
The best-known CVEs of the last two weeks!



Introduction

As every two weeks, this second article reviews the CVEs that have been published over the last few days.


I) List of CVEs

1) CVE-2022-33175

a) Description

Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the user.token field that is accessible to everyone through the /cgi/get_param.cgi HTTP API. This leads to disclosing active session ids of currently logged-in administrators. The session id can then be reused to act as the administrator, allowing reading of the cleartext password, or reconfiguring the device.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33175

  • https://gynvael.coldwind.pl/?lang=en&id=748

2) CVE-2022-32981

a) Description

An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32981

  • https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id=8e1278444446fc97778a5e5c99bca1ce0bbc5ec9

  • http://www.openwall.com/lists/oss-security/2022/06/14/3

3) CVE-2022-32740

a) Description

A reply to a forwarded email article by a third party could unintentionally expose the email content to the ticket customer under certain circumstances.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32740

  • https://otrs.com/release-notes/otrs-security-advisory-2022-08/

4) CVE-2022-32739

a) Description

When the Secure::DisableBanner system configuration has been disabled and an agent shares their calendar via a public URL, the received ICS file contains the OTRS release number.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32739

  • https://otrs.com/release-notes/otrs-security-advisory-2022-07/

5) CVE-2022-32565

a) Description

An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32565

  • https://docs.couchbase.com/server/current/release-notes/relnotes.html

  • https://forums.couchbase.com/tags/security

  • https://www.couchbase.com/alerts

6) CVE-2022-32563

a) Description

An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate-based authentication with username and password authentication inside the bootstrap configuration.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32563

  • https://forums.couchbase.com/tags/security

7) CVE-2022-32296

a) Description

The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32296

  • https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.9

  • https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5

8) CVE-2022-32291

a) Description

In Real Player through 20.1.0.312, attackers can execute arbitrary code by placing a UNC share pathname (for a DLL file) in a RAM file.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32291

  • https://github.com/Edubr2020/RP_RecordClip_DLL_Hijack

9) CVE-2022-32278

a) Description

XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278

  • https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

10) CVE-2022-32275

a) Description

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32275

  • https://github.com/BrotherOfJhonny/grafana

  • https://github.com/BrotherOfJhonny/grafana/blob/main/README.md

  • https://github.com/grafana/grafana/issues/50336

  • https://grafana.com

11) CVE-2022-32273

a) Description

As a result of an observable discrepancy in returned messages, OPSWAT MetaDefender Core (MDCore) before 5.1.2 could allow an authenticated user to enumerate filenames on the server.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32273

  • https://docs.opswat.com/mdcore/release-notes

  • https://opswat.com

12) CVE-2022-32272

a) Description

OPSWAT MetaDefender Core (MDCore) before 5.1.2 has incorrect access control, resulting in privilege escalation.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32272

  • https://docs.opswat.com/mdcore/release-notes

  • https://opswat.com

13) CVE-2022-32271

a) Description

In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code Execution Vulnerability. This is an internal URL protocol used by Real Player to reference a file that contains a URL. It is possible to inject script code into arbitrary domains. It is also possible to reference arbitrary local files.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32271

  • https://github.com/Edubr2020/RP_DCP_Code_Exec

  • https://youtu.be/AMODp3iTnqY

14) CVE-2022-32270

a) Description

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32270

  • https://github.com/Edubr2020/RP_Import_RCE

  • https://youtu.be/CONlijEgDLc

15) CVE-2022-32269

a) Description

In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages (displayed by Internet Explorer core). This leads to arbitrary code execution.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32269

  • https://github.com/Edubr2020/RealPlayer_G2_RCE

  • https://www.youtube.com/watch?v=9c9Q4VZQOUk

16) CVE-2022-32268

a) Description

StarWind SAN and NAS v0.2 build 1914 allows remote code execution.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32268

  • https://www.starwindsoftware.com/security/sw-20220531-0001/

17) CVE-2022-32265

a) Description

qDecoder before 12.1.0 does not ensure that the percent character is followed by two hex digits for URL decoding.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32265

  • https://github.com/wolkykim/qdecoder/pull/29

  • https://github.com/wolkykim/qdecoder/pull/29/commits/ce7c8a7ac450a823a11b06508ef1eb7441241f81#diff-1c4e2f5adfa1ad30618e78ff459b2c0758ecf34278459ad0a8d58db4fec622ea

  • https://github.com/wolkykim/qdecoder/releases/tag/v12.1.0

18) CVE-2022-32250

a) Description

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32250

  • http://www.openwall.com/lists/oss-security/2022/06/03/1

  • http://www.openwall.com/lists/oss-security/2022/06/04/1

  • https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd

19) CVE-2022-32202

a) Description

In libjpeg 1.63, there is a NULL pointer dereference in LineBuffer::FetchRegion in linebuffer.cpp.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32202

  • https://github.com/thorfdbg/libjpeg/commit/51c3241b6da39df30f016b63f43f31c4011222c7

  • https://github.com/thorfdbg/libjpeg/issues/74

20) CVE-2022-32028

a) Description

Car Rental Management System v1.0 is vulnerable to SQL Injection via /car-rental-management-system/admin/manage_user.php?id=.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32028

  • https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md

21) CVE-2022-31984

a) Description

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/requests/take_action.php?id=.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31984

  • https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-10.md

22) CVE-2022-31971

a) Description

ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=responses/view_response&id=.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-31971

  • https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/chatbot-app-suggestion/SQLi-3.md

23) CVE-2022-31965

a) Description

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/respondent_types/manage_respondent_type.php?id=.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-31965

  • https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/rescue-dispatch-management-system/SQLi-12.md

24) CVE-2022-31830

a) Description

Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-31830

  • https://github.com/fex-team/kityminder/issues/345

25) CVE-2022-31813

a) Description

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813

  • https://httpd.apache.org/security/vulnerabilities_24.html

  • http://www.openwall.com/lists/oss-security/2022/06/08/8

26) CVE-2022-31799

a) Description

Bottle before 0.12.20 mishandles errors during early request binding.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-31799

  • https://github.com/bottlepy/bottle/commit/a2b0ee6bb4ce88895429ec4aca856616244c4c4c

  • https://github.com/bottlepy/bottle/compare/0.12.19...0.12.20

  • https://lists.debian.org/debian-lts-announce/2022/06/msg00010.html

27) CVE-2022-31796

a) Description

libjpeg 1.63 has a heap-based buffer over-read in HierarchicalBitmapRequester::FetchRegion in hierarchicalbitmaprequester.cpp because the MCU size can be different between allocation and use.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31796

  • https://github.com/thorfdbg/libjpeg/commit/187035b9726710b4fe11d565c7808975c930895d

  • https://github.com/thorfdbg/libjpeg/issues/71

28) CVE-2022-31782

a) Description

ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-31782

  • https://gitlab.freedesktop.org/freetype/freetype-demos/-/issues/8

29) CVE-2022-31769

a) Description

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 could allow a remote attacker to view product configuration information stored in PostgreSQL, which could be used in further attacks against the system. IBM X-Force ID: 228219.

b) References

  • https://exchange.xforce.ibmcloud.com/vulnerabilities/228219

  • https://www.ibm.com/support/pages/node/6593721

30) CVE-2022-31763

a) Description

The kernel module has null pointer dereference and out-of-bounds array access vulnerabilities. Successful exploitation of these vulnerabilities may affect system availability.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31763

  • https://consumer.huawei.com/en/support/bulletin/2022/6/

  • https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202206-0000001270350482

31) CVE-2022-32285

a) Description

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitization. This may allow an attacker to disclose confidential data under certain circumstances.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32285

  • https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf

32) CVE-2022-32260

a) Description

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32260

  • https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf

33) CVE-2022-32241

a) Description

When a user opens manipulated Portable Document Format (.pdf, PDFView.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

b) References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-32241

  • https://launchpad.support.sap.com/#/notes/3206271

  • https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

34) CVE-2022-32236

a) Description

When a user opens manipulated Windows Bitmap (.bmp, 2d.x3d) files received from untrusted sources in SAP 3D Visual Enterprise Viewer, the application crashes and becomes temporarily unavailable to the user until the application is restarted.

b) References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32236

  • https://launchpad.support.sap.com/#/notes/3206271

  • https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

35) CVE-2022-32230

a) Description

Microsoft Windows SMBv3 suffers from a null pointer dereference in versions of Windows prior to the April, 2022 patch set. By sending a malformed FileNormalizedNameInformation SMBv3 request over a named pipe, an attacker can cause a Blue Screen of Death (BSOD) crash of the Windows kernel. For most systems, this attack requires authentication, except in the special case of Windows Domain Controllers, where unauthenticated users can always open named pipes as long as they can establish an SMB session. Typically, after the BSOD, the victim SMBv3 server will reboot.