Security Vulnerabilities - CVEs Published In March 2022
There is an out-of-bounds read vulnerability in the IFAA module. Successful exploitation of this vulnerability may cause stack overflow.
CVSS Score
9.8
EPSS Score
0.002
Published
2022-03-10
There is a vulnerability of memory not being released after effective lifetime in the Bastet module. Successful exploitation of this vulnerability may affect integrity.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-03-10
A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.
CVSS Score
3.3
EPSS Score
0.0
Published
2022-03-10
A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.
CVSS Score
7.1
EPSS Score
0.0
Published
2022-03-10
A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.
CVSS Score
5.5
EPSS Score
0.0
Published
2022-03-10
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVSS Score
6.5
EPSS Score
0.006
Published
2022-03-10
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
CVSS Score
7.5
EPSS Score
0.001
Published
2022-03-10
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-03-10
Ming 0.4.8 has an out-of-bounds read vulnerability in the function newVar_N() in decompile.c which causes a huge information leak.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-03-10
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
CVSS Score
5.3
EPSS Score
0.007
Published
2022-03-10