CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-37789
https://notcve.org/view.php?id=CVE-2021-37789
stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service. stb_image.h 2.27 tiene un búfer basado en montón en stbi__jpeg_load, lo que provoca divulgación de información o denegación de servicio. • https://github.com/nothings/stb/issues/1178 https://lists.debian.org/debian-lts-announce/2023/01/msg00045.html • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-43236
https://notcve.org/view.php?id=CVE-2022-43236
Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file. Se descubrió que Libde265 v1.0.8 contenía una vulnerabilidad de desbordamiento del búfer a través de put_qpel_fallback en fallback-motion.cc. Esta vulnerabilidad permite a los atacantes provocar una denegación de servicio (DoS) a través de un archivo de vídeo manipulado. • https://github.com/strukturag/libde265/issues/343 https://lists.debian.org/debian-lts-announce/2023/01/msg00020.html https://www.debian.org/security/2023/dsa-5346 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-39353 – xmldom allows multiple root nodes in a DOM
https://notcve.org/view.php?id=CVE-2022-39353
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`. xmldom es un módulo `DOMParser` y `XMLSerializer` basado en el estándar W3C de JavaScript puro (XML DOM Level 2 Core). xmldom analiza XML que no está bien formado porque contiene múltiples elementos de nivel superior y agrega todos los nodos raíz a la colección `childNodes` del `Documento`, sin informar ningún error ni arrojar. Esto rompe la suposición de que solo hay un nodo raíz en el árbol, lo que llevó a la emisión de CVE-2022-39299, ya que es un problema potencial para los dependientes. • https://github.com/jindw/xmldom/issues/150 https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html • CWE-20: Improper Input Validation CWE-1288: Improper Validation of Consistency within Input •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-42823 – webkitgtk: type confusion issue leading to arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-42823
A type confusion issue was addressed with improved memory handling. This issue is fixed in tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 and iPadOS 16. Processing maliciously crafted web content may lead to arbitrary code execution. Se solucionó un problema de confusión de tipos mejorando el manejo de la memoria. Este problema se solucionó en tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 y iPadOS 16. • http://www.openwall.com/lists/oss-security/2022/11/04/4 https://lists.debian.org/debian-lts-announce/2022/11/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LF4LYP725XZ7RWOPFUV6DGPN4Q5DUU4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AQKLEGJK3LHAKUQOLBHNR2DI3IUGLLTY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JOFKX6BUEJFECSVFV6P5INQCOYQBB4NZ https://security.gentoo.org/glsa/202 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-42824 – webkitgtk: sensitive information disclosure issue
https://notcve.org/view.php?id=CVE-2022-42824
A logic issue was addressed with improved state management. This issue is fixed in tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 and iPadOS 16. Processing maliciously crafted web content may disclose sensitive user information. Se abordó un problema lógico con una mejor gestión del estado. Este problema se solucionó en tvOS 16.1, macOS Ventura 13, watchOS 9.1, Safari 16.1, iOS 16.1 y iPadOS 16. • http://www.openwall.com/lists/oss-security/2022/11/04/4 https://lists.debian.org/debian-lts-announce/2022/11/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LF4LYP725XZ7RWOPFUV6DGPN4Q5DUU4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AQKLEGJK3LHAKUQOLBHNR2DI3IUGLLTY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JOFKX6BUEJFECSVFV6P5INQCOYQBB4NZ https://security.gentoo.org/glsa/202 •