CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39660
https://notcve.org/view.php?id=CVE-2021-39660
In TBD of TBD, there is a possible way to archive arbitrary code execution in kernel due to a race condition. • https://source.android.com/security/bulletin/2022-12-01 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 20%CPEs: 8EXPL: 0CVE-2022-27518 – Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-27518
Unauthenticated remote arbitrary code execution Ejecución remota de código arbitrario no autenticado Citrix Application Delivery Controller (ADC) and Gateway, when configured with SAML SP or IdP configuration, contain an authentication bypass vulnerability that allows an attacker to execute code as administrator. • https://support.citrix.com/article/CTX474995 • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2022-4223
https://notcve.org/view.php?id=CVE-2022-4223
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to call it with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server. El servidor pgAdmin incluye una API HTTP diseñada para validar la ruta que un usuario selecciona a las utilidades externas de PostgreSQL, como pg_dump y pg_restore. • https://github.com/pgadmin-org/pgadmin4/issues/5593 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5EYTPKHVFSDCETBJI7LBZE4EYHBPN2Q • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-46157 – Remote php code execution in Akeneo PIM
https://notcve.org/view.php?id=CVE-2022-46157
Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allows remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the versions aforementioned provides patched Apache HTTP server configuration file, for docker setup and in documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. • https://github.com/akeneo/pim-community-dev/blob/b4d79bb073c8b68ea26ab227c97cc78d86c4cba1/docker/httpd.conf#L39 https://github.com/akeneo/pim-community-dev/security/advisories/GHSA-w9wc-4xcq-8gr6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-46166 – Spring Boot Admins integrated notifier support allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-46166
Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint. • https://github.com/DickDock/CVE-2022-46166 https://github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75 https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •