Total
2847 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-27508 | 1 Citrix | 2 Application Delivery Controller, Gateway | 2024-08-03 | 7.5 High |
| Unauthenticated denial of service | ||||
| CVE-2022-27507 | 1 Citrix | 2 Application Delivery Controller, Gateway | 2024-08-03 | 6.5 Medium |
| Authenticated denial of service | ||||
| CVE-2022-27194 | 1 Siemens | 3 Simatic Pcs Neo, Sinetplan, Totally Integrated Automation Portal | 2024-08-03 | 7.5 High |
| A vulnerability has been identified in SIMATIC PCS neo (Administration Console) (All versions < V3.1 SP1), SINETPLAN (All versions), TIA Portal (V15, V15.1, V16 and V17). The affected system cannot properly process specially crafted packets sent to port 8888/tcp. A remote attacker could exploit this vulnerability to cause a Denial-of-Service condition. The affected devices must be restarted manually. | ||||
| CVE-2022-26832 | 1 Microsoft | 12 .net, .net Framework, Windows 10 and 9 more | 2024-08-03 | 7.5 High |
| .NET Framework Denial of Service Vulnerability | ||||
| CVE-2022-26498 | 2 Debian, Digium | 2 Debian Linux, Asterisk | 2024-08-03 | 7.5 High |
| An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. | ||||
| CVE-2022-26477 | 1 Apache | 1 Systemds | 2024-08-03 | 7.5 High |
| The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data but in many code paths (e.g., on Spark broadcast/shuffle or writing to sequence files) the byte stream is anyway protected by additional CRC fingerprints. In this particular case though, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1. | ||||
| CVE-2022-25779 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-08-03 | 4.3 Medium |
| Logging of Excessive Data vulnerability in audit log of Secomea GateManager allows logged in user to write text entries in audit log. This issue affects: Secomea GateManager versions prior to 9.7. | ||||
| CVE-2022-25622 | 1 Siemens | 23 Simatic Cfu Diq, Simatic Cfu Diq Firmware, Simatic Cfu Pa and 20 more | 2024-08-03 | 5.3 Medium |
| The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, improperly handles internal resources for TCP segments where the minimum TCP-Header length is less than defined. This could allow an attacker to create a denial of service condition for TCP services on affected devices by sending specially crafted TCP segments. | ||||
| CVE-2022-25313 | 6 Debian, Fedoraproject, Libexpat Project and 3 more | 8 Debian Linux, Fedora, Libexpat and 5 more | 2024-08-03 | 6.5 Medium |
| In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | ||||
| CVE-2022-24921 | 4 Debian, Golang, Netapp and 1 more | 11 Debian Linux, Go, Astra Trident and 8 more | 2024-08-03 | 7.5 High |
| regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | ||||
| CVE-2022-24902 | 1 Python | 1 Tkvideoplayer | 2024-08-03 | 2.9 Low |
| TkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version 2.0.0 or later. | ||||
| CVE-2022-24863 | 1 Http-swagger Project | 1 Http-swagger | 2024-08-03 | 7.5 High |
| http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down to improper handling of http methods. Users are advised to upgrade. Users unable to upgrade may to restrict the path prefix to the "GET" method as a workaround. | ||||
| CVE-2022-24839 | 2 Nekohtml Project, Oracle | 2 Nekohtml, Weblogic Server | 2024-08-03 | 7.5 High |
| org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. | ||||
| CVE-2022-24741 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-03 | 3.5 Low |
| Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8 , 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the `'enable_previews'` config flag. | ||||
| CVE-2022-24713 | 4 Debian, Fedoraproject, Redhat and 1 more | 6 Debian Linux, Fedora, Enterprise Linux and 3 more | 2024-08-03 | 7.5 High |
| regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes. | ||||
| CVE-2022-24729 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 9 Ckeditor, Drupal, Fedora and 6 more | 2024-08-03 | 6.5 Medium |
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. | ||||
| CVE-2022-24726 | 2 Istio, Redhat | 2 Istio, Service Mesh | 2024-08-03 | 7.5 High |
| Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities. | ||||
| CVE-2022-24678 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2024-08-03 | 7.5 High |
| An security agent resource exhaustion denial-of-service vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service, Trend Micro Worry-Free Business Security 10.0 SP1 and Trend Micro Worry-Free Business Security Services agents could allow an attacker to flood a temporary log location and consume all disk space on affected installations. | ||||
| CVE-2022-24614 | 2 Metadata-extractor Project, Redhat | 2 Metadata-extractor, Jboss Fuse | 2024-08-03 | 5.5 Medium |
| When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library. | ||||
| CVE-2022-24615 | 1 Zip4j Project | 1 Zip4j | 2024-08-03 | 5.5 Medium |
| zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library. | ||||