Security Vulnerabilities - CVEs Published In May 2023
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.
CVSS Score: 6.7 | EPSS Score: 0.0 | Published: 2023-05-12

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
CVSS Score: 6.7 | EPSS Score: 0.0 | Published: 2023-05-12

A maliciously crafted DLL file can be forced to read beyond allocated boundaries in Autodesk InfraWorks 2023 and 2021 when parsing the DLL files, which could lead to a resource injection vulnerability.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-05-12

A malicious actor may convince a user to open a malicious USD file that may trigger a use-after-free vulnerability which could result in code execution.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-05-12

A malicious actor may convince a user to open a malicious USD file that may trigger an uninitialized pointer which could result in code execution.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-05-12

A malicious actor may convince a user to open a malicious USD file that may trigger an out-of-bounds read vulnerability which could result in code execution.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-05-12

A malicious actor may convince a user to open a malicious USD file that may trigger an out-of-bounds write vulnerability which could result in code execution.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2023-05-12

A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2023-05-12

An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI.
CVSS Score: 6.3 | EPSS Score: 0.004 | Published: 2023-05-12

Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.
CVSS Score: 5.2 | EPSS Score: 0.001 | Published: 2023-05-12

