CVE-2022-38817
https://notcve.org/view.php?id=CVE-2022-38817
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. • https://github.com/dapr/dashboard https://github.com/dapr/dashboard/issues/222 • CWE-306: Missing Authentication for Critical Function •
CVE-2022-36025 – Incorrect Conversion between Numeric Types in Besu Ethereum Client
https://notcve.org/view.php?id=CVE-2022-36025
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32-bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64-bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than the transaction requested, possibly exceeding gas limitations. • https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x • CWE-196: Unsigned to Signed Conversion Error CWE-681: Incorrect Conversion between Numeric Types •
CVE-2022-31006 – Hyperledger Indy DOS vulnerability
https://notcve.org/view.php?id=CVE-2022-31006
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. • https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3 https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-31020 – Remote code execution in Indy's NODE_UPGRADE transaction
https://notcve.org/view.php?id=CVE-2022-31020
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. • https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5 https://github.com/hyperledger/indy-node/releases/tag/v1.12.5 https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVE-2022-35942 – loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
https://notcve.org/view.php?id=CVE-2022-35942
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who do any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Use the connector's CRUD methods directly OR - Use the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand. • https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5 https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •