Security Vulnerabilities - CVEs Published In April 2022
CVE-2022-22965
Known exploited
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVSS Score: 9.8 | EPSS Score: 0.944 | Published: 2022-04-01
When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.
CVSS Score: 5.5 | EPSS Score: 0.091 | Published: 2022-04-01
Modbus Tools Modbus Slave (versions 7.4.2 and prior) is vulnerable to a stack-based buffer overflow in the registration field. This may cause the program to crash when a long character string is used.
CVSS Score: 5.5 | EPSS Score: 0.002 | Published: 2022-04-01
Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) is vulnerable to a DLL hijacking condition. When combined with the Incorrect Default Permissions vulnerability of 4.2.2 above, this makes it possible for an attacker to escalate privileges.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2022-04-01
Rockwell Automation Studio 5000 Logix Designer (all versions) is vulnerable: an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code that is undetectable to a user.
CVSS Score: 7.7 | EPSS Score: 0.0 | Published: 2022-04-01
Improper access control in GitLab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed project non-members to retrieve issue details when the issue was linked to an item from the vulnerability dashboard.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2022-04-01
A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-01
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15. It was possible to trigger a DoS by using the math feature with a specific formula in issue comments.
CVSS Score: 3.5 | EPSS Score: 0.002 | Published: 2022-04-01
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.
CVSS Score: 5.8 | EPSS Score: 0.003 | Published: 2022-04-01
The software does not perform any authentication for critical system functionality.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2022-04-01