Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28131 | 3 Fedoraproject, Golang, Netapp | 3 Fedora, Go, Cloud Insights Telegraf | 2024-11-21 | N/A | 7.5 HIGH |
| Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. | |||||
| CVE-2022-27943 | 2 Fedoraproject, Gnu | 2 Fedora, Gcc | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. | |||||
| CVE-2022-27810 | 1 Facebook | 1 Hermes | 2024-11-21 | N/A | 7.5 HIGH |
| It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0. | |||||
| CVE-2022-25313 | 5 Debian, Fedoraproject, Libexpat Project and 2 more | 6 Debian Linux, Fedora, Libexpat and 3 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | |||||
| CVE-2022-24921 | 3 Debian, Golang, Netapp | 3 Debian Linux, Go, Astra Trident | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | |||||
| CVE-2022-24675 | 3 Fedoraproject, Golang, Netapp | 3 Fedora, Go, Kubernetes Monitoring Operator | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. | |||||
| CVE-2022-23974 | 1 Apache | 1 Pinot | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0 | |||||
| CVE-2022-23889 | 1 Yzmcms | 1 Yzmcms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments. | |||||
| CVE-2022-23606 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | 4.0 MEDIUM | 4.4 MEDIUM |
| Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade. | |||||
| CVE-2022-23591 | 1 Google | 1 Tensorflow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when loading a `SavedModel`. This would result in a stack overflow during execution as resolving each `NodeDef` means resolving the function itself and its nodes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. | |||||
| CVE-2022-23516 | 1 Loofah Project | 1 Loofah | 2024-11-21 | N/A | 7.5 HIGH |
| Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. | |||||
| CVE-2022-23500 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 5.9 MEDIUM |
| TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in CVE-2021-21359. This issue is patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1. | |||||
| CVE-2022-23460 | 1 Json\+\+ Project | 1 Json\+\+ | 2024-11-21 | N/A | 5.9 MEDIUM |
| Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement. | |||||
| CVE-2022-21708 | 1 Graphql-go Project | 1 Graphql-go | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users. The issue has been patched in version `v1.3.0`. The only known workaround for this issue is to disable the `graphql.MaxDepth` option from your schema which is not recommended. | |||||
| CVE-2022-20382 | 1 Google | 1 Android | 2024-11-21 | N/A | 6.7 MEDIUM |
| In (TBD) of (TBD), there is a possible out of bounds write due to kernel stack overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-214245176References: Upstream kernel | |||||
| CVE-2022-1962 | 1 Golang | 1 Go | 2024-11-21 | N/A | 5.5 MEDIUM |
| Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | |||||
| CVE-2022-1771 | 1 Vim | 1 Vim | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. | |||||
| CVE-2021-46509 | 1 Cesanta | 1 Mjs | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snquote at mjs/src/mjs_json.c. | |||||
| CVE-2021-46507 | 1 Jsish | 1 Jsish | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Jsish v3.5.0 was discovered to contain a stack overflow via Jsi_LogMsg at src/jsiUtils.c. | |||||
| CVE-2021-46505 | 1 Jsish | 1 Jsish | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Jsish v3.5.0 was discovered to contain a stack overflow via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b1e5. | |||||