Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15223 | 1 Ory | 1 Fosite | 2022-10-21 | 4.0 MEDIUM | 8.0 HIGH |
| In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0 | |||||
| CVE-2022-31684 | 1 Pivotal | 1 Reactor Netty | 2022-10-21 | N/A | 4.3 MEDIUM |
| Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled. | |||||
| CVE-2022-22227 | 1 Juniper | 4 Acx7100-32c, Acx7100-48l, Acx7509 and 1 more | 2022-10-21 | N/A | 5.3 MEDIUM |
| An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX7000 Series allows an unauthenticated network-based attacker to cause a partial Denial of Service (DoS). On receipt of specific IPv6 transit traffic, Junos OS Evolved on ACX7100-48L, ACX7100-32C and ACX7509 sends this traffic to the Routing Engine (RE) instead of forwarding it, leading to increased CPU utilization of the RE and a partial DoS. This issue only affects systems configured with IPv6. This issue does not affect ACX7024 which is supported from 22.3R1-EVO onwards where the fix has already been incorporated as indicated in the solution section. This issue affects Juniper Networks Junos OS Evolved on ACX7100-48L, ACX7100-32C, ACX7509: 21.1-EVO versions prior to 21.1R3-S2-EVO; 21.2-EVO versions prior to 21.2R3-S2-EVO; 21.3-EVO versions prior to 21.3R3-EVO; 21.4-EVO versions prior to 21.4R1-S1-EVO, 21.4R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 21.1R1-EVO. | |||||
| CVE-2020-15117 | 2 Fedoraproject, Symless | 2 Fedora, Synergy | 2022-10-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Synergy before version 1.12.0, a Synergy server can be crashed by receiving a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295) if the servers memory is less than 4 GB. It was verified that this issue does not cause a crash through the exception handler if the available memory of the Server is more than 4GB. | |||||
| CVE-2020-15087 | 1 Prestosql | 1 Presto | 2022-10-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers. | |||||
| CVE-2022-22226 | 1 Juniper | 35 Ex4300, Ex4300-24p, Ex4300-24p-s and 32 more | 2022-10-21 | N/A | 6.5 MEDIUM |
| In VxLAN scenarios on EX4300-MP, EX4600, QFX5000 Series devices an Uncontrolled Memory Allocation vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated adjacently located attacker sending specific packets to cause a Denial of Service (DoS) condition by crashing one or more PFE's when they are received and processed by the device. Upon automatic restart of the PFE, continued processing of these packets will cause the memory leak to reappear. Depending on the volume of packets received the attacker may be able to create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS on EX4300-MP, EX4600, QFX5000 Series: 17.1 version 17.1R1 and later versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S7, 19.2R3-S1; 19.3 versions prior to 19.3R2-S6, 19.3R3-S1; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R2. This issue does not affect Junos OS versions prior to 17.1R1. | |||||
| CVE-2020-15084 | 1 Auth0 | 1 Express-jwt | 2022-10-21 | 4.3 MEDIUM | 9.1 CRITICAL |
| In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0. | |||||
| CVE-2022-41708 | 1 Relatedcode | 1 Messenger | 2022-10-21 | N/A | 4.3 MEDIUM |
| Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly. | |||||
| CVE-2022-22225 | 1 Juniper | 2 Junos, Junos Os Evolved | 2022-10-21 | N/A | 5.9 MEDIUM |
| A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker with an established BGP session to cause a Denial of Service (DoS). In a BGP multipath scenario, when one of the contributing routes is flapping often and rapidly, rpd may crash. As this crash depends on whether a route is a contributing route, and on the internal timing of the events triggered by the flap this vulnerability is outside the direct control of a potential attacker. This issue affects: Juniper Networks Junos OS 19.2 versions prior to 19.2R3-S6; 20.2 versions prior to 20.2R3-S4; 20.3 versions prior to 20.3R3-S3; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2; 21.3 versions prior to 21.3R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R3-S4-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO versions prior to 21.2R2-EVO; 21.3-EVO versions prior to 21.3R2-EVO. This issue does not affect: Juniper Networks Junos OS versions 19.2 versions prior to 19.2R2, 19.3R1 and above prior to 20.2R1. Juniper Networks Junos OS Evolved versions prior to 20.2R1-EVO. | |||||
| CVE-2020-10744 | 1 Redhat | 2 Ansible, Ansible Tower | 2022-10-21 | 3.7 LOW | 5.0 MEDIUM |
| An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected. | |||||
| CVE-2020-10716 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman Ansible | 2022-10-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4. | |||||
| CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2022-10-21 | 3.6 LOW | 7.1 HIGH |
| A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6. | |||||
| CVE-2020-15279 | 1 Bitdefender | 1 Endpoint Security Tools | 2022-10-21 | 2.1 LOW | 3.3 LOW |
| An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research. | |||||
| CVE-2022-22228 | 1 Juniper | 1 Junos | 2022-10-21 | N/A | 7.5 HIGH |
| An Improper Validation of Specified Type of Input vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS allows an attacker to cause an RPD memory leak leading to a Denial of Service (DoS). This memory leak only occurs when the attacker's packets are destined to any configured IPv6 address on the device. This issue affects: Juniper Networks Junos OS 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 21.1R1. | |||||
| CVE-2021-41290 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2022-10-21 | 10.0 HIGH | 9.8 CRITICAL |
| ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device. | |||||
| CVE-2022-43407 | 1 Jenkins | 1 Input Step | 2022-10-21 | N/A | 8.8 HIGH |
| Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with. | |||||
| CVE-2022-2210 | 2 Fedoraproject, Vim | 2 Fedora, Vim | 2022-10-21 | 6.8 MEDIUM | 7.8 HIGH |
| Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. | |||||
| CVE-2022-34798 | 1 Jenkins | 1 Deployment Dashboard | 2022-10-21 | 3.5 LOW | 4.3 MEDIUM |
| Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. | |||||
| CVE-2017-20043 | 1 Vendavo | 1 Pricepoint | 2022-10-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Navetti PricePoint 4.6.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting (Persistent). The attack may be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20042 | 1 Vendavo | 1 Pricepoint | 2022-10-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been found in Navetti PricePoint 4.6.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection (Blind). The attack can be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component. | |||||