Security Vulnerabilities - CVEs Published In November 2022
A vulnerability was found in Dalli up to 3.2.2. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation of the argument cas/ttl leads to injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.3 is able to address this issue. The patch is identified as 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to upgrade the affected component.
CVSS Score
3.7
EPSS Score
0.003
Published
2022-11-19
knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious `lifecycle` container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid `lifecycle` image will also mitigate the attack.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-11-19
Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page. All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted. The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade as soon as possible to v1.6.2. There are no known workarounds for this issue.
CVSS Score
9.0
EPSS Score
0.006
Published
2022-11-19
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVSS Score
7.4
EPSS Score
0.0
Published
2022-11-19
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-11-19
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress.
CVSS Score
6.4
EPSS Score
0.002
Published
2022-11-19
NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnerability in cuobjdump, where an unprivileged remote attacker could exploit this buffer overflow condition by persuading a local user to download a specially crafted corrupted file and execute cuobjdump against it locally, which may lead to a limited denial of service and some loss of data integrity for the local user.
CVSS Score
4.4
EPSS Score
0.003
Published
2022-11-19
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a local user with basic capabilities can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-11-19
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
CVSS Score
6.5
EPSS Score
0.0
Published
2022-11-19
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where any local user can cause a null-pointer dereference, which may lead to a kernel panic.
CVSS Score
7.1
EPSS Score
0.0
Published
2022-11-19