CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 1CVE-2020-22217 – c-ares: Heap buffer over read in ares_parse_soa_reply
https://notcve.org/view.php?id=CVE-2020-22217
Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c. Vulnerabilidad de desbordamiento de búfer en c-ares antes de 1_16_1 a 1_17_0 mediante la función ares_parse_soa_reply en ares_parse_soa_reply.c. A heap buffer over-read flaw was found in c-ares via the ares_parse_soa_reply function in ares_parse_soa_reply.c. • https://github.com/c-ares/c-ares/issues/333 https://lists.debian.org/debian-lts-announce/2023/09/msg00014.html https://access.redhat.com/security/cve/CVE-2020-22217 https://bugzilla.redhat.com/show_bug.cgi?id=2235527 • CWE-125: Out-of-bounds Read CWE-126: Buffer Over-read •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 1CVE-2022-48565 – python: XML External Entity in XML processing plistlib module
https://notcve.org/view.php?id=CVE-2022-48565
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. A flaw was found in Python caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, an attacker could obtain sensitive information by disclosing files specified by parsing URI, and may cause denial of service by resource exhaustion. • https://bugs.python.org/issue42051 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5B • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.9EPSS: 0%CPEs: 8EXPL: 1CVE-2022-48566
https://notcve.org/view.php?id=CVE-2022-48566
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. • https://bugs.python.org/issue40791 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://security.netapp.com/advisory/ntap-20231006-0013 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-48560 – python: use after free in heappushpop() of heapq module
https://notcve.org/view.php?id=CVE-2022-48560
A use-after-free exists in Python through 3.9 via heappushpop in heapq. A use-after-free vulnerability was found in Python via the heappushpop function in the heapq module. This flaw allows an attacker to submit a specially crafted request, causing a service disruption that leads to a denial of service attack. • https://bugs.python.org/issue39421 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZ5OOBWNYWXFTZDMCGHJVGDLDTHLWITJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VO7Y2YZSDK3UYJD2KBGLXRTGNG6T326J https://security.netapp.com/advisory/ntap-20230929-0008 https://access.redhat.com/security/cve/CVE-2022&# • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-37050
https://notcve.org/view.php?id=CVE-2022-37050
In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662. En Poppler 22.07.0, PDFDoc::savePageAs en PDFDoc.c permite a los atacantes provocar una denegación de servicio (la aplicación se bloquea con SIGABRT) mediante la creación de un archivo PDF en el que la estructura de datos xref se maneja incorrectamente en el procesamiento getCatalog. Tenga en cuenta que esta vulnerabilidad está causada por el parche incompleto de CVE-2018-20662. • https://gitlab.freedesktop.org/poppler/poppler/-/commit/dcd5bd8238ea448addd102ff045badd0aca1b990 https://gitlab.freedesktop.org/poppler/poppler/-/issues/1274 https://lists.debian.org/debian-lts-announce/2023/10/msg00022.html •