CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-2225 – Zero Trust Secure Web Gateway policies bypass using WARP client subcommands
https://notcve.org/view.php?id=CVE-2022-2225
By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'. Mediante el uso de los subcomandos de warp-cli (disable-ethernet, disable-wifi), era posible a un usuario no privilegiado de administrador omitir las políticas de seguridad configuradas de Zero Trust (por ejemplo, las políticas de Secure Web Gateway) y funciones como "Lock WARP switch". • https://github.com/cloudflare/advisories/security/advisories/GHSA-cg88-vx48-976c • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2145 – Cloudlfare WARP Arbitrary File Overwrite
https://notcve.org/view.php?id=CVE-2022-2145
Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files. El cliente WARP de Cloudflare para Windows (versiones hasta 2022.5.309.0) permitía la creación de puntos de montaje desde su carpeta ProgramData. Durante la instalación del cliente WARP, era posible escalar privilegios y sobrescribir archivos protegidos por el sistema • https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2147 – Unquoted Service Path in Cloudflare WARP for Windows
https://notcve.org/view.php?id=CVE-2022-2147
Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. The fix was released in version 2022.3.186.0. Cloudflare Warp para Windows a partir de la versión 2022.2.95.0, contenía una ruta de servicio no citada que permite una ejecución de código arbitrario conllevando a una escalada de privilegios. La corrección fue publicada en versión 2022.3.186.0 • https://github.com/cloudflare/advisories/security/advisories/GHSA-m6w8-3pf9-p68r • CWE-428: Unquoted Search Path or Element •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3912 – OctoRPKI crashes when processing GZIP bomb returned via malicious repository
https://notcve.org/view.php?id=CVE-2021-3912
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). OctoRPKI intenta cargar todo el contenido de un repositorio en memoria, y en el caso de una bomba GZIP, descomprimirlo en memoria, haciendo posible crear un repositorio que hace que OctoRPKI se quede sin memoria (y por tanto se bloquee) • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg https://www.debian.org/security/2022/dsa-5041 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3911 – Misconfigured IP address field in ROA leads to OctoRPKI crash
https://notcve.org/view.php?id=CVE-2021-3911
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash. Si el ROA que devuelve un repositorio contiene demasiados bits para la dirección IP, OctoRPKI será bloqueado • https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22 https://www.debian.org/security/2022/dsa-5041 • CWE-20: Improper Input Validation CWE-252: Unchecked Return Value •