β APIC/EPIC! Intel chips leak secrets even the kernel shouldnβt seeβ¦ β
π Read
via "Naked Security".
If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!π Read
via "Naked Security".
Naked Security
APIC/EPIC! Intel chips leak secrets even the kernel shouldnβt seeβ¦
If youβve ever written code that left stuff lying around in memory when you didnβt need it any moreβ¦ we bet youβve regretted it!
βΌ CVE-2022-38133 βΌ
π Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some casesπ Read
via "National Vulnerability Database".
βΌ CVE-2022-33926 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains an improper access control vulnerability. A remote malicious user could exploit this vulnerability in order to retain access to a file repository after it has been revoked.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20866 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29090 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains a Sensitive Data Exposure vulnerability. A low privileged malicious user could potentially exploit this vulnerability in order to obtain credentials. The attacker may be able to use the exposed credentials to access the target device and perform unauthorized actions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34365 βΌ
π Read
via "National Vulnerability Database".
WMS 3.7 contains a Path Traversal Vulnerability in Device API. An attacker could potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33930 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains Information Disclosure in Devices error pages. An attacker could potentially exploit this vulnerability, leading to the disclosure of certain sensitive information. The attacker may be able to use the exposed information to access and further vulnerability research.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33925 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains an Improper Access control vulnerability in UI. An remote authenticated attacker could potentially exploit this vulnerability by bypassing access controls in order to download reports containing sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33924 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains an Improper Access control vulnerability with which an attacker with no access to create rules could potentially exploit this vulnerability and create rules.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0028 βΌ
π Read
via "National Vulnerability Database".
A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target. To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a source zone that has an external facing interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator. If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack. We have taken prompt action to address this issue in our PAN-OS software. All software updates for this issue are expected to be released no later than the week of August 15, 2022. This issue does not impact Panorama M-Series or Panorama virtual appliances. This issue has been resolved for all Cloud NGFW and Prisma Access customers and no additional action is required from them.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33931 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains an Improper Access control vulnerability in UI. An attacker with no access to Alert Classification page could potentially exploit this vulnerability, leading to the change the alert categories.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35715 βΌ
π Read
via "National Vulnerability Database".
IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system. IBM X-Force ID: 231202.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33928 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains an Plain-text Password Storage Vulnerability in UI. An attacker with low privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2756 βΌ
π Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33929 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross-Site Scripting Vulnerability in EndUserSummary page. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33927 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22411 βΌ
π Read
via "National Vulnerability Database".
IBM Spectrum Scale Data Access Services (DAS) 5.1.3.1 could allow an authenticated user to insert code which could allow the attacker to manipulate cluster resources due to excessive permissions. IBM X-Force ID: 223016.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35280 βΌ
π Read
via "National Vulnerability Database".
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20713 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks. This vulnerability is due to improper validation of input that is passed to the Clientless SSL VPN component. An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled. A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22490 βΌ
π Read
via "National Vulnerability Database".
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to obtain sensitive Azure bot credential information. IBM X-Force ID: 226342.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22369 βΌ
π Read
via "National Vulnerability Database".
IBM Workload Scheduler 9.4 and 9.5 could allow a local user to overwrite key system files which would cause the system to crash. IBM X-Force ID: 221187.π Read
via "National Vulnerability Database".