CVSS: 7.5EPSS: 0%CPEs: 43EXPL: 0CVE-2022-1473 – Resource leakage when decoding certificates and keys
https://notcve.org/view.php?id=CVE-2022-1473
03 May 2022 — The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long liv... • https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf • CWE-401: Missing Release of Memory after Effective Lifetime CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 1CVE-2022-29968 – Ubuntu Security Notice USN-5471-1
https://notcve.org/view.php?id=CVE-2022-29968
02 May 2022 — An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private. Se ha detectado un problema en el kernel de Linux versiones hasta 5.17.5. La función io_rw_init_file en el archivo fs/io_uring.c carece de la inicialización de kiocb-)private It was discovered that the Linux kernel did not properly restrict access to the kernel debugger when booted in secure boot environments. A privileged attacker could use this to bypass UEFI Secure Boot res... • https://github.com/jprx/CVE-2022-29968 • CWE-909: Missing Initialization of Resource •
CVSS: 8.1EPSS: 0%CPEs: 20EXPL: 1CVE-2022-22576 – curl: OAUTH2 bearer bypass in connection re-use
https://notcve.org/view.php?id=CVE-2022-22576
29 Apr 2022 — An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). Se presenta una vulnerabilidad de autenticación inapropiada en curl versiones 7.33.0 hasta 7.82.0 incluyéndola, que podría permitir reúso de conexiones aute... • https://hackerone.com/reports/1526328 • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0CVE-2022-21496 – OpenJDK: URI parsing inconsistencies (JNDI, 8278972)
https://notcve.org/view.php?id=CVE-2022-21496
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-1173: Improper Use of Validation Framework •
CVSS: 7.5EPSS: 0%CPEs: 155EXPL: 0CVE-2022-21476 – OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)
https://notcve.org/view.php?id=CVE-2022-21476
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unautho... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-179: Incorrect Behavior Order: Early Validation •
CVSS: 7.5EPSS: 37%CPEs: 22EXPL: 11CVE-2022-21449 – OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)
https://notcve.org/view.php?id=CVE-2022-21449
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or ... • https://github.com/notkmhn/CVE-2022-21449-TLS-PoC • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21443 – OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
https://notcve.org/view.php?id=CVE-2022-21443
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unaut... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21434 – OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
https://notcve.org/view.php?id=CVE-2022-21434
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unautho... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21426 – OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
https://notcve.org/view.php?id=CVE-2022-21426
19 Apr 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized... • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 0CVE-2022-28893 – kernel: use after free in SUNRPC subsystem
https://notcve.org/view.php?id=CVE-2022-28893
11 Apr 2022 — The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. El subsistema SUNRPC en el kernel de Linux versiones hasta 5.17.2, puede llamar a xs_xprt_free antes de asegurarse de que los sockets están en el estado deseado A use-after-free flaw was found in the Linux kernel’s net/sunrpc/xprt.c function in the Remote Procedure Call (SunRPC) protocol. This flaw allows a local attacker to crash the system, leading to a kernel information l... • http://www.openwall.com/lists/oss-security/2022/04/11/3 • CWE-416: Use After Free •