Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2023-AVI-0272
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Elles permettent à un attaquant de provoquer un déni de service à distance, une élévation de privilèges, un contournement de la politique de sécurité, une exécution de code arbitraire, une injection de code indirecte à distance (XSS), une atteinte à la confidentialité des données et un problème de sécurité non spécifié par l'éditeur.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere | IBM WebSphere Automation versions antérieures à 1.5.2 | ||
| IBM | Spectrum | IBM Spectrum Protect Plus Container Agent (Red Hat OpenShift) versions antérieures à 10.1.12.4 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM 7.4.3 sans le correctif de sécurité FP9 | ||
| IBM | Spectrum | IBM Spectrum Protect Plus Container Agent (Kubernetes) versions antérieures à 10.1.12.4 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM 7.5.0 sans le correctif de sécurité UP4 IF01 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Automation versions ant\u00e9rieures \u00e0 1.5.2",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Container Agent (Red Hat OpenShift) versions ant\u00e9rieures \u00e0 10.1.12.4",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM 7.4.3 sans le correctif de s\u00e9curit\u00e9 FP9",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Container Agent (Kubernetes) versions ant\u00e9rieures \u00e0 10.1.12.4",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM 7.5.0 sans le correctif de s\u00e9curit\u00e9 UP4 IF01",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2022-23825",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23825"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2022-41722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41722"
},
{
"name": "CVE-2022-29900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29900"
},
{
"name": "CVE-2022-29901",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29901"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2023-27589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27589"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2022-41720",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41720"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2023-25136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25136"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2022-26373",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26373"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2022-42898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42898"
},
{
"name": "CVE-2022-41721",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41721"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2022-2588",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2588"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2022-23816",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23816"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2022-41727",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41727"
},
{
"name": "CVE-2022-40898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40898"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0272",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-03-30T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nun d\u00e9ni de service \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges, un\ncontournement de la politique de s\u00e9curit\u00e9, une ex\u00e9cution de code\narbitraire, une injection de code indirecte \u00e0 distance (XSS), une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967016 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967016"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6966998 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6966998"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6965352 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6965352"
}
]
}
CVE-2022-1705 (GCVE-0-2022-1705)
Vulnerability from cvelistv5 – Published: 2022-08-09 20:16 – Updated: 2026-03-06 17:46
VLAI
EPSS
Title
Improper sanitization of Transfer-Encoding headers in net/http
Summary
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
Severity
6.5 (Medium)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http |
Affected:
0 , < 1.17.12
(semver)
Affected: 1.18.0-0 , < 1.18.4 (semver) |
Credits
Zeyu Zhang (https://www.zeyu2001.com/)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/409874"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/53188"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/410714"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0525"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-1705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T20:38:47.035806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:46:56.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "transferReader.parseTransferEncoding"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.17.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.18.4",
"status": "affected",
"version": "1.18.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Zeyu Zhang (https://www.zeyu2001.com/)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:43.089Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/409874"
},
{
"url": "https://go.googlesource.com/go/+/e5017a93fcde94f09836200bca55324af037ee5f"
},
{
"url": "https://go.dev/issue/53188"
},
{
"url": "https://go.dev/cl/410714"
},
{
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0525"
}
],
"title": "Improper sanitization of Transfer-Encoding headers in net/http"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-1705",
"datePublished": "2022-08-09T20:16:57.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2026-03-06T17:46:56.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-1962 (GCVE-0-2022-1962)
Vulnerability from cvelistv5 – Published: 2022-08-09 20:18 – Updated: 2026-03-06 19:08
VLAI
EPSS
Title
Stack exhaustion due to deeply nested types in go/parser
Summary
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
Severity
5.5 (Medium)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | go/parser |
Affected:
0 , < 1.17.12
(semver)
Affected: 1.18.0-0 , < 1.18.4 (semver) |
Credits
Juho Nurminen of Mattermost
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/417063"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/53616"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0515"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-1962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T19:32:02.875913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T19:08:08.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "go/parser",
"product": "go/parser",
"programRoutines": [
{
"name": "ParseFile"
},
{
"name": "ParseExprFrom"
},
{
"name": "parser.tryIdentOrType"
},
{
"name": "parser.parsePrimaryExpr"
},
{
"name": "parser.parseUnaryExpr"
},
{
"name": "parser.parseBinaryExpr"
},
{
"name": "parser.parseIfStmt"
},
{
"name": "parser.parseStmt"
},
{
"name": "resolver.openScope"
},
{
"name": "resolver.closeScope"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.17.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.18.4",
"status": "affected",
"version": "1.18.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:29.406Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/417063"
},
{
"url": "https://go.googlesource.com/go/+/695be961d57508da5a82217f7415200a11845879"
},
{
"url": "https://go.dev/issue/53616"
},
{
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0515"
}
],
"title": "Stack exhaustion due to deeply nested types in go/parser"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-1962",
"datePublished": "2022-08-09T20:18:18.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2026-03-06T19:08:08.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23491 (GCVE-0-2022-23491)
Vulnerability from cvelistv5 – Published: 2022-12-07 21:15 – Updated: 2025-04-23 16:31
VLAI
EPSS
Title
Removal of TrustCor root certificate
Summary
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Severity
6.8 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/certifi/python-certifi/securit… | x_refsource_CONFIRM |
| https://groups.google.com/a/mozilla.org/g/dev-sec… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| certifi | python-certifi |
Affected:
< 2022.12.07
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230223-0010/"
},
{
"name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8"
},
{
"name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:52:56.533262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:36.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "python-certifi",
"vendor": "certifi",
"versions": [
{
"status": "affected",
"version": "\u003c 2022.12.07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from \"TrustCor\" from the root store. These are in the process of being removed from Mozilla\u0027s trust store. TrustCor\u0027s root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor\u0027s ownership also operated a business that produced spyware. Conclusions of Mozilla\u0027s investigation can be found in the linked google group discussion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T21:15:53.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8"
},
{
"name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ",
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
}
],
"source": {
"advisory": "GHSA-43fp-rhv2-5gv8",
"discovery": "UNKNOWN"
},
"title": "Removal of TrustCor root certificate"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23491",
"datePublished": "2022-12-07T21:15:53.804Z",
"dateReserved": "2022-01-19T21:23:53.763Z",
"dateUpdated": "2025-04-23T16:31:36.080Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23816 (GCVE-0-2022-23816)
Vulnerability from cvelistv5 – Published: – Updated: 2023-01-17 00:00
VLAI
EPSS
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2023-01-17T00:00:00.000Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"rejectedReasons": [
{
"lang": "en",
"value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2022-23816",
"dateRejected": "2023-01-17T00:00:00.000Z",
"dateReserved": "2022-01-21T00:00:00.000Z",
"dateUpdated": "2023-01-17T00:00:00.000Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}
CVE-2022-23825 (GCVE-0-2022-23825)
Vulnerability from cvelistv5 – Published: 2022-07-14 19:27 – Updated: 2024-09-16 17:48
VLAI
EPSS
Summary
Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.
Severity
No CVSS data available.
CWE
- NA
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://www.amd.com/en/corporate/product-security… | |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://www.debian.org/security/2022/dsa-5184 | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2022/11/08/1 | mailing-list |
| http://www.openwall.com/lists/oss-security/2022/11/10/2 | mailing-list |
| https://security.gentoo.org/glsa/202402-07 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AMD | AMD Processors |
Affected:
Processor Some AMD Processors
|
Date Public
2022-07-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:46.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2022-c69ef9c1dd",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037"
},
{
"name": "FEDORA-2022-8aab5b5cde",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/"
},
{
"name": "DSA-5184",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5184"
},
{
"name": "FEDORA-2022-3e6ce58029",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/"
},
{
"name": "FEDORA-2022-a0d7a5eaf2",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/"
},
{
"name": "[oss-security] 20221108 Xen Security Advisory 422 v1 (CVE-2022-23824) - x86: Multiple speculative security issues",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/08/1"
},
{
"name": "[oss-security] 20221110 Xen Security Advisory 422 v2 (CVE-2022-23824) - x86: Multiple speculative security issues",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/10/2"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AMD Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "Processor Some AMD Processors"
}
]
}
],
"datePublic": "2022-07-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NA",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-04T08:06:51.356Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"name": "FEDORA-2022-c69ef9c1dd",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/"
},
{
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037"
},
{
"name": "FEDORA-2022-8aab5b5cde",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/"
},
{
"name": "DSA-5184",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5184"
},
{
"name": "FEDORA-2022-3e6ce58029",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED/"
},
{
"name": "FEDORA-2022-a0d7a5eaf2",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/"
},
{
"name": "[oss-security] 20221108 Xen Security Advisory 422 v1 (CVE-2022-23824) - x86: Multiple speculative security issues",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/08/1"
},
{
"name": "[oss-security] 20221110 Xen Security Advisory 422 v2 (CVE-2022-23824) - x86: Multiple speculative security issues",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/10/2"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2022-23825",
"datePublished": "2022-07-14T19:27:08.292Z",
"dateReserved": "2022-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:48:09.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2588 (GCVE-0-2022-2588)
Vulnerability from cvelistv5 – Published: 2024-01-08 17:50 – Updated: 2025-05-22 18:23
VLAI
EPSS
Summary
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.
Severity
5.3 (Medium)
CWE
Assigner
References
15 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| The Linux Kernel Organization | linux |
Affected:
0 , < 6.0~rc1
(semver)
|
Credits
Zhenpeng Lin working with Trend Micro's Zero Day Initiative
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5565-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5562-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2022/08/09/6"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5582-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5564-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5566-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1117/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5588-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5560-1"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/Markakd/CVE-2022-2588"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5567-1"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5560-2"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-5557-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2588",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T20:44:16.386267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:23:25.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "linux",
"platforms": [
"Linux"
],
"product": "linux",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git",
"vendor": "The Linux Kernel Organization",
"versions": [
{
"lessThan": "6.0~rc1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhenpeng Lin working with Trend Micro\u0027s Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T17:50:47.948Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5565-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5562-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.openwall.com/lists/oss-security/2022/08/09/6"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5582-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5564-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5566-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1117/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5588-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5560-1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Markakd/CVE-2022-2588"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5567-1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5560-2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-5557-1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2022-2588",
"datePublished": "2024-01-08T17:50:47.948Z",
"dateReserved": "2022-07-29T23:41:31.412Z",
"dateUpdated": "2025-05-22T18:23:25.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26373 (GCVE-0-2022-26373)
Vulnerability from cvelistv5 – Published: 2022-08-18 00:00 – Updated: 2025-05-05 16:22
VLAI
EPSS
Summary
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
Severity
5.5 (Medium)
CWE
- information disclosure
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Intel(R) Processors |
Affected:
See references
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:03:32.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00706.html"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221007-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:20:22.737694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:22:27.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Intel(R) Processors",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "information disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00.000Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00706.html"
},
{
"name": "[debian-lts-announce] 20220911 [SECURITY] [DLA 3102-1] linux-5.10 new package",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
},
{
"name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221007-0005/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2022-26373",
"datePublished": "2022-08-18T00:00:00.000Z",
"dateReserved": "2022-05-11T00:00:00.000Z",
"dateUpdated": "2025-05-05T16:22:27.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27664 (GCVE-0-2022-27664)
Vulnerability from cvelistv5 – Published: 2022-09-06 17:29 – Updated: 2024-08-03 05:32
VLAI
EPSS
Summary
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://groups.google.com/g/golang-announce | x_refsource_MISC |
| https://groups.google.com/g/golang-announce/c/x49… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://security.netapp.com/advisory/ntap-2022092… | x_refsource_CONFIRM |
| https://security.gentoo.org/glsa/202209-26 | vendor-advisoryx_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:59.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"name": "FEDORA-2022-67ec8c61d0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
},
{
"name": "FEDORA-2022-45097317b4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
},
{
"name": "GLSA-202209-26",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-29T16:06:56.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/golang-announce"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"name": "FEDORA-2022-67ec8c61d0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
},
{
"name": "FEDORA-2022-45097317b4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
},
{
"name": "GLSA-202209-26",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-26"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/golang-announce",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce"
},
{
"name": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s",
"refsource": "CONFIRM",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
},
{
"name": "FEDORA-2022-67ec8c61d0",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
},
{
"name": "FEDORA-2022-45097317b4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220923-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
},
{
"name": "GLSA-202209-26",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-26"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27664",
"datePublished": "2022-09-06T17:29:08.000Z",
"dateReserved": "2022-03-23T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:32:59.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28131 (GCVE-0-2022-28131)
Vulnerability from cvelistv5 – Published: 2022-08-09 00:00 – Updated: 2024-08-03 05:48
VLAI
EPSS
Title
Stack exhaustion from deeply nested XML documents in encoding/xml
Summary
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
Severity
No CVSS data available.
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | encoding/xml |
Affected:
0 , < 1.17.12
(semver)
Affected: 1.18.0-0 , < 1.18.4 (semver) |
Credits
Go Security Team
Juho Nurminen of Mattermost
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:48:36.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/417062"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/53614"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-0521"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "encoding/xml",
"product": "encoding/xml",
"programRoutines": [
{
"name": "Decoder.Skip"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.17.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.18.4",
"status": "affected",
"version": "1.18.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Go Security Team"
},
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:35.004Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/417062"
},
{
"url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3"
},
{
"url": "https://go.dev/issue/53614"
},
{
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-0521"
}
],
"title": "Stack exhaustion from deeply nested XML documents in encoding/xml"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-28131",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2022-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:48:36.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2879 (GCVE-0-2022-2879)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-02-13 16:32
VLAI
EPSS
Title
Unbounded memory consumption when reading headers in archive/tar
Summary
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Severity
No CVSS data available.
CWE
- CWE 400: Uncontrolled Resource Consumption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | archive/tar |
Affected:
0 , < 1.18.7
(semver)
Affected: 1.19.0-0 , < 1.19.2 (semver) |
Credits
Adam Korczynski (ADA Logics)
OSS-Fuzz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.498Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/54853"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/439355"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-1037"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "archive/tar",
"product": "archive/tar",
"programRoutines": [
{
"name": "Reader.next"
},
{
"name": "parsePAX"
},
{
"name": "Writer.writePAXHeader"
},
{
"name": "Reader.Next"
},
{
"name": "Writer.WriteHeader"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.18.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.19.2",
"status": "affected",
"version": "1.19.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Adam Korczynski (ADA Logics)"
},
{
"lang": "en",
"value": "OSS-Fuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:10:09.147Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/54853"
},
{
"url": "https://go.dev/cl/439355"
},
{
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-1037"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Unbounded memory consumption when reading headers in archive/tar"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-2879",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-08-17T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:32:38.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…