CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2022-1319 – undertow: Double AJP response for 400 from EAP 7 results in CPING failures
https://notcve.org/view.php?id=CVE-2022-1319
07 Jun 2022 — A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG. Se ha encontrado un fallo en Undertow. Para una respuesta AJP 400, EAP 7 envía inapropiadamente el flag de reúso habilitado aunque JBoss EAP cierra la conexión. es producido ... • https://access.redhat.com/security/cve/CVE-2022-1319 • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2022-1678
https://notcve.org/view.php?id=CVE-2022-1678
25 May 2022 — An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients. Se ha detectado un problema en el Kernel de Linux de la 4.18 a 4.19, una actualización inapropiada de la referencia sock en el paso TCP puede conllevar a una pérdida de memoria/netns, que puede ser usada por clientes remotos • https://anas.openanolis.cn/cves/detail/CVE-2022-1678 • CWE-911: Improper Update of Reference Count •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 1CVE-2022-22970 – springframework: DoS via data binding to multipartFile or servlet part
https://notcve.org/view.php?id=CVE-2022-22970
12 May 2022 — In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. En spring Framework versiones anteriores a 5.3.20+ , 5.2.22+ y las versiones antiguas no soportadas, las aplicaciones que manejan cargas de archivos son vulnerables a un ataque de denegación de servicio si dependen de la vinculación de datos para establec... • https://github.com/Performant-Labs/CVE-2022-22970 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0CVE-2022-21496 – OpenJDK: URI parsing inconsistencies (JNDI, 8278972)
https://notcve.org/view.php?id=CVE-2022-21496
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-1173: Improper Use of Validation Framework •
CVSS: 7.5EPSS: 0%CPEs: 155EXPL: 0CVE-2022-21476 – OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)
https://notcve.org/view.php?id=CVE-2022-21476
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unautho... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-179: Incorrect Behavior Order: Early Validation •
CVSS: 7.5EPSS: 36%CPEs: 22EXPL: 11CVE-2022-21449 – OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)
https://notcve.org/view.php?id=CVE-2022-21449
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or ... • https://github.com/notkmhn/CVE-2022-21449-TLS-PoC • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21443 – OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
https://notcve.org/view.php?id=CVE-2022-21443
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unaut... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21434 – OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
https://notcve.org/view.php?id=CVE-2022-21434
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unautho... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21426 – OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
https://notcve.org/view.php?id=CVE-2022-21426
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 31%CPEs: 12EXPL: 1CVE-2022-22968 – Framework: Data Binding Rules Vulnerability
https://notcve.org/view.php?id=CVE-2022-22968
14 Apr 2022 — In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. En Spring Framework versiones 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, y en las versiones anteriores no soportadas, los... • https://github.com/MarcinGadz/spring-rce-poc • CWE-20: Improper Input Validation CWE-178: Improper Handling of Case Sensitivity •