CVE-2022-31008 – Predictable credential obfuscation seed value used in rabbitmq-server
https://notcve.org/view.php?id=CVE-2022-31008
RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose.
• https://github.com/rabbitmq/rabbitmq-server/pull/4841 https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8
• CWE-330: Use of Insufficiently Random Values; CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CVE-2022-31679
https://notcve.org/view.php?id=CVE-2022-31679
In applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, an attacker who knows the structure of the underlying domain model can craft HTTP requests that expose hidden entity attributes.
• https://tanzu.vmware.com/security/cve-2022-31679
CVE-2022-31677
https://notcve.org/view.php?id=CVE-2022-31677
An Insufficient Session Expiration issue was discovered in the Pinniped Supervisor (before v0.19.0). A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.
• https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-rp4v-hhm6-rcv9
• CWE-613: Insufficient Session Expiration
CVE-2022-31676 – open-vm-tools: local root privilege escalation in the virtual machine
https://notcve.org/view.php?id=CVE-2022-31676
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. A flaw was found in open-vm-tools.
• http://www.openwall.com/lists/oss-security/2022/08/23/3 https://lists.debian.org/debian-lts-announce/2022/08/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C5VV2R4LV4T3SNQJYRLFD4C75HBDVV76 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O4TZF6QRJIDECGMEGBPXJCHZ6YC3VZ6Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZA63DWRW7HROTVBNRIPBJQWBYIYAQMEW https://security.gentoo.org/glsa/202
• CWE-250: Execution with Unnecessary Privileges; CWE-269: Improper Privilege Management
CVE-2022-21793
https://notcve.org/view.php?id=CVE-2022-21793
Insufficient control flow management in the Intel(R) Ethernet 500 Series Controller drivers for VMWare before version 1.11.4.0 and in the Intel(R) Ethernet 700 Series Controller drivers for VMWare before version 2.1.5.0 may allow an authenticated user to potentially enable a denial of service via local access.
• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00650.html