CVE-2022-41906 – OpenSearch Notifications is vulnerable to Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2022-41906
OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via channels such as Email, Slack, Amazon Chime, and custom webhooks. A potential SSRF issue in the OpenSearch Notifications plugin, starting in 2.0.0 and prior to 2.2.1, could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests that exceed the Notifications plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. • https://github.com/opensearch-project/notifications/pull/496 https://github.com/opensearch-project/notifications/pull/507 https://github.com/opensearch-project/notifications/security/advisories/GHSA-pfc4-3436-jgrw • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-41828
https://notcve.org/view.php?id=CVE-2022-41828
In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name. • https://github.com/murataydemir/CVE-2022-41828 https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5 https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-jc69-hjw2-fm86 • CWE-704: Incorrect Type Conversion or Cast •
CVE-2022-39230 – Security issue in fhir-works-on-aws-authz-smart
https://notcve.org/view.php?id=CVE-2022-39230
fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. • https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-35980 – OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2022-35980
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with the advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customers have acted to restrict access to that specific information. • https://github.com/opensearch-project/security/commit/7eaaafec2939d7db23a02ffca9cc68e0343de246 https://github.com/opensearch-project/security/pull/1999 https://github.com/opensearch-project/security/security/advisories/GHSA-f4qr-f4xx-hjxw • CWE-612: Improper Authorization of Index Containing Sensitive Information •
CVE-2022-34266
https://notcve.org/view.php?id=CVE-2022-34266
The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource. • https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html https://bugs.gentoo.org/859433 • CWE-908: Use of Uninitialized Resource •