Security Vulnerabilities - CVEs Published In March 2022
tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2022-03-26
tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-03-26
tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-03-26
tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2022-03-26
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2022-03-26
Use after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.
CVSS Score: 7.7 | EPSS Score: 0.003 | Published: 2022-03-26
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web app Dokuwiki (installed by default) that permits embedded PHP code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role.
CVSS Score: 8.8 | EPSS Score: 0.249 | Published: 2022-03-25
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the upload of ".mkp" files (Extension Packages), making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role. NOTE: the vendor states that this is the intended behavior; administrators are supposed to be able to execute code in this manner.
CVSS Score: 8.8 | EPSS Score: 0.035 | Published: 2022-03-25
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This reflected XSS allows an attacker to open a backdoor on the device using HTML content interpreted by the browser (such as JavaScript or other client-side scripts), or to steal the session cookies of a user who has previously authenticated, via a man-in-the-middle position. Successful exploitation requires access to the web service resource without authentication.
CVSS Score: 6.1 | EPSS Score: 0.009 | Published: 2022-03-25
A stack-based buffer overflow vulnerability in SonicOS, reachable via an HTTP request, allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially achieve code execution on the firewall.
CVSS Score: 9.8 | EPSS Score: 0.386 | Published: 2022-03-25
Shodan ® - All rights reserved