
New most known CVEs!

Updated: Dec 8, 2022

Introduction



I) List of CVEs


1) CVE-2022-24889

a) Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8, 22.2.4, and 23.0.1.

b) References

  • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6prg-gvw6

  • https://github.com/nextcloud/server/pull/30615

  • https://hackerone.com/reports/1403614

2) CVE-2022-29243

a) Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

b) References

  • https://github.com/nextcloud/server/pull/31658

  • https://hackerone.com/reports/1153138

  • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w

3) CVE-2022-30323

a) Description

go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

b) References

  • https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

  • https://discuss.hashicorp.com/

4) CVE-2022-25374

a) Description

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.

b) References

  • https://discuss.hashicorp.com/

  • https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-enterprise-may-capture-sensitive-data-in-logs/

5) CVE-2022-37451

a) Description

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.

b) References

  • https://www.exim.org/static/doc/security/

  • https://github.com/ivd38/exim_invalid_free

  • https://lists.exim.org/lurker/message/20220625.141825.d6de6074.en.html

6) CVE-2022-26979

a) Description

Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.

b) References

  • https://drive.google.com/file/d/1WpwDgVRU-Mb792z6dgDoWMXDRSeB8ZLU/view?usp=sharing

  • https://www.foxit.com/support/security-bulletins.html

7) CVE-2022-35697

a) Description

Adobe Experience Manager Core Components version 2.20.6 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires a low author privilege access.

b) References

  • https://github.com/adobe/aem-core-wcm-components/security/advisories/GHSA-qcgc-6q86-7x2p

8) CVE-2022-34844

a) Description

In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP or BIG-IQ on Amazon Web Services (AWS) systems, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Successful exploitation relies on conditions outside of the attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

b) References

  • https://support.f5.com/csp/article/K34511555

9) CVE-2022-33203

a) Description

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5, when a BIG-IP APM access policy with Service Connect agent is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

b) References

  • https://support.f5.com/csp/article/K52534925

10) CVE-2022-36839

a) Description

SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1 allows attackers to access IAP information.

b) References

  • https://security.samsungmobile.com/serviceWeb.smsb?year==2022&month=08

11) CVE-2022-36446

a) Description

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

b) References

  • https://github.com/webmin/webmin/compare/1.996...1.997

  • https://github.com/webmin/webmin/commit/13f7bf9621a82d93f1e9dbd838d1e22020221bde

  • http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html

12) CVE-2022-1919

a) Description

Use after free in Codecs in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

b) References

  • https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html

  • https://crbug.com/1313709

  • https://security.gentoo.org/glsa/202208-08

13) CVE-2022-32458

a) Description

Digiwin BPM has an XML External Entity Injection (XXE) vulnerability due to insufficient validation of user input. An unauthenticated remote attacker can perform an XML injection attack to access arbitrary system files.

b) References

  • https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html

  • https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb

14) CVE-2022-32457

a) Description

Digiwin BPM has inadequate filtering of a URL parameter. An unauthenticated remote attacker can perform a blind SSRF attack to discover the internal network topology based on the URL error response.

b) References

  • https://www.twcert.org.tw/tw/cp-132-6287-20ef0-1.html

  • https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb

15) CVE-2022-2122

a) Description

DoS / potential heap overwrite in qtdemux using zlib decompression. An integer overflow in the qtdemux_inflate function of the qtdemux element causes a segfault, or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities.

b) References

  • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

  • https://www.debian.org/security/2022/dsa-5204

16) CVE-2022-1925

a) Description

DoS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. An integer overflow in the gst_matroska_decompress_data function of the matroskaparse element causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered there; however, the matroskaparse element has no size checks.

b) References

  • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

  • https://www.debian.org/security/2022/dsa-5204

  • https://lists.debian.org/debian-lts-announce/2022/08/msg00001.html

17) CVE-2022-1921

a) Description

An integer overflow in the gst_avi_demux_invert function of the avidemux element allows a heap overwrite while parsing AVI files, with the potential for arbitrary code execution through the heap overwrite.

b) References

  • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224

  • https://www.debian.org/security/2022/dsa-5204

18) CVE-2022-34663

a) Description

A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions), RUGGEDCOM ROS M2200 (All versions), RUGGEDCOM ROS M969 (All versions), RUGGEDCOM ROS RMC30 (All versions), RUGGEDCOM ROS RMC8388 (All versions < V5.6.0), RUGGEDCOM ROS RP110 (All versions), RUGGEDCOM ROS RS1600 (All versions), RUGGEDCOM ROS RS1600F (All versions), RUGGEDCOM ROS RS1600T (All versions), RUGGEDCOM ROS RS400 (All versions), RUGGEDCOM ROS RS401 (All versions), RUGGEDCOM ROS RS416 (All versions), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS8000 (All versions), RUGGEDCOM ROS RS8000A (All versions), RUGGEDCOM ROS RS8000H (All versions), RUGGEDCOM ROS RS8000T (All versions), RUGGEDCOM ROS RS900 (All versions), RUGGEDCOM ROS RS900 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900G (All versions), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900GP (All versions), RUGGEDCOM ROS RS900L (All versions), RUGGEDCOM ROS RS900W (All versions), RUGGEDCOM ROS RS910 (All versions), RUGGEDCOM ROS RS910L (All versions), RUGGEDCOM ROS RS910W (All versions), RUGGEDCOM ROS RS920L (All versions), RUGGEDCOM ROS RS920W (All versions), RUGGEDCOM ROS RS930L (All versions), RUGGEDCOM ROS RS930W (All versions), RUGGEDCOM ROS RS940G (All versions), RUGGEDCOM ROS RS969 (All versions), RUGGEDCOM ROS RSG2100 (All versions), RUGGEDCOM ROS RSG2100 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (All versions), RUGGEDCOM ROS RSG2200 (All versions), RUGGEDCOM ROS RSG2288 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 (All versions < V5.6.0), RUGGEDCOM ROS RSG907R (All versions < V5.6.0), RUGGEDCOM ROS RSG908C (All versions < V5.6.0), RUGGEDCOM ROS RSG909R (All versions < V5.6.0), RUGGEDCOM ROS RSG910C (All versions < V5.6.0), RUGGEDCOM ROS RSG920P (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < V5.6.0), RUGGEDCOM ROS RST2228 (All versions < V5.6.0), RUGGEDCOM ROS RST2228P (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < V5.6.0), RUGGEDCOM ROS RST916P (All versions < V5.6.0), RUGGEDCOM ROS i800 (All versions), RUGGEDCOM ROS i801 (All versions), RUGGEDCOM ROS i802 (All versions), RUGGEDCOM ROS i803 (All versions). Affected devices are vulnerable to a web-based code injection attack via the console. An attacker could exploit this vulnerability to inject code into the web server and cause malicious behavior in legitimate users accessing certain web resources on the affected device.

b) References

  • https://cert-portal.siemens.com/productcert/pdf/ssa-840800.pdf

19) CVE-2022-2309

a) Description

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in widespread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via the iterwalk function, a crash can be triggered.

b) References

  • https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba

  • https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f

20) CVE-2022-31101

a) Description

prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

b) References

  • https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp

  • https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084

21) CVE-2022-30174

a) Description

Microsoft Office Remote Code Execution Vulnerability.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30174

22) CVE-2022-30168

a) Description

Microsoft Photos App Remote Code Execution Vulnerability.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30168

23) CVE-2022-29801

a) Description

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.

b) References

  • https://cert-portal.siemens.com/productcert/pdf/ssa-789162.pdf

24) CVE-2022-29110

a) Description

Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-29109.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29110

25) CVE-2022-30292

a) Description

Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.

b) References

  • https://github.com/albertodemichelis/squirrel/commit/a6413aa690e0bdfef648c68693349a7b878fe60d

  • https://github.com/sprushed/CVE-2022-30292

  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WBUYGYXDQX3OSAYHP4TCG3JS7PJTIE75/

26) CVE-2022-25622

a) Description

A vulnerability has been identified in SIMATIC CFU DIQ (All versions), SIMATIC CFU PA (All versions), SIMATIC ET200AL IM157-1 PN (All versions), SIMATIC ET200MP IM155-5 PN HF (incl. SIPLUS variants) (All versions >= V4.2), SIMATIC ET200SP IM155-6 MF HF (All versions), SIMATIC ET200SP IM155-6 PN HA (incl. SIPLUS variants) (All versions), SIMATIC ET200SP IM155-6 PN HF (incl. SIPLUS variants) (All versions >= V4.2), SIMATIC ET200SP IM155-6 PN/2 HF (incl. SIPLUS variants) (All versions >= V4.2), SIMATIC ET200SP IM155-6 PN/3 HF (incl. SIPLUS variants) (All versions >= V4.2), SIMATIC ET200ecoPN, CM 8x IO-Link, M12-L (All versions >= V5.1.1), SIMATIC ET200ecoPN, DI 16x24VDC, M12-L (All versions >= V5.1.1), SIMATIC ET200ecoPN, DI 8x24VDC, M12-L (All versions >= V5.1.1), SIMATIC ET200ecoPN, DIQ 16x24VDC/2A, M12-L (All versions >= V5.1.1), SIMATIC ET200ecoPN, DQ 8x24VDC/0,5A, M12-L (All versions >= V5.1.1), SIMATIC ET200ecoPN, DQ 8x24VDC/2A, M12-L (All versions >= V5.1.1), SIMATIC PN/MF Coupler (All versions), SIMATIC PN/PN Coupler (All versions >= 4.2), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.0.0), SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants) (All versions < V6.0.10), SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants) (All versions < V8.2.3), SIMATIC TDC CP51M1 (All versions), SIMATIC TDC CPU555 (All versions), SIMATIC WinAC RTX (All versions), SIMIT Simulation Platform (All versions), SINAMICS DCM (All versions with Ethernet interface), SINAMICS G110M (All versions with Ethernet interface), SINAMICS G115D (All versions with Ethernet interface), SINAMICS G120 (incl. SIPLUS variants) (All versions with Ethernet interface), SINAMICS G130 (All versions), SINAMICS G150 (All versions), SINAMICS S110 (All versions with Ethernet interface), SINAMICS S120 (incl. SIPLUS variants) (All versions), SINAMICS S150 (All versions), SINAMICS S210 (All versions), SINAMICS V90 (All versions with Ethernet interface), SIPLUS HCS4200 CIM4210 (All versions), SIPLUS HCS4200 CIM4210C (All versions), SIPLUS HCS4300 CIM4310 (All versions), SIPLUS NET PN/PN Coupler (All versions >= 4.2). The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, improperly handles internal resources for TCP segments where the minimum TCP-Header length is less than defined. This could allow an attacker to create a denial of service condition for TCP services on affected devices by sending specially crafted TCP segments.

b) References

  • https://cert-portal.siemens.com/productcert/pdf/ssa-446448.pdf

27) CVE-2022-1040

a) Description

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

b) References

  • https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce

  • http://packetstormsecurity.com/files/168046/Sophos-XG115w-Firewall-17.0.10-MR-10-Authentication-Bypass.html

28) CVE-2022-0847

a) Description

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

b) References

  • https://bugzilla.redhat.com/show_bug.cgi?id=2060795

  • http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html

  • http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html

29) CVE-2022-24713

a) Description

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.

b) References

  • https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8

  • https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e

  • https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html

30) CVE-2022-21970

a) Description

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21954.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970

31) CVE-2022-21907

a) Description

HTTP Protocol Stack Remote Code Execution Vulnerability.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907

  • http://packetstormsecurity.com/files/165566/HTTP-Protocol-Stack-Denial-Of-Service-Remote-Code-Execution.html

32) CVE-2022-21906

a) Description

Windows Defender Application Control Security Feature Bypass Vulnerability.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21906

33) CVE-2022-31614

a) Description

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it may double-free some resources. An attacker may exploit this vulnerability with other vulnerabilities to cause denial of service, code execution, and information disclosure.

b) References

  • https://nvidia.custhelp.com/app/answers/detail/a_id/5383

34) CVE-2022-35788

a) Description

Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-35774, CVE-2022-35775, CVE-2022-35780, CVE-2022-35781, CVE-2022-35782, CVE-2022-35783, CVE-2022-35784, CVE-2022-35785, CVE-2022-35786, CVE-2022-35787, CVE-2022-35789, CVE-2022-35790, CVE-2022-35791, CVE-2022-35799, CVE-2022-35800, CVE-2022-35801, CVE-2022-35802, CVE-2022-35807, CVE-2022-35808, CVE-2022-35809, CVE-2022-35810, CVE-2022-35811, CVE-2022-35812, CVE-2022-35813, CVE-2022-35814, CVE-2022-35815, CVE-2022-35816, CVE-2022-35817, CVE-2022-35818, CVE-2022-35819.

b) References

  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35788

35) CVE-2022-24010

a) Description

A buffer overflow vulnerability exists in the GetValue functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted configuration value can lead to a buffer overflow. An attacker can modify a configuration value to trigger this vulnerability. This vulnerability represents all occurrences of the buffer overflow vulnerability within the cwmpd binary.

b) References

  • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1463

36) CVE-2022-24007

a) Description

A buffer overflow vulnerability exists in the GetValue functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted configuration value can lead to a buffer overflow. An attacker can modify a configuration value to trigger this vulnerability. This vulnerability represents all occurrences of the buffer overflow vulnerability within the cfm binary.

b) References

  • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1463

Conclusion


Every day, new vulnerabilities are discovered and published on the Internet. Malicious actors quickly weaponize them, putting the security of your systems at risk. Companies must implement countermeasures as soon as possible, and then deploy definitive patches.


About us


Headquarters: 9 rue des colonnes 75002 Paris

Phone: +33134908672

Email: contact@bluepinksecurity.com
