CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31692 – spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
https://notcve.org/view.php?id=CVE-2022-31692
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true) Spring Security, las versiones 5.7 anteriores a 5.7.5 y 5.6 anteriores a 5.6.9 podrían ser susceptibles a que las reglas de autorización se omitan mediante reenvío o incluyan tipos de despachadores. • https://security.netapp.com/advisory/ntap-20221215-0010 https://tanzu.vmware.com/security/cve-2022-31692 https://access.redhat.com/security/cve/CVE-2022-31692 https://bugzilla.redhat.com/show_bug.cgi?id=2162206 • CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31678
https://notcve.org/view.php?id=CVE-2022-31678
VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. VMware Cloud Foundation (NSX-V) contiene una vulnerabilidad de entidad externa XML (XXE). En instancias VCF 3.x con NSX-V implementado, esto puede permitir que un usuario aproveche este problema y provoque una condición de Denegación de Servicio o divulgación de información no intencionada. • https://www.vmware.com/security/advisories/VMSA-2022-0027.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31682
https://notcve.org/view.php?id=CVE-2022-31682
VMware Aria Operations contains an arbitrary file read vulnerability. A malicious actor with administrative privileges may be able to read arbitrary files containing sensitive data. VMware Aria Operations contiene una vulnerabilidad de lectura arbitraria de archivos. Un actor malicioso privilegiado administrativos puede ser capaz de leer archivos arbitrarios que contengan datos confidenciales • https://www.vmware.com/security/advisories/VMSA-2022-0026.html •
CVSS: 6.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-31681
https://notcve.org/view.php?id=CVE-2022-31681
VMware ESXi contains a null-pointer deference vulnerability. A malicious actor with privileges within the VMX process only, may create a denial of service condition on the host. VMware ESXi contiene una vulnerabilidad de deferencia de puntero null. Un actor malicioso con privilegios dentro del proceso VMX solamente, puede crear una condición de negación de servicio en el host • https://www.vmware.com/security/advisories/VMSA-2022-0025.html • CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 0%CPEs: 28EXPL: 1CVE-2022-31680
https://notcve.org/view.php?id=CVE-2022-31680
The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server. El servidor vCenter contiene una vulnerabilidad de deserialización no segura en el PSC (Platform services controller). Un actor malicioso con acceso de administrador en el servidor vCenter puede aprovechar este problema para ejecutar código arbitrario en el sistema operativo subyacente que aloja el servidor vCenter • https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1587 https://www.vmware.com/security/advisories/VMSA-2022-0025.html • CWE-502: Deserialization of Untrusted Data •