Page 36 of 1100 results (0.012 seconds)

CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 2

CVE-2022-29154 – rsync: remote arbitrary files write inside the directories of connecting peers

https://notcve.org/view.php?id=CVE-2022-29154

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). Se ha detectado un problema en rsync versiones anteriores a 3.2.5, que permite a servidores remotos maliciosos escribir archivos arbitrarios dentro de los directorios de los pares conectados. • https://github.com/EgeBalci/CVE-2022-29154 http://www.openwall.com/lists/oss-security/2022/08/02/1 https://github.com/WayneD/rsync/tags https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2 https://access.redhat.com/security/cve/CVE-2022-29154 https://bugzilla.redhat.com/show_bug.cgi?id=2110928 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2022-35922 – Memory allocation based on untrusted length in rust-websocket

https://notcve.org/view.php?id=CVE-2022-35922

Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator will abort the current process, killing all threads. • https://github.com/websockets-rs/rust-websocket/commit/cbf6e9983e839d2ecad86de8cd1b3f20ed43390b https://github.com/websockets-rs/rust-websocket/security/advisories/GHSA-qrjv-rf5q-qpxc https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V2EOOU5OLEHVMKAH6BALQXKDKIZRXCI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYPNCM4H4OFBIZI6XMJ2DUTS54FT2TWP • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-3670

https://notcve.org/view.php?id=CVE-2021-3670

MaxQueryDuration not honoured in Samba AD DC LDAP MaxQueryDuration no es cumplido en Samba AD DC LDAP • https://bugzilla.redhat.com/show_bug.cgi?id=2077533 https://bugzilla.samba.org/show_bug.cgi?id=14694 https://gitlab.com/samba-team/samba/-/commit/1d5b155619bc532c46932965b215bd73a920e56f https://gitlab.com/samba-team/samba/-/commit/2b3af3b560c9617a233c131376c870fce146c002 https://gitlab.com/samba-team/samba/-/commit/3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393 https://gitlab.com/samba-team/samba/-/commit/5f0590362c5c0c5ee20503a67467f9be2d50e73b https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2022-30699 – Novel "ghost domain names" attack by updating almost expired delegation information

https://notcve.org/view.php?id=CVE-2022-30699

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. • https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD https://security.gentoo.org/glsa/202212-02 https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt https://access.redhat.com/security/cve/CVE-2022-30699 https://bugzilla.redhat.com • CWE-613: Insufficient Session Expiration •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2022-30698 – Novel "ghost domain names" attack by introducing subdomain delegations

https://notcve.org/view.php?id=CVE-2022-30698

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. • https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L3ZFWZZFPBIL654BG75RWXUMPFQJ5EC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D35CX4SCZVNKZTWJXPDFTHWZHINMGEZD https://security.gentoo.org/glsa/202212-02 https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt https://access.redhat.com/security/cve/CVE-2022-30698 https://bugzilla.redhat.com • CWE-613: Insufficient Session Expiration •