CVSS: 7.4EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44531 – nodejs: Improper handling of URI Subject Alternative Names
https://notcve.org/view.php?id=CVE-2021-44531
24 Feb 2022 — Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This ... • https://hackerone.com/reports/1429694 • CWE-295: Improper Certificate Validation •
CVSS: 8.2EPSS: 0%CPEs: 16EXPL: 0CVE-2022-21824 – nodejs: Prototype pollution via console.table properties
https://notcve.org/view.php?id=CVE-2022-21824
24 Feb 2022 — Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the objec... • https://hackerone.com/reports/1431042 • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.9EPSS: 0%CPEs: 35EXPL: 0CVE-2021-4160 – BN_mod_exp may produce incorrect results on MIPS
https://notcve.org/view.php?id=CVE-2021-4160
28 Jan 2022 — There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because ... • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf •
CVSS: 7.1EPSS: 0%CPEs: 58EXPL: 0CVE-2022-23437 – Infinite loop within Apache XercesJ xml parser
https://notcve.org/view.php?id=CVE-2022-23437
24 Jan 2022 — There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. Se presenta una vulnerabilidad en el analizador XML de Apache Xerces Java (XercesJ) cuando maneja cargas útiles de documentos XML especialmente diseñados. Esto c... • http://www.openwall.com/lists/oss-security/2022/01/24/3 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21369
https://notcve.org/view.php?id=CVE-2022-21369
19 Jan 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Rich Text Editor). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additio... • https://www.oracle.com/security-alerts/cpujan2022.html •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21364
https://notcve.org/view.php?id=CVE-2022-21364
19 Jan 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Weblogic). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). • https://www.oracle.com/security-alerts/cpujan2022.html •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21359
https://notcve.org/view.php?id=CVE-2022-21359
19 Jan 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Optimization Framework). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact a... • https://www.oracle.com/security-alerts/cpujan2022.html •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21345
https://notcve.org/view.php?id=CVE-2022-21345
19 Jan 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.58 and 8.59. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.5 (Confidentiali... • https://www.oracle.com/security-alerts/cpujan2022.html •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21272
https://notcve.org/view.php?id=CVE-2022-21272
19 Jan 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional produc... • https://www.oracle.com/security-alerts/cpujan2022.html •
CVSS: 5.9EPSS: 65%CPEs: 213EXPL: 10CVE-2021-45105 – Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
https://notcve.org/view.php?id=CVE-2021-45105
18 Dec 2021 — Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. Apache Log4j2 versiones 2.0-alpha1 hasta 2.16.0 (excluyendo las versiones 2.12.3 y 2.3.1) no protegían de la recursión no controlada de las búsquedas autorreferenciales.... • https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 • CWE-20: Improper Input Validation CWE-674: Uncontrolled Recursion •