
CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

• https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b
• https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
• https://security.gentoo.org/glsa/202401-11
• https://access.redhat.com/security/cve/CVE-2022-38648
• https://bugzilla.redhat.com/show_bug.cgi?id=2155295

• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar URL. This issue affects Apache XML Graphics Batik 1.14.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache Batik. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the DefaultScriptSecurity class.

• https://github.com/soulfoodisgood/CVE-2022-40146
• https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx
• https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
• https://security.gentoo.org/glsa/202401-11
• https://access.redhat.com/security/cve/CVE-2022-40146
• https://bugzilla.redhat.com/show_bug.cgi?id=2155291

• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 11 | EXPL: 0

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

• http://www.openwall.com/lists/oss-security/2022/09/27/1
• https://cloud.google.com/support/bulletins#GCP-2022-019
• https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
• https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP

• CWE-1286: Improper Validation of Syntactic Correctness of Input

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache Batik. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the DefaultExternalResourceSecurity class.

• https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx
• https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
• https://security.gentoo.org/glsa/202401-11
• https://access.redhat.com/security/cve/CVE-2022-38398
• https://bugzilla.redhat.com/show_bug.cgi?id=2155292

• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 1

Use After Free in GitHub repository vim/vim prior to 9.0.0530.

• https://github.com/vim/vim/commit/8ecfa2c56b4992c7f067b92488aa9acea5a454ad
• https://huntr.dev/bounties/8336a3df-212a-4f8d-ae34-76ef1f936bb3
• https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/messa

• CWE-416: Use After Free