CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 2CVE-2022-22844 – libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c
https://notcve.org/view.php?id=CVE-2022-22844
LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. LibTIFF versión 4.3.0, presenta una lectura fuera de límites en la función _TIFFmemcpy en el archivo tif_unix.c en determinadas situaciones que implican una etiqueta personalizada y 0x0200 como la segunda palabra del campo DE A buffer overflow vulnerability was found in libtiff. This flaw allows an attacker with network access to pass specially crafted files, causing an application to halt or crash. The root cause of this issue was from the memcpy function in tif_unix.c. • https://gitlab.com/libtiff/libtiff/-/issues/355 https://gitlab.com/libtiff/libtiff/-/merge_requests/287 https://lists.debian.org/debian-lts-announce/2022/03/msg00001.html https://security.gentoo.org/glsa/202210-10 https://security.netapp.com/advisory/ntap-20220311-0002 https://www.debian.org/security/2022/dsa-5108 https://access.redhat.com/security/cve/CVE-2022-22844 https://bugzilla.redhat.com/show_bug.cgi?id=2042603 • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-29050
https://notcve.org/view.php?id=CVE-2020-29050
SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx. SphinxSearch en Sphinx Technologies Sphinx versiones hasta 3.1.1, permite un salto de directorio (en conjunto con CVE-2019-14511) porque el cliente mysql puede ser usado para operaciones CALL SNIPPETS y load_file en una ruta completa (por ejemplo, un archivo en el directorio /etc). NOTA: esto no está relacionado con CMUSphinx • https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511 https://lists.debian.org/debian-lts-announce/2022/01/msg00009.html https://security-tracker.debian.org/tracker/CVE-2020-29050 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-22816 – python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
https://notcve.org/view.php?id=CVE-2022-22816
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. La función path_getbbox en el archivo path.c en Pillow versiones anteriores a 9.0.0, presenta una lectura excesiva del buffer durante la inicialización de ImagePath.Path A flaw was found in python-pillow. The vulnerability occurs due to improper initialization of image paths, leading to a buffer over-read and improper initialization. This flaw allows an attacker to unauthorized memory access that causes memory access errors, incorrect results, or crashes. • https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331 https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling https://security.gentoo.org/glsa/202211-10 https://www.debian.org/security/2022/dsa-5053 https://access.redhat.com/security/cve/CVE-2022-22816 https://bugzilla.redhat.com/show_bug.cgi?id=2042522 • CWE-125: Out-of-bounds Read •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-22817 – python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions
https://notcve.org/view.php?id=CVE-2022-22817
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. PIL.ImageMath.eval en Pillow antes de la versión 9.0.0 permite la evaluación de expresiones arbitrarias, como las que utilizan el método exec de Python. También se puede utilizar una expresión lambda, A flaw was found in python-pillow. The vulnerability occurs due to Improper Neutralization, leading to command injection. • https://github.com/JawadPy/CVE-2022-22817-Exploit https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security https://security.gentoo.org/glsa/202211-10 https://www.debian.org/security/2022/dsa-5053 https://access.redhat.com/se • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 49%CPEs: 5EXPL: 2CVE-2021-42392 – h2: Remote Code Execution in Console
https://notcve.org/view.php?id=CVE-2021-42392
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. El método org.h2.util.JdbcUtils.getConnection de la base de datos H2 toma como parámetros el nombre de la clase del controlador y la URL de la base de datos. Un atacante puede pasar un nombre de controlador JNDI y una URL que conlleve a un servidor LDAP o RMI, causando una ejecución de código remota. • https://github.com/cybersecurityworks553/CVE-2021-42392-Detect https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6 https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html https://security.netapp.com/advisory/ntap-20220119-0001 https://www.debian.org/security/2022/dsa-5076 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.secpod.com/blog/log4shell-critical • CWE-502: Deserialization of Untrusted Data •