Total: 201818 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3692 | 1 Yiiframework | 1 Yii | 2022-04-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | |||||
| CVE-2021-36276 | 1 Dell | 1 Dbutildrv2.sys Firmware | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. | |||||
| CVE-2022-26830 | 1 Microsoft | 2 Windows 11, Windows Server 2022 | 2022-04-25 | 5.1 MEDIUM | 7.5 HIGH |
| DiskUsage.exe Remote Code Execution Vulnerability. | |||||
| CVE-2021-37215 | 1 Larvata | 1 Flygo | 2022-04-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, a remote attacker can manipulate the user data and then overwrite another employee’s user data by specifying that employee’s ID in the API parameter. | |||||
| CVE-2021-37214 | 1 Larvata | 1 Flygo | 2022-04-25 | 6.5 MEDIUM | 8.8 HIGH |
| The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrarily access an employee's data, modify it, and then obtain administrator privilege and execute arbitrary commands. | |||||
| CVE-2021-37213 | 1 Larvata | 1 Flygo | 2022-04-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The check-in record page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID and date in specific parameters to access a particular employee’s check-in record. | |||||
| CVE-2021-37212 | 1 Larvata | 1 Flygo | 2022-04-25 | 5.5 MEDIUM | 5.4 MEDIUM |
| The bulletin function of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the bulletin ID in specific URL parameters to access and modify particular bulletin content. | |||||
| CVE-2021-29970 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2022-04-25 | 5.1 MEDIUM | 8.8 HIGH |
| A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.* This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. | |||||
| CVE-2021-32706 | 1 Pi-hole | 1 Pi-hole | 2022-04-25 | 6.5 MEDIUM | 8.8 HIGH |
| Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1. | |||||
| CVE-2021-25219 | 6 Debian, Fedoraproject, Isc and 3 more | 23 Debian Linux, Fedora, Bind and 20 more | 2022-04-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. | |||||
| CVE-2021-36155 | 1 Linuxfoundation | 1 Grpc Swift | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| LengthPrefixedMessageReader in gRPC Swift 1.1.0 and earlier allocates buffers of arbitrary length, which allows remote attackers to cause uncontrolled resource consumption and deny service. | |||||
| CVE-2021-27483 | 1 Zoll | 1 Defibrillator Dashboard | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| ZOLL Defibrillator Dashboard, versions prior to 2.2: the affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user. | |||||
| CVE-2021-39135 | 3 Npmjs, Oracle, Siemens | 4 Arborist, Npm, Graalvm and 1 more | 2022-04-25 | 4.4 MEDIUM | 7.8 HIGH |
| `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2. | |||||
| CVE-2021-30468 | 2 Apache, Oracle | 5 Cxf, Tomee, Business Intelligence and 2 more | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11. | |||||
| CVE-2021-3565 | 3 Fedoraproject, Redhat, Tpm2-tools Project | 3 Fedora, Enterprise Linux, Tpm2-tools | 2022-04-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-3424 | 1 Redhat | 1 Single Sign-on | 2022-04-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick an admin into granting him extra privileges. | |||||
| CVE-2019-25058 | 3 Debian, Fedoraproject, Usbguard Project | 3 Debian Linux, Fedora, Usbguard | 2022-04-25 | 4.4 MEDIUM | 7.8 HIGH |
| An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future. | |||||
| CVE-2021-43953 | 1 Atlassian | 2 Data Center, Jira | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | |||||
| CVE-2022-26828 | 1 Microsoft | 4 Windows 10, Windows Server 2016, Windows Server 2019 and 1 more | 2022-04-25 | 4.4 MEDIUM | 7.0 HIGH |
| Windows Bluetooth Driver Elevation of Privilege Vulnerability. | |||||
| CVE-2022-26496 | 3 Debian, Fedoraproject, Network Block Device Project | 3 Debian Linux, Fedora, Network Block Device | 2022-04-25 | 7.5 HIGH | 9.8 CRITICAL |
| In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with a large value as the length of the name. | |||||
| CVE-2022-26495 | 3 Debian, Fedoraproject, Network Block Device Project | 3 Debian Linux, Fedora, Network Block Device | 2022-04-25 | 7.5 HIGH | 9.8 CRITICAL |
| In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages. | |||||
| CVE-2022-26827 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 6.9 MEDIUM | 7.0 HIGH |
| Windows File Server Resource Management Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26810. | |||||
| CVE-2022-23648 | 3 Debian, Fedoraproject, Linuxfoundation | 3 Debian Linux, Fedora, Containerd | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. | |||||
| CVE-2011-1762 | 1 Wordpress | 1 Wordpress | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. | |||||
| CVE-2021-37709 | 1 Shopware | 1 Shopware | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | |||||
| CVE-2021-37639 | 1 Google | 1 Tensorflow | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| TensorFlow is an end-to-end open source platform for machine learning. When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer. Alternatively, attackers can read memory outside the bounds of heap allocated data by providing some tensor names but not enough for a successful restoration. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159) retrieves the tensor list corresponding to the `tensor_name` user controlled input and immediately retrieves the tensor at the restoration index (controlled via `preferred_shard` argument). This occurs without validating that the provided list has enough values. If the list is empty this results in dereferencing a null pointer (undefined behavior). If, however, the list has some elements, if the restoration index is outside the bounds this results in heap OOB read. We have patched the issue in GitHub commit 9e82dce6e6bd1f36a57e08fa85af213e2b2f2622. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range. | |||||
| CVE-2021-32804 | 3 Oracle, Siemens, Tar Project | 3 Graalvm, Sinec Infrastructure Network Services, Tar | 2022-04-25 | 5.8 MEDIUM | 8.1 HIGH |
| The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar. | |||||
| CVE-2021-27039 | 1 Autodesk | 2 Autocad, Design Review | 2022-04-25 | 6.8 MEDIUM | 7.8 HIGH |
| A maliciously crafted TIFF and PCX file can be forced to read and write beyond allocated boundaries when parsing the TIFF and PCX file for based overflow. This vulnerability can be exploited to execute arbitrary code. | |||||
| CVE-2022-1380 | 1 Snipeitapp | 1 Snipe-it | 2022-04-25 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie. | |||||
| CVE-2021-29988 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2022-04-25 | 6.8 MEDIUM | 8.8 HIGH |
| Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. | |||||
| CVE-2021-3633 | 1 Lenovo | 1 Drivers Management | 2022-04-25 | 6.9 MEDIUM | 7.8 HIGH |
| A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation. | |||||
| CVE-2021-3615 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2022-04-25 | 4.6 MEDIUM | 6.8 MEDIUM |
| A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card. This vulnerability is the same as CNVD-2021-45262. | |||||
| CVE-2022-29287 | 1 Kentico | 1 Kentico | 2022-04-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password). | |||||
| CVE-2022-29020 | 1 Forestblog Project | 1 Forestblog | 2022-04-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar. | |||||
| CVE-2021-32763 | 1 Openproject | 1 Openproject | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| OpenProject is open-source, web-based project management software. In versions prior to 11.3.3, the `MessagesController` class of OpenProject has a `quote` method that implements the logic behind the Quote button in the discussion forums, and it uses a regex to strip `<pre>` tags from the message being quoted. The `(.|\s)` part can match a space character in two ways, so an unterminated `<pre>` tag containing `n` spaces causes Ruby's regex engine to backtrack to try 2<sup>n</sup> states in the NFA. This will result in a Regular Expression Denial of Service. The issue is fixed in OpenProject 11.3.3. As a workaround, one may install the patch manually. | |||||
| CVE-2022-1365 | 1 Cross-fetch Project | 1 Cross-fetch | 2022-04-25 | 5.8 MEDIUM | 6.1 MEDIUM |
| Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5. | |||||
| CVE-2022-29072 | 2 7-zip, Microsoft | 2 7-zip, Windows | 2022-04-25 | 7.2 HIGH | 7.8 HIGH |
| ** DISPUTED ** 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur. | |||||
| CVE-2022-24279 | 1 Springtree | 1 Madlib-object-utils | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| The package madlib-object-utils before 0.1.8 is vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676) | |||||
| CVE-2022-28113 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2022-04-25 | 9.0 HIGH | 7.2 HIGH |
| An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie. | |||||
| CVE-2022-27048 | 1 Moxa | 40 Mgate Mb3170, Mgate Mb3170-m-sc, Mgate Mb3170-m-sc-t and 37 more | 2022-04-25 | 5.8 MEDIUM | 7.4 HIGH |
| A vulnerability has been discovered in Moxa MGate which allows an attacker to perform a man-in-the-middle (MITM) attack on the device. This affects MGate MB3170 Series Firmware Version 4.2 or lower, MGate MB3270 Series Firmware Version 4.2 or lower, MGate MB3280 Series Firmware Version 4.1 or lower, and MGate MB3480 Series Firmware Version 3.2 or lower. | |||||
| CVE-2022-20693 | 1 Cisco | 1 Ios Xe | 2022-04-25 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges. | |||||
| CVE-2021-37713 | 4 Microsoft, Npmjs, Oracle and 1 more | 4 Windows, Tar, Graalvm and 1 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves. | |||||
| CVE-2021-37712 | 5 Debian, Microsoft, Npmjs and 2 more | 5 Debian Linux, Windows, Tar and 2 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. | |||||
| CVE-2022-26810 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Windows File Server Resource Management Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26827. | |||||
| CVE-2022-26924 | 1 Microsoft | 1 Yet Another Reverse Proxy | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| YARP Denial of Service Vulnerability. | |||||
| CVE-2022-26921 | 1 Microsoft | 1 Visual Studio Code | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Visual Studio Code Elevation of Privilege Vulnerability. | |||||
| CVE-2022-26920 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2022-04-25 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Graphics Component Information Disclosure Vulnerability. | |||||
| CVE-2021-37701 | 4 Debian, Npmjs, Oracle and 1 more | 4 Debian Linux, Tar, Graalvm and 1 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc. | |||||
| CVE-2022-26919 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 9.3 HIGH | 8.1 HIGH |
| Windows LDAP Remote Code Execution Vulnerability. | |||||
| CVE-2022-26918 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 5.1 MEDIUM | 7.8 HIGH |
| Windows Fax Compose Form Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26916, CVE-2022-26917. | |||||
