Total: 11506 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31779 | 3 Apache, Debian, Fedoraproject | 3 Traffic Server, Debian Linux, Fedora | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||||
| CVE-2022-31778 | 2 Apache, Debian | 2 Traffic Server, Debian Linux | 2024-11-21 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2. | |||||
| CVE-2022-31772 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| IBM MQ 8.0, 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD, and 9.2 LTS could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. IBM X-Force ID: 228335. | |||||
| CVE-2022-31762 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| The AMS module has a vulnerability in input validation. Successful exploitation of this vulnerability may cause privilege escalation. | |||||
| CVE-2022-31616 | 2 Microsoft, Nvidia | 7 Windows, Cloud Gaming Guest, Geforce and 4 more | 2024-11-21 | N/A | 6.1 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a local user with basic capabilities can cause an out-of-bounds read, which may lead to denial of service, or information disclosure. | |||||
| CVE-2022-31607 | 2 Linux, Nvidia | 6 Linux Kernel, Cloud Gaming Guest, Geforce and 3 more | 2024-11-21 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges, data tampering, and limited information disclosure. | |||||
| CVE-2022-31321 | 1 Boltcms | 1 Bolt | 2024-11-21 | N/A | 9.1 CRITICAL |
| The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform directory enumeration or cause a Denial of Service (DoS) via a crafted input. | |||||
| CVE-2022-31172 | 1 Openzeppelin | 1 Contracts | 2024-11-21 | N/A | 7.5 HIGH |
| OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1. | |||||
| CVE-2022-31170 | 1 Openzeppelin | 1 Contracts | 2024-11-21 | N/A | 7.5 HIGH |
| OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use `ERC165Checker` to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1. | |||||
| CVE-2022-31121 | 1 Hyperledger | 1 Fabric | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue. | |||||
| CVE-2022-31041 | 1 Maykinmedia | 1 Open Forms | 2024-11-21 | 4.0 MEDIUM | 7.6 HIGH |
| Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of open-forms may be able to scan for and block malicious content before it reaches the Open Forms application. | |||||
| CVE-2022-31036 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server. Patches for this vulnerability have been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. If you are using a version >=v2.3.0 and do not have any Helm-type Applications you may disable the Helm config management tool as a workaround. | |||||
| CVE-2022-31020 | 1 Linuxfoundation | 1 Indy-node | 2024-11-21 | N/A | 8.8 HIGH |
| Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded. | |||||
| CVE-2022-31013 | 1 Chat Server Project | 1 Chat Server | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
| Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, but the code does not use `await` to wait for the verification result. As a result, the function responds with success every time, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0. | |||||
| CVE-2022-30756 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 8.5 HIGH |
| Implicit Intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities with privilege of Finder. | |||||
| CVE-2022-30754 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 8.5 HIGH |
| Implicit Intent hijacking vulnerability in AppLinker prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities with privilege of AppLinker. | |||||
| CVE-2022-30744 | 1 Samsung | 1 Kies | 2024-11-21 | 4.4 MEDIUM | 6.2 MEDIUM |
| DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows an attacker to execute arbitrary code. | |||||
| CVE-2022-30726 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 6.2 MEDIUM |
| Unprotected component vulnerability in DeviceSearchTrampoline in SecSettingsIntelligence prior to SMR Jun-2022 Release 1 allows local attackers to launch activities of SecSettingsIntelligence. | |||||
| CVE-2022-30721 | 1 Google | 1 Android | 2024-11-21 | 5.0 MEDIUM | 2.5 LOW |
| Improper input validation check logic vulnerability in libsmkvextractor prior to SMR Jun-2022 Release 1 allows attackers to trigger a crash. | |||||
| CVE-2022-30720 | 1 Google | 1 Android | 2024-11-21 | 5.0 MEDIUM | 2.5 LOW |
| Improper input validation check logic vulnerability in libsmkvextractor prior to SMR Jun-2022 Release 1 allows attackers to trigger a crash. | |||||
