CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21443 – OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
https://notcve.org/view.php?id=CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html https://security.netapp.com/advisory/ntap-20220429-0006 https://security.netapp.com/advisory/ntap-20240621-0006 https://www.debian.org/security/2022/dsa-5128 https://www.debian.org/security/2022/dsa-5131 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2022-21443 https://bugzilla.redhat.com/show_bug.cgi?id=2075793 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21434 – OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
https://notcve.org/view.php?id=CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html https://security.netapp.com/advisory/ntap-20220429-0006 https://security.netapp.com/advisory/ntap-20240621-0006 https://www.debian.org/security/2022/dsa-5128 https://www.debian.org/security/2022/dsa-5131 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2022-21434 https://bugzilla.redhat.com/show_bug.cgi?id=2075836 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2022-21426 – OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
https://notcve.org/view.php?id=CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html https://security.netapp.com/advisory/ntap-20220429-0006 https://www.debian.org/security/2022/dsa-5128 https://www.debian.org/security/2022/dsa-5131 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2022-21426 https://bugzilla.redhat.com/show_bug.cgi?id=2075788 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2022-22968 – Framework: Data Binding Rules Vulnerability
https://notcve.org/view.php?id=CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. En Spring Framework versiones 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, y en las versiones anteriores no soportadas, los patrones para disallowedFields en un DataBinder distinguen entre mayúsculas y minúsculas, lo que significa que un campo no está efectivamente protegido a menos que aparezca con mayúsculas y minúsculas para el primer carácter del campo, incluyendo mayúsculas y minúsculas para el primer carácter de todos los campos anidados dentro de la ruta de la propiedad • https://security.netapp.com/advisory/ntap-20220602-0004 https://tanzu.vmware.com/security/cve-2022-22968 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-22968 https://bugzilla.redhat.com/show_bug.cgi?id=2075441 • CWE-20: Improper Input Validation CWE-178: Improper Handling of Case Sensitivity •
CVSS: 6.8EPSS: 0%CPEs: 27EXPL: 1CVE-2021-4203 – kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
https://notcve.org/view.php?id=CVE-2021-4203
A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. Se ha encontrado un fallo de lectura de uso de memoria previamente liberada en la función sock_getsockopt() en el archivo net/core/sock.c debido a la carrera de SO_PEERCRED y SO_PEERGROUPS con listen() (y connect()) en el kernel de Linux. En este fallo, un atacante con privilegios de usuario puede bloquear el sistema o filtrar información interna del kernel A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. • https://bugs.chromium.org/p/project-zero/issues/detail?id=2230&can=7&q=modified-after%3Atoday-30&sort=-modified&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary%20Modified%20Cve&cells=tiles&redir=1 https://bugzilla.redhat.com/show_bug.cgi?id=2036934 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=35306eb23814 https://lore.kernel.org/netdev/20210929225750.2548112-1-eric.dumazet%40gmail.com/T https://security.netapp.com/advisory/ntap-20221111-0003 https:&# • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •