CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 1CVE-2021-22947 – curl: Server responses received before STARTTLS processed after TLS handshake
https://notcve.org/view.php?id=CVE-2021-22947
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. Cuando en curl versiones posteriores a 7.20.0 incluyéndola, y versiones anteriores a 7.78.0 incluyéndola, se conecta a un servidor IMAP o POP3 para recuperar datos usando STARTTLS para actualizar a la seguridad TLS, el servidor puede responder y enviar múltiples respuestas a la vez que curl almacena en caché. curl entonces actualizaría a TLS pero no vaciaría la cola de respuestas almacenadas en caché, sino que continuaría usando y confiando en las respuestas que obtuvo *antes* del protocolo de enlace TLS como si estuvieran autenticadas. Usando este fallo, permite a un atacante de tipo Man-In-The-Middle inyectar primero las respuestas falsas, luego pasar mediante el tráfico TLS del servidor legítimo y engañar a curl para que envíe datos de vuelta al usuario pensando que los datos inyectados por el atacante provienen del servidor protegido por TLS A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from either a IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. In such a scenario curl even after upgrading to TLS would trust these cached responses treating them as valid and authenticated and use them. • http://seclists.org/fulldisclosure/2022/Mar/29 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1334763 https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67 • CWE-310: Cryptographic Issues CWE-319: Cleartext Transmission of Sensitive Information CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 6%CPEs: 42EXPL: 0CVE-2021-3711 – SM2 Decryption Buffer Overflow
https://notcve.org/view.php?id=CVE-2021-3711
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. • http://www.openwall.com/lists/oss-security/2021/08/26/2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46 https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E https://security.gentoo.org/glsa/202209-02 https://security.ge • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 7.4EPSS: 0%CPEs: 56EXPL: 0CVE-2021-3712 – Read buffer overruns processing ASN.1 strings
https://notcve.org/view.php?id=CVE-2021-3712
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. • http://www.openwall.com/lists/oss-security/2021/08/26/2 https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12 https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://lists.apache.org/thread.html/r18995de860f0e63635f3008f • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2021-37714 – Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions
https://notcve.org/view.php?id=CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. • https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c https://jsoup.org/news/release-1.14.1 https://jsoup.org/news/release-1.14.2 https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E https://lists.apa • CWE-248: Uncaught Exception CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 3%CPEs: 18EXPL: 1CVE-2021-22931 – nodejs: Improper handling of untypical characters in domain names
https://notcve.org/view.php?id=CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. Node.js versiones anteriores a 16.6.0, 14.17.4 y 12.22.4, es vulnerable a una Ejecución de Código Remota , ataques de tipo XSS, bloqueo de Aplicaciones debido a una falta de comprobación de entrada de los nombres de host devueltos por los Servidores de Nombres de Dominio en la librería dns de Node.js, que puede conllevar a la salida de nombres de host erróneos (conllevando al Secuestro de Dominio) y vulnerabilidades de inyección en aplicaciones que usan la librería. A flaw was found in Node.js. These vulnerabilities include remote code execution, Cross-site scripting (XSS), application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library, which can lead to the output of wrong hostnames (leading to Domain hijacking) and injection vulnerabilities in applications using the library. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1178337 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases https://security.gentoo.org/glsa/202401-02 https://security.netapp.com/advisory/ntap-20210923-0001 https://security.netapp.com/advisory/ntap-20211022-0003 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https:&# • CWE-20: Improper Input Validation CWE-170: Improper Null Termination •