allows an attacker to craft a malicious message, which leads to an out-of-bounds read, causing data leaks that include fragments of other unrelated messages. In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1328.json https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 https://gitlab.com/muttmua/mutt/-/issues/404 https://access.redhat.com/security/cve/CVE-2022-1328 https://bugzilla.redhat.com/show_bug.cgi?id=2076058 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •