Security Vulnerabilities - CVEs Published In May 2022
Windows PlayToManager Elevation of Privilege Vulnerability
CVSS Score: 7.0 | EPSS Score: 0.003 | Published: 2022-05-10
Remote Desktop Client Remote Code Execution Vulnerability
CVSS Score: 8.8 | EPSS Score: 0.146 | Published: 2022-05-10
Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVSS Score: 8.8 | EPSS Score: 0.051 | Published: 2022-05-10
Windows Hyper-V Denial of Service Vulnerability
CVSS Score: 5.6 | EPSS Score: 0.002 | Published: 2022-05-10
.NET and Visual Studio Denial of Service Vulnerability
CVSS Score: 7.5 | EPSS Score: 0.082 | Published: 2022-05-10
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVSS Score: 8.1 | EPSS Score: 0.484 | Published: 2022-05-10
Windows ALPC Elevation of Privilege Vulnerability
CVSS Score: 7.0 | EPSS Score: 0.014 | Published: 2022-05-10
In CarSettings, it is possible to pair a Bluetooth device while bypassing the user's consent, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-216190509
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2022-05-10
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The root cause is that the EJBComponent#incomingRunAsIdentity field is currently just a single SecurityIdentity, shared rather than scoped per invocation. This means that in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it is possible for the wrong caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it is also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2022-05-10
Improper access control in GitLab CE/EE, affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1, allows non-project members to access the contents of Project Members-only Wikis via malicious CI jobs.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2022-05-10
Shodan ® - All rights reserved