Security Vulnerabilities - CVEs Published In April 2022
A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2022-04-12
The affected product is vulnerable due to an invalid pointer initialization, which may lead to information disclosure.
CVSS Score: 3.3 | EPSS Score: 0.002 | Published: 2022-04-12
The affected product is vulnerable to an out-of-bounds read, which may result in disclosure of sensitive information.
CVSS Score: 3.3 | EPSS Score: 0.002 | Published: 2022-04-12
The affected product is vulnerable to a heap-based buffer overflow, which may lead to code execution.
CVSS Score: 7.8 | EPSS Score: 0.005 | Published: 2022-04-12
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.
CVSS Score: 7.8 | EPSS Score: 0.005 | Published: 2022-04-12
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people who shouldn't or don't need to have access.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2022-04-12
A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 Servers. The vulnerability could be locally exploited to allow a user with Administrator access to escalate their privilege. The vulnerability is resolved in the latest firmware update: HPE Superdome Flex Server Version 3.50.58 or later, and HPE Superdome Flex 280 Server Version 1.20.204 or later.
CVSS Score: 6.7 | EPSS Score: 0.001 | Published: 2022-04-12
A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays and HPE Nimble Storage Secondary Flash Arrays during update. This would potentially allow an attacker to intercept and modify network communication for software updates initiated by the Nimble appliance. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 5.0.10.100, 5.2.1.500, 6.0.0.100.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2022-04-12
The affected product is vulnerable to an out-of-bounds read, which may result in code execution.
CVSS Score: 7.8 | EPSS Score: 0.003 | Published: 2022-04-12
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, subsequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges: for example, when a first request is made with Admin permissions and a second request is made with a different API Key that has Viewer permissions, the second request will get the cached permissions from the previous Admin request, essentially gaining higher privileges than it should. The vulnerability only affects Grafana Enterprise when the fine-grained access control beta feature is enabled and there is more than one API Key in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disabling fine-grained access control will mitigate the vulnerability.
CVSS Score: 8.0 | EPSS Score: 0.001 | Published: 2022-04-12

