CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 2CVE-2022-42004 – jackson-databind: use of deeply nested arrays
https://notcve.org/view.php?id=CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobación en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 https://github.com/FasterXML/jackson-databind/issues/3582 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.gentoo.org/glsa/202210-21 https://security.netapp.com/advisory/ntap-20221118-0008 https://www.debian.org/security/2022/dsa-5283 https://access.redhat.com/security/cve/CVE-2022-42004 https://bugzilla.r • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-2466
https://notcve.org/view.php?id=CVE-2022-2466
It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior. Se ha detectado que Quarkus versión 2.10.x, no termina el contexto de el encabezado de las peticiones HTTP, lo que puede conllevar a un comportamiento imprevisible • https://github.com/yuxblank/CVE-2022-2466---Request-Context-not-terminated-with-GraphQL https://github.com/quarkusio/quarkus/issues/26748 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0981 – quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus
https://notcve.org/view.php?id=CVE-2022-0981
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. Se ha encontrado un fallo en Quarkus. El estado y los permisos potencialmente asociados pueden filtrarse de una petición web a otra en RestEasy Reactive. • https://bugzilla.redhat.com/show_bug.cgi?id=2062520 https://github.com/quarkusio/quarkus/issues/23269 https://access.redhat.com/security/cve/CVE-2022-0981 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 2%CPEs: 8EXPL: 2CVE-2022-21724 – Unchecked Class Instantiation when providing Plugin Classes
https://notcve.org/view.php?id=CVE-2022-21724
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. • https://github.com/ToontjeM/CVE-2022-21724 https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS https://security.netapp.com/advisory/ntap-20220311-0005 https://www.debian.org/security/2022/dsa-5196 https://access.redhat.com&# • CWE-665: Improper Initialization •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21363 – mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
https://notcve.org/view.php?id=CVE-2022-21363
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). • https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21363 https://bugzilla.redhat.com/show_bug.cgi?id=2047343 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •