Total
310 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41963 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | N/A | 2.7 LOW |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1 | |||||
| CVE-2022-36102 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 6.3 MEDIUM |
| Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue. | |||||
| CVE-2022-36062 | 1 Grafana | 1 Grafana | 2024-11-21 | N/A | 7.6 HIGH |
| Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. | |||||
| CVE-2022-32969 | 1 Metamask | 1 Metamask | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue. | |||||
| CVE-2022-31755 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The communication module has a vulnerability of improper permission preservation. Successful exploitation of this vulnerability may affect system availability. | |||||
| CVE-2022-31608 | 1 Nvidia | 4 Geforce, Gpu Display Driver, Rtx and 1 more | 2024-11-21 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2022-31262 | 1 Gog | 1 Galaxy | 2024-11-21 | N/A | 7.8 HIGH |
| An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM. | |||||
| CVE-2022-31237 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | N/A | 3.3 LOW |
| Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure. | |||||
| CVE-2022-31096 | 1 Discourse | 1 Discourse | 2024-11-21 | 2.1 LOW | 5.7 MEDIUM |
| Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Once a user has been incorrectly added to a restricted group, the user may then be able to view content which that are restricted to the respective group. Users are advised to upgrade to the current stable releases. There are no known workarounds to this issue. | |||||
| CVE-2022-2787 | 1 Debian | 2 Debian Linux, Schroot | 2024-11-21 | N/A | 4.3 MEDIUM |
| Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session. | |||||
| CVE-2022-29594 | 2 Eginnovations, Microsoft | 5 Eg Agent, Eg Manager, Eg Rum Collectors and 2 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| eG Agent before 7.2 has weak file permissions that enable escalation of privileges to SYSTEM. | |||||
| CVE-2022-24618 | 1 Heimdalsecurity | 1 Heimdal Premium Security | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Heimdal.Wizard.exe installer in Heimdal Premium Security 2.5.395 and earlier has insecure permissions, which allows unprivileged local users to elevate privileges to SYSTEM via the "Browse For Folder" window accessible by triggering a "Repair" on the MSI package located in C:\Windows\Installer. | |||||
| CVE-2022-24428 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, and 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure. | |||||
| CVE-2022-22650 | 1 Apple | 2 Mac Os X, Macos | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application's permissions and access user data. | |||||
| CVE-2022-22472 | 2 Ibm, Linux | 2 Spectrum Protect Plus Container Backup And Restore, Linux Kernel | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. By retrieving the logs of a container an attacker could exploit this vulnerability to bypass login security of the IBM Spectrum Protect Plus server and gain unauthorized access based on the permissions of the IBM Spectrum Protect Plus user to the vulnerable Spectrum Protect Plus server software. IBM X-Force ID: 225340. | |||||
| CVE-2022-1227 | 4 Fedoraproject, Podman Project, Psgo Project and 1 more | 16 Fedora, Podman, Psgo and 13 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service. | |||||
| CVE-2022-0330 | 4 Fedoraproject, Linux, Netapp and 1 more | 46 Fedora, Linux Kernel, H300e and 43 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. | |||||
| CVE-2021-45446 | 1 Hitachi | 1 Vantara Pentaho | 2024-11-21 | N/A | 5.0 MEDIUM |
| A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory. | |||||
| CVE-2021-45008 | 1 Plesk | 1 Plesk | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights. OTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users | |||||
| CVE-2021-43816 | 2 Fedoraproject, Linuxfoundation | 2 Fedora, Containerd | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. | |||||