CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-28327 – golang: crypto/elliptic: panic caused by oversized scalar
https://notcve.org/view.php?id=CVE-2022-28327
20 Apr 2022 — The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. La característica genérica P-256 en crypto/elliptic en Go versiones anteriores a 1.17.9 y versiones 1.18.x anteriores a 1.18.1, permite un pánico por medio de una entrada escalar larga An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBase... • https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 2%CPEs: 6EXPL: 1CVE-2022-25648 – Command Injection
https://notcve.org/view.php?id=CVE-2022-25648
19 Apr 2022 — The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. El paquete git versiones anteriores a 1.11.0, es vulnerable a una inyección de comandos por medio de una inyección de argumentos git. Cuando es llamada a la función fetch(remote = "origin"... • https://github.com/ruby-git/ruby-git/pull/569 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-27191 – golang: crash in a golang.org/x/crypto/ssh server
https://notcve.org/view.php?id=CVE-2022-27191
18 Mar 2022 — The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. El paquete golang.org/x/crypto/ssh anterior a 0.0.0-20220314234659-1baeb1ce4c0b para Go permite a un atacante bloquear un servidor en ciertas circunstancias que implican AddHostKey A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject ... • https://groups.google.com/g/golang-announce • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2022-21698 – Uncontrolled Resource Consumption in promhttp
https://notcve.org/view.php?id=CVE-2022-21698
15 Feb 2022 — client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlig... • https://github.com/prometheus/client_golang/pull/962 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-0571 – Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite
https://notcve.org/view.php?id=CVE-2022-0571
13 Feb 2022 — Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-test-suite/phoronix-test-suite prior to 10.8.2. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Reflejado en el repositorio de GitHub phoronix-test-suite/phoronix-test-suite versiones anteriores a 10.8.2 • https://github.com/phoronix-test-suite/phoronix-test-suite/commit/1eac9260c8313f0cfc77837ec676f4e6d68bd833 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0CVE-2021-45079 – Gentoo Linux Security Advisory 202405-08
https://notcve.org/view.php?id=CVE-2021-45079
25 Jan 2022 — In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. En strongSwan versiones anteriores a 5.9.5, un respondedor malicioso puede enviar un mensaje EAP-Success demasiado pronto sin autenticar realmente al cliente y (en el caso de los métodos EAP con autenticación mutua y autenticación sólo EAP par... • https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 2CVE-2021-46141 – Debian Security Advisory 5063-1
https://notcve.org/view.php?id=CVE-2021-46141
06 Jan 2022 — An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner. Se ha detectado un problema en uriparser versiones anteriores a 0.9.6. Lleva a cabo operaciones inválidas en uriFreeUriMembers y uriMakeOwner. Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the the execution of arbitrary code. • https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 2CVE-2021-46142 – Debian Security Advisory 5063-1
https://notcve.org/view.php?id=CVE-2021-46142
06 Jan 2022 — An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. Se ha detectado un problema en uriparser versiones anteriores a 0.9.6. Lleva a cabo operaciones libres no válidas en uriNormalizeSyntax. Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the the execution of arbitrary code. • https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 27EXPL: 1CVE-2021-3733 – python: urllib: Regular expression DoS in AbstractBasicAuthHandler
https://notcve.org/view.php?id=CVE-2021-3733
17 Sep 2021 — There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability. Se presenta un fallo en la clase AbstractBasicAuthHandler de urllib. Un atacante que controle un servidor H... • https://bugs.python.org/issue43075 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 1CVE-2021-21897
https://notcve.org/view.php?id=CVE-2021-21897
08 Sep 2021 — A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. Se presenta una vulnerabilidad de ejecución de código en la funcionalidad DL_Dxf::handleLWPolylineData de Ribbonsoft dxflib versión 3.17.0. Un archivo .dxf especialmente diseñado puede conllevar a un desbordamiento del búfer de la pila. • https://lists.debian.org/debian-lts-announce/2022/06/msg00008.html • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-787: Out-of-bounds Write •