CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 2CVE-2022-37601 – loader-utils (JS package) < 2.0.3 - Prototype Pollution
https://notcve.org/view.php?id=CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. Una vulnerabilidad de contaminación de prototipos en la función parseQuery en el archivo parseQuery.js en webpack loader-utils 2.0.0 por medio de la variable name en parseQuery.js A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution. The package loader-utils before 1.4.1, from 2.0.0 and before 2.0.3 is vulnerable to prototype pollution via the function parseQuery which could make injecting malicious web scripts possible in some cases. • http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf https://dl.acm.org/doi/abs/10.1145/3488932.3497769 https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11 https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47 https://github.com/webpack/loader-utils/issues/212 https://github.com/webpack/loader-utils/issues/212#issu • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20422
https://notcve.org/view.php?id=CVE-2022-20422
In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel En la función emulation_proc_handler del archivo armv8_deprecated.c, se presenta una posible forma de corromper la memoria debido a una condición de carrera. Esto podría conllevar a una escalada local de privilegios sin ser necesarios privilegios de ejecución adicionales. No es requerida una interacción del usuario para su explotación. • https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html https://source.android.com/security/bulletin/2022-10-01 • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-20421
https://notcve.org/view.php?id=CVE-2022-20421
In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel En la función binder_inc_ref_for_node del archivo binder.c, se presenta una posible forma de corromper la memoria debido a un uso de memoria previamente liberada. Esto podría conllevar a una escalada local de privilegios sin ser necesarios privilegios de ejecución adicionales. No es requerida una interacción del usuario para su explotación. • https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html https://source.android.com/security/bulletin/2022-10-01 https://www.debian.org/security/2022/dsa-5257 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-41404
https://notcve.org/view.php?id=CVE-2022-41404
An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. Un problema en el método fetch() de la clase BasicProfile de org.ini4j versiones anteriores a v0.5.4, permite a atacantes causar una denegación de servicio (DoS) por medio de vectores no especificados • https://lists.debian.org/debian-lts-announce/2022/11/msg00037.html https://sourceforge.net/p/ini4j/bugs/56 •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-37616
https://notcve.org/view.php?id=CVE-2022-37616
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted." Se presenta una vulnerabilidad de contaminación de prototipos en la función copy en el archivo dom.js en el paquete xmldom (publicado como @xmldom/xmldom) versiones anteriores a 0.8.3 para Node.js por medio de la variable p. NOTA: el proveedor afirma que "estamos en proceso de marcar este informe como no válido" • http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf https://dl.acm.org/doi/abs/10.1145/3488932.3497769 https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1 https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3 https://github.com/xmldom/xmldom/issues/436 https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826 https://github. • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •