Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2024-0049
Vulnerability from csaf_certbund - Published: 2024-01-09 23:00 - Updated: 2024-07-01 22:00Summary
Splunk Enterprise: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Splunk Enterprise ausnutzen, um beliebigen Programmcode auszuführen, einen Denial of Service Zustand herbeizuführen oder unbekannte Auswirkungen zu verursachen.
Betroffene Betriebssysteme
- Linux
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Splunk Enterprise erm\u00f6glicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Splunk Enterprise ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0049 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0049.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0049 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0049"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0101 vom 2024-01-09",
"url": "https://advisory.splunk.com//advisories/SVD-2024-0101"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0102 vom 2024-01-09",
"url": "https://advisory.splunk.com//advisories/SVD-2024-0102"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0103 vom 2024-01-09",
"url": "https://advisory.splunk.com//advisories/SVD-2024-0103"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0104 vom 2024-01-09",
"url": "https://advisory.splunk.com//advisories/SVD-2024-0104"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0112 vom 2024-01-30",
"url": "https://advisory.splunk.com//advisories/SVD-2024-0112"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2024-0718 vom 2024-07-02",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0718"
}
],
"source_lang": "en-US",
"title": "Splunk Enterprise: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-07-01T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:03:28.208+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0049",
"initial_release_date": "2024-01-09T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-01-09T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-01-30T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Splunk-SVD aufgenommen"
},
{
"date": "2024-07-01T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Splunk-SVD aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Security \u003c7.3.0",
"product": {
"name": "Splunk Splunk Enterprise Security \u003c7.3.0",
"product_id": "T031923"
}
},
{
"category": "product_version_range",
"name": "Security \u003c7.2.0",
"product": {
"name": "Splunk Splunk Enterprise Security \u003c7.2.0",
"product_id": "T031924"
}
},
{
"category": "product_version_range",
"name": "Security \u003c7.1.2",
"product": {
"name": "Splunk Splunk Enterprise Security \u003c7.1.2",
"product_id": "T031925"
}
},
{
"category": "product_version_range",
"name": "UBA \u003c5.3.0",
"product": {
"name": "Splunk Splunk Enterprise UBA \u003c5.3.0",
"product_id": "T031926"
}
},
{
"category": "product_version_range",
"name": "UBA \u003c5.2.1",
"product": {
"name": "Splunk Splunk Enterprise UBA \u003c5.2.1",
"product_id": "T031927"
}
},
{
"category": "product_version_range",
"name": "\u003c9.2.1",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.2.1",
"product_id": "T033705"
}
},
{
"category": "product_version_range",
"name": "\u003c9.1.4",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.1.4",
"product_id": "T033718"
}
},
{
"category": "product_version_range",
"name": "\u003c9.0.9",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.0.9",
"product_id": "T033720"
}
}
],
"category": "product_name",
"name": "Splunk Enterprise"
}
],
"category": "vendor",
"name": "Splunk"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5237",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2015-5237"
},
{
"cve": "CVE-2021-23446",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2021-23446"
},
{
"cve": "CVE-2022-25883",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-25883"
},
{
"cve": "CVE-2022-3171",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-3171"
},
{
"cve": "CVE-2022-3509",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-3509"
},
{
"cve": "CVE-2022-3510",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-3510"
},
{
"cve": "CVE-2022-37599",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-37599"
},
{
"cve": "CVE-2022-37601",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-37601"
},
{
"cve": "CVE-2022-37603",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-37603"
},
{
"cve": "CVE-2022-46175",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2022-46175"
},
{
"cve": "CVE-2023-2976",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-32695",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2023-32695"
},
{
"cve": "CVE-2023-45133",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese sind auf Fehler bei Komponenten von Drittanbietern zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren oder unbekannte Auswirkungen zu verursachen. Einige der Schwachstellen ben\u00f6tigen eine Benutzerinteraktion zur erfolgreichen Ausnutzung."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2023-45133"
},
{
"cve": "CVE-2024-22164",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese bestehen in der Komponente \"Investigator\" und sind auf Fehler bei der Verarbeitung von Requests und Investigationen zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2024-22164"
},
{
"cve": "CVE-2024-22165",
"notes": [
{
"category": "description",
"text": "In Splunk Enterprise existieren mehrere Schwachstellen. Diese bestehen in der Komponente \"Investigator\" und sind auf Fehler bei der Verarbeitung von Requests und Investigationen zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"T033720",
"T033718",
"T033705"
]
},
"release_date": "2024-01-09T23:00:00.000+00:00",
"title": "CVE-2024-22165"
}
]
}
CVE-2024-22164 (GCVE-0-2024-22164)
Vulnerability from cvelistv5 – Published: 2024-01-09 17:01 – Updated: 2025-06-03 14:31
VLAI?
EPSS
Summary
In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible.
Severity ?
4.3 (Medium)
CWE
- CWE-400 - The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Splunk | Splunk Enterprise Security (ES) |
Affected:
7.3 , < 7.3.0
(custom)
Affected: 7.2 , < 7.2.0 (custom) Affected: 7.1 , < 7.1.2 (custom) |
Credits
Vikram Ashtaputre, Splunk
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisory.splunk.com/advisories/SVD-2024-0101"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.splunk.com/application/bb85b25e-2d6b-4e39-bd27-50db42edcb8f/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:56:30.171752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:31:04.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise Security (ES)",
"vendor": "Splunk",
"versions": [
{
"lessThan": "7.3.0",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "7.2.0",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "7.1.2",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vikram Ashtaputre, Splunk"
}
],
"datePublic": "2024-01-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible."
}
],
"value": "In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the Investigation to become inaccessible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:48.237Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2024-0101"
},
{
"url": "https://research.splunk.com/application/bb85b25e-2d6b-4e39-bd27-50db42edcb8f/"
}
],
"source": {
"advisory": "SVD-2024-0101"
},
"title": "Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2024-22164",
"datePublished": "2024-01-09T17:01:07.832Z",
"dateReserved": "2024-01-05T16:53:01.503Z",
"dateUpdated": "2025-06-03T14:31:04.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3510 (GCVE-0-2022-3510)
Vulnerability from cvelistv5 – Published: 2022-11-11 16:35 – Updated: 2025-04-22 15:09
VLAI?
EPSS
Summary
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ProtocolBuffers |
Affected:
3.21.0 , < 3.21.7
(semver)
Affected: 3.20.0 , < 3.20.3 (semver) Affected: 3.19.0 , < 3.19.6 (semver) Affected: 3.16.0 , < 3.16.3 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:01.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:08:55.087167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T15:09:17.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"all"
],
"product": "ProtocolBuffers",
"repo": "https://github.com/protocolbuffers/protobuf/",
"vendor": "Google",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "3.21.0",
"versionType": "semver"
},
{
"lessThan": "3.20.3",
"status": "affected",
"version": "3.20.0",
"versionType": "semver"
},
{
"lessThan": "3.19.6",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
},
{
"lessThan": "3.16.3",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\u003c/p\u003e"
}
],
"value": "A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T12:11:04.548Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Parsing issue in protobuf message-type extension",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-3510",
"datePublished": "2022-11-11T16:35:20.765Z",
"dateReserved": "2022-10-14T13:53:33.104Z",
"dateUpdated": "2025-04-22T15:09:17.050Z",
"requesterUserId": "0482d1dc-86d9-41dd-bdd2-3f4c4834e1b3",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37599 (GCVE-0-2022-37599)
Vulnerability from cvelistv5 – Published: 2022-10-11 00:00 – Updated: 2025-11-04 18:14
VLAI?
EPSS
Summary
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:14:20.740Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/211"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/216"
},
{
"name": "FEDORA-2024-5ecc250449",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"
},
{
"name": "FEDORA-2024-28fc0c2ef4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-28T02:06:10.213Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83"
},
{
"url": "https://github.com/webpack/loader-utils/issues/211"
},
{
"url": "https://github.com/webpack/loader-utils/issues/216"
},
{
"name": "FEDORA-2024-5ecc250449",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"
},
{
"name": "FEDORA-2024-28fc0c2ef4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37599",
"datePublished": "2022-10-11T00:00:00.000Z",
"dateReserved": "2022-08-08T00:00:00.000Z",
"dateUpdated": "2025-11-04T18:14:20.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-46175 (GCVE-0-2022-46175)
Vulnerability from cvelistv5 – Published: 2022-12-24 00:00 – Updated: 2024-08-03 14:24
VLAI?
EPSS
Summary
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Severity ?
7.1 (High)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/json5/json5/issues/199"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/json5/json5/issues/295"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/json5/json5/pull/298"
},
{
"name": "FEDORA-2023-e7297a4aeb",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/"
},
{
"name": "[debian-lts-announce] 20231125 [SECURITY] [DLA 3665-1] node-json5 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "json5",
"vendor": "json5",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-26T00:06:12.132080",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
},
{
"url": "https://github.com/json5/json5/issues/199"
},
{
"url": "https://github.com/json5/json5/issues/295"
},
{
"url": "https://github.com/json5/json5/pull/298"
},
{
"name": "FEDORA-2023-e7297a4aeb",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/"
},
{
"name": "[debian-lts-announce] 20231125 [SECURITY] [DLA 3665-1] node-json5 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html"
}
],
"source": {
"advisory": "GHSA-9c47-m6qq-7p4h",
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46175",
"datePublished": "2022-12-24T00:00:00",
"dateReserved": "2022-11-28T00:00:00",
"dateUpdated": "2024-08-03T14:24:03.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45133 (GCVE-0-2023-45133)
Vulnerability from cvelistv5 – Published: 2023-10-12 16:17 – Updated: 2025-02-13 17:13
VLAI?
EPSS
Summary
Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any "polyfill provider" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.
Severity ?
9.4 (Critical)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92"
},
{
"name": "https://github.com/babel/babel/pull/16033",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/babel/babel/pull/16033"
},
{
"name": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82"
},
{
"name": "https://github.com/babel/babel/releases/tag/v7.23.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/babel/babel/releases/tag/v7.23.2"
},
{
"name": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5528"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:45:41.131211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:46:03.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "babel",
"vendor": "babel",
"versions": [
{
"status": "affected",
"version": "\u003c 7.23.2"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T08:06:11.273Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92"
},
{
"name": "https://github.com/babel/babel/pull/16033",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/babel/babel/pull/16033"
},
{
"name": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82"
},
{
"name": "https://github.com/babel/babel/releases/tag/v7.23.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/babel/babel/releases/tag/v7.23.2"
},
{
"name": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4"
},
{
"url": "https://www.debian.org/security/2023/dsa-5528"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html"
}
],
"source": {
"advisory": "GHSA-67hx-6x53-jw92",
"discovery": "UNKNOWN"
},
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45133",
"datePublished": "2023-10-12T16:17:08.624Z",
"dateReserved": "2023-10-04T16:02:46.328Z",
"dateUpdated": "2025-02-13T17:13:48.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37601 (GCVE-0-2022-37601)
Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2024-10-28 19:41
VLAI?
EPSS
Summary
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/212"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884"
},
{
"tags": [
"x_transferred"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
},
{
"tags": [
"x_transferred"
],
"url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
},
{
"tags": [
"x_transferred"
],
"url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
},
{
"name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3258-1] node-loader-utils security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-37601",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T19:39:00.731353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:41:38.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-10T15:59:24.822577",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11"
},
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47"
},
{
"url": "https://github.com/webpack/loader-utils/issues/212"
},
{
"url": "https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884"
},
{
"url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
},
{
"url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
},
{
"url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
},
{
"url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
},
{
"name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3258-1] node-loader-utils security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37601",
"datePublished": "2022-10-12T00:00:00",
"dateReserved": "2022-08-08T00:00:00",
"dateUpdated": "2024-10-28T19:41:38.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22165 (GCVE-0-2024-22165)
Vulnerability from cvelistv5 – Published: 2024-01-09 17:01 – Updated: 2025-02-28 11:03
VLAI?
EPSS
Summary
In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.<br>The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users.
Severity ?
6.5 (Medium)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Splunk | Splunk Enterprise Security (ES) |
Affected:
7.3 , < 7.3.0
(custom)
Affected: 7.2 , < 7.2.0 (custom) Affected: 7.1 , < 7.1.2 (custom) |
Credits
Eric LaMothe, Splunk
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-10T19:58:58.267037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:31.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisory.splunk.com/advisories/SVD-2024-0102"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.splunk.com/application/7f6a07bd-82ef-46b8-8eba-802278abd00e/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise Security (ES)",
"vendor": "Splunk",
"versions": [
{
"lessThan": "7.3.0",
"status": "affected",
"version": "7.3",
"versionType": "custom"
},
{
"lessThan": "7.2.0",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "7.1.2",
"status": "affected",
"version": "7.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eric LaMothe, Splunk"
}
],
"datePublic": "2024-01-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.\u003cbr\u003eThe vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users."
}
],
"value": "In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.\u003cbr\u003eThe vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:43.686Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2024-0102"
},
{
"url": "https://research.splunk.com/application/7f6a07bd-82ef-46b8-8eba-802278abd00e/"
}
],
"source": {
"advisory": "SVD-2024-0102"
},
"title": "Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2024-22165",
"datePublished": "2024-01-09T17:01:04.884Z",
"dateReserved": "2024-01-05T16:53:01.504Z",
"dateUpdated": "2025-02-28T11:03:43.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23446 (GCVE-0-2021-23446)
Vulnerability from cvelistv5 – Published: 2021-09-29 16:45 – Updated: 2024-09-16 19:31
VLAI?
EPSS
Summary
The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.
Severity ?
7.5 (High)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | handsontable |
Affected:
unspecified , < 10.0.0
(custom)
|
|||||||
|
|||||||||
Credits
Unknown
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:56.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/handsontable/handsontable/issues/8752"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/handsontable/handsontable/pull/8742"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "handsontable",
"vendor": "n/a",
"versions": [
{
"lessThan": "10.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Handsontable",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "10.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Unknown"
}
],
"datePublic": "2021-09-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T16:45:28",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/handsontable/handsontable/issues/8752"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/handsontable/handsontable/pull/8742"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-09-29T16:44:30.760996Z",
"ID": "CVE-2021-23446",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "handsontable",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "10.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
},
{
"product": {
"product_data": [
{
"product_name": "Handsontable",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
},
{
"version_affected": "\u003c",
"version_value": "10.0.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Unknown"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-HANDSONTABLE-1726770"
},
{
"name": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-DOTNET-HANDSONTABLE-1726793"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBHANDSONTABLE-1726794"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1726795"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1726796"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1726797"
},
{
"name": "https://github.com/handsontable/handsontable/issues/8752",
"refsource": "MISC",
"url": "https://github.com/handsontable/handsontable/issues/8752"
},
{
"name": "https://github.com/handsontable/handsontable/pull/8742",
"refsource": "MISC",
"url": "https://github.com/handsontable/handsontable/pull/8742"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23446",
"datePublished": "2021-09-29T16:45:28.726765Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:31:26.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3509 (GCVE-0-2022-3509)
Vulnerability from cvelistv5 – Published: 2022-11-01 18:09 – Updated: 2025-04-22 15:10
VLAI?
EPSS
Summary
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ProtocolBuffers |
Affected:
3.21.0 , < 3.21.7
(semver)
Affected: 3.20.0 , < 3.20.3 (semver) Affected: 3.19.0 , < 3.19.6 (semver) Affected: 3.16.0 , < 3.16.3 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:09:47.292910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T15:10:13.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"all"
],
"product": "ProtocolBuffers",
"repo": "https://github.com/protocolbuffers/protobuf/",
"vendor": "Google",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "3.21.0",
"versionType": "semver"
},
{
"lessThan": "3.20.3",
"status": "affected",
"version": "3.20.0",
"versionType": "semver"
},
{
"lessThan": "3.19.6",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
},
{
"lessThan": "3.16.3",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\u003c/span\u003e"
}
],
"value": "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T12:11:04.548Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Parsing issue in protobuf textformat",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-3509",
"datePublished": "2022-11-01T18:09:31.634Z",
"dateReserved": "2022-10-14T13:51:45.771Z",
"dateUpdated": "2025-04-22T15:10:13.149Z",
"requesterUserId": "0482d1dc-86d9-41dd-bdd2-3f4c4834e1b3",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37603 (GCVE-0-2022-37603)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-05-15 14:51
VLAI?
EPSS
Summary
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/webpack/loader-utils/issues/213"
},
{
"name": "FEDORA-2023-86d75130fe",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/"
},
{
"name": "FEDORA-2023-a4f0b29f6c",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/"
},
{
"name": "FEDORA-2023-2e38c3756f",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-37603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:51:07.504643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:51:37.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-30T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107"
},
{
"url": "https://github.com/webpack/loader-utils/issues/213"
},
{
"name": "FEDORA-2023-86d75130fe",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/"
},
{
"name": "FEDORA-2023-a4f0b29f6c",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/"
},
{
"name": "FEDORA-2023-2e38c3756f",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37603",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-08-08T00:00:00.000Z",
"dateUpdated": "2025-05-15T14:51:37.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2976 (GCVE-0-2023-2976)
Vulnerability from cvelistv5 – Published: 2023-06-14 17:36 – Updated: 2025-11-03 21:47
VLAI?
EPSS
Summary
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Severity ?
5.5 (Medium)
CWE
- Creation of Temporary File With Insecure Permissions
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:47:58.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/google/guava/issues/2575"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230818-0008/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Guava",
"vendor": "Google",
"versions": [
{
"lessThan": "32.0.0",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse of Java\u0027s default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\u003c/p\u003e\u003cp\u003eEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\u003c/p\u003e"
}
],
"value": "Use of Java\u0027s default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Creation of Temporary File With Insecure Permissions",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T19:05:56.194Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/google/guava/issues/2575"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230818-0008/"
},
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use of temporary directory for file creation in `FileBackedOutputStream` in Guava",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2023-2976",
"datePublished": "2023-06-14T17:36:40.640Z",
"dateReserved": "2023-05-30T13:15:41.560Z",
"dateUpdated": "2025-11-03T21:47:58.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3171 (GCVE-0-2022-3171)
Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2025-04-21 13:47
VLAI?
EPSS
Summary
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Severity ?
4.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Google LLC | Protocolbuffers |
Affected:
3.21.7 , < 3.21.7
(custom)
Affected: 3.20.3 , < 3.20.3 (custom) Affected: 3.19.6 , < 3.19.6 (custom) Affected: 3.16.3 , < 3.16.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.773Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:36:41.564407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:47:57.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"core and lite"
],
"product": "Protocolbuffers",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "3.21.7",
"versionType": "custom"
},
{
"lessThan": "3.20.3",
"status": "affected",
"version": "3.20.3",
"versionType": "custom"
},
{
"lessThan": "3.19.6",
"status": "affected",
"version": "3.19.6",
"versionType": "custom"
},
{
"lessThan": "3.16.3",
"status": "affected",
"version": "3.16.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T00:00:00.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Memory handling vulnerability in ProtocolBuffers Java core and lite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-3171",
"datePublished": "2022-10-12T00:00:00.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-04-21T13:47:57.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5237 (GCVE-0-2015-5237)
Vulnerability from cvelistv5 – Published: 2017-09-25 17:00 – Updated: 2024-08-06 06:41
VLAI?
EPSS
Summary
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:08.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/google/protobuf/issues/760"
},
{
"name": "[oss-security] 20150827 CVE-2015-5237: Integer overflow in protobuf serialization (currently minor)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/27/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1256426"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200425 [GitHub] [pulsar] guyv opened a new issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra28fed69eef3a71e5fe5daea001d0456b05b102044237330ec5c7c82%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r17dc6f394429f6bffb5e4c66555d93c2e9923cbbdc5a93db9a56c1c7%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r42e47994734cd1980ef3e204a40555336e10cc80096927aca2f37d90%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] guyv commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re6d04a214424a97ea59c62190d79316edf311a0a6346524dfef3b940%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] guyv edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1263fa5b51e4ec3cb8f09ff40e4747428c71198e9bee93349ec96a3c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200430 [GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r42ef6acfb0d86a2df0c2390702ecbe97d2104a331560f2790d17ca69%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb71dac1d9dd4e8a8ae3dbc033aeae514eda9be1263c1df3b42a530a2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r320dc858da88846ba00bb077bcca2cdf75b7dde0f6eb3a3d60dba6a1%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r85c9a764b573c786224688cc906c27e28343e18f5b33387f94cae90f%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5e52caf41dc49df55b4ee80758356fe1ff2a88179ff24c685de7c28d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] merlimat commented on issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf7539287c90be979bac94af9aaba34118fbf968864944b4871af48dd%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210128 [GitHub] [pulsar] codelipenghui closed issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1d274d647b3c2060df9be21eade4ce56d3a59998cf19ac72662dd994%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Assigned] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb40dc9d63a5331bce8e80865b7fa3af9dd31e16555affd697b6f3526%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Commented] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4886108206d4c535db9b20c813fe4723d4fe6a91b9278382af8b9d08%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Created] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5741f4dbdd129dbb9885f5fb170dc1b24a06b9313bedef5e67fded94%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210720 [jira] [Resolved] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r14fa8d38d5757254f1a2e112270c996711d514de2e3b01c93d397ab4%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[hadoop-common-dev] 20210823 [jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r00d9ab1fc0f1daf14cd4386564dd84f7889404438d81462c86dfa836%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r764fc66435ee4d185d359c28c0887d3e5866d7292a8d5598d9e7cbc4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2ea33ce5591a9cb9ed52750b6ab42ab658f529a7028c3166ba93c7d5%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Commented] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0ca83171c4898dc92b86fa6f484a7be1dc96206765f4d01dce0f1b28%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hbase-issues] 20210828 [jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210902 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "protobuf allows remote authenticated attackers to cause a heap-based buffer overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T14:06:08",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/google/protobuf/issues/760"
},
{
"name": "[oss-security] 20150827 CVE-2015-5237: Integer overflow in protobuf serialization (currently minor)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/27/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1256426"
},
{
"name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200425 [GitHub] [pulsar] guyv opened a new issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra28fed69eef3a71e5fe5daea001d0456b05b102044237330ec5c7c82%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r17dc6f394429f6bffb5e4c66555d93c2e9923cbbdc5a93db9a56c1c7%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r42e47994734cd1980ef3e204a40555336e10cc80096927aca2f37d90%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] guyv commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re6d04a214424a97ea59c62190d79316edf311a0a6346524dfef3b940%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200428 [GitHub] [pulsar] guyv edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1263fa5b51e4ec3cb8f09ff40e4747428c71198e9bee93349ec96a3c%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200430 [GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r42ef6acfb0d86a2df0c2390702ecbe97d2104a331560f2790d17ca69%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb71dac1d9dd4e8a8ae3dbc033aeae514eda9be1263c1df3b42a530a2%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r320dc858da88846ba00bb077bcca2cdf75b7dde0f6eb3a3d60dba6a1%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20200506 [GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r85c9a764b573c786224688cc906c27e28343e18f5b33387f94cae90f%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5e52caf41dc49df55b4ee80758356fe1ff2a88179ff24c685de7c28d%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210120 [GitHub] [pulsar] merlimat commented on issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf7539287c90be979bac94af9aaba34118fbf968864944b4871af48dd%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210128 [GitHub] [pulsar] codelipenghui closed issue #9250: Protobuf version used in broker and client affected by vulnerability CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1d274d647b3c2060df9be21eade4ce56d3a59998cf19ac72662dd994%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Assigned] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb40dc9d63a5331bce8e80865b7fa3af9dd31e16555affd697b6f3526%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Commented] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4886108206d4c535db9b20c813fe4723d4fe6a91b9278382af8b9d08%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210624 [jira] [Created] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5741f4dbdd129dbb9885f5fb170dc1b24a06b9313bedef5e67fded94%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210720 [jira] [Resolved] (SPARK-35877) Spark Protobuf jar has CVE issue CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r14fa8d38d5757254f1a2e112270c996711d514de2e3b01c93d397ab4%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[hadoop-common-dev] 20210823 [jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r00d9ab1fc0f1daf14cd4386564dd84f7889404438d81462c86dfa836%40%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r764fc66435ee4d185d359c28c0887d3e5866d7292a8d5598d9e7cbc4%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Created] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities CVEs #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2ea33ce5591a9cb9ed52750b6ab42ab658f529a7028c3166ba93c7d5%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210823 [jira] [Commented] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0ca83171c4898dc92b86fa6f484a7be1dc96206765f4d01dce0f1b28%40%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"name": "[hbase-issues] 20210828 [jira] [Commented] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ef574a5621b0e670a3ce641e9922543e34f22bf4c9ee9584aa67fcf%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r00097d0b5b6164ea428554007121d5dc1f88ba2af7b9e977a10572cd%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210828 [jira] [Created] (HBASE-26234) Protobuf-java-2.5.0.jar Has Several Security Vulnerabilities,CVE-2015-5237,CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd64381fb8f92d640c1975dc50dcdf1b8512e02a2a7b20292d3565cae%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hadoop-common-issues] 20210902 [jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7fed8dd9bee494094e7011cf3c2ab75bd8754ea314c6734688c42932%40%3Ccommon-issues.hadoop.apache.org%3E"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5237",
"datePublished": "2017-09-25T17:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:08.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25883 (GCVE-0-2022-25883)
Vulnerability from cvelistv5 – Published: 2023-06-21 05:00 – Updated: 2024-12-06 16:55
VLAI?
EPSS
Summary
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Credits
Alessio Della Libera - Snyk Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-25T13:07:28.542Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241025-0004/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25883",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:54:52.064322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:55:09.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "semver",
"vendor": "n/a",
"versions": [
{
"lessThan": "7.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera - Snyk Research Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-21T05:00:03.352Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25883",
"datePublished": "2023-06-21T05:00:03.352Z",
"dateReserved": "2022-02-24T11:58:25.192Z",
"dateUpdated": "2024-12-06T16:55:09.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32695 (GCVE-0-2023-32695)
Vulnerability from cvelistv5 – Published: 2023-05-27 15:44 – Updated: 2025-01-13 21:03
VLAI?
EPSS
Summary
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.
Severity ?
7.3 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| socketio | socket.io-parser |
Affected:
>= 4.0.0, < 4.2.3
Affected: >= 3.4.0, < 3.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3"
},
{
"name": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T21:03:23.583073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T21:03:34.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "socket.io-parser",
"vendor": "socketio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.2.3"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-27T15:44:03.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced"
},
{
"name": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3"
},
{
"name": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3"
}
],
"source": {
"advisory": "GHSA-cqmj-92xf-r6r9",
"discovery": "UNKNOWN"
},
"title": "Insufficient validation when decoding a Socket.IO packet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32695",
"datePublished": "2023-05-27T15:44:03.235Z",
"dateReserved": "2023-05-11T16:33:45.733Z",
"dateUpdated": "2025-01-13T21:03:34.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…