‼ CVE-2021-28544 ‼
Apache Subversion SVN authz protected copyfrom paths regression. Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
via "National Vulnerability Database".
‼ CVE-2022-23161 ‼
Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker could potentially exploit this vulnerability, leading to denial-of-service. (of course this is temporary and will need to be adapted/reviewed as we determine the CWE with Srisimha Tummala's help)
via "National Vulnerability Database".
‼ CVE-2022-0915 ‼
There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of this vulnerability may escalate the permission to the system user.
via "National Vulnerability Database".
‼ CVE-2022-22565 ‼
Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information. An authenticated and privileged user could potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.
via "National Vulnerability Database".
‼ CVE-2022-24842 ‼
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this, in turn, denies the user the ability to create their own service accounts as well.
via "National Vulnerability Database".
‼ CVE-2022-22561 ‼
Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.
via "National Vulnerability Database".
‼ CVE-2022-24413 ‼
Dell PowerScale OneFS, versions 8.2.2-9.3.x, contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem could potentially exploit this vulnerability, leading to data loss.
via "National Vulnerability Database".
‼ CVE-2022-22562 ‼
Dell PowerScale OneFS, versions 8.2.0-9.3.0, contain an improper handling of missing values exploit. An unauthenticated network attacker could potentially exploit this denial-of-service vulnerability.
via "National Vulnerability Database".
❌ Microsoft Zero-Days, Wormable Bugs Spark Concern ❌
For April Patch Tuesday, the computing giant addressed a zero-day under active attack and several critical security vulnerabilities, including three that allow self-propagating exploits.
via "Threat Post".
🕴 How Do I Conduct a Resilience Review? 🕴
As the first step, make sure that all business-critical data across your organization is protected.
via "Dark Reading".
‼ CVE-2022-27416 ‼
Tcpreplay v4.4.1 was discovered to contain a double-free via __interceptor_free.
via "National Vulnerability Database".
‼ CVE-2022-27387 ‼
MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.
via "National Vulnerability Database".
‼ CVE-2022-27418 ‼
Tcpreplay v4.4.1 has a heap-based buffer overflow in do_checksum_math at /tcpedit/checksum.c.
via "National Vulnerability Database".
‼ CVE-2022-27381 ‼
An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
via "National Vulnerability Database".
‼ CVE-2022-27380 ‼
An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
via "National Vulnerability Database".
‼ CVE-2022-27378 ‼
An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
via "National Vulnerability Database".
‼ CVE-2022-27376 ‼
MariaDB Server v10.6.5 and below was discovered to contain a use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.
via "National Vulnerability Database".
‼ CVE-2022-29047 ‼
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
via "National Vulnerability Database".
‼ CVE-2022-29038 ‼
Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
via "National Vulnerability Database".
‼ CVE-2022-29052 ‼
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
via "National Vulnerability Database".
‼ CVE-2022-29051 ‼
Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.
via "National Vulnerability Database".