Total
553 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-0001 | 1 Intel | 4 Integrated Performance Primitives Cryptography, Sgx Dcap, Sgx Psw and 1 more | 2024-08-03 | 4.7 Medium |
| Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access. | ||||
| CVE-2022-48251 | 1 Arm | 20 Cortex-a53, Cortex-a53 Firmware, Cortex-a55 and 17 more | 2024-08-03 | 7.5 High |
| The AES instructions on the ARMv8 platform do not have an algorithm that is "intrinsically resistant" to side-channel attacks. NOTE: the vendor reportedly offers the position "while power side channel attacks ... are possible, they are not directly caused by or related to the Arm architecture." | ||||
| CVE-2022-47952 | 1 Linuxcontainers | 1 Lxc | 2024-08-03 | 3.3 Low |
| lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist. | ||||
| CVE-2022-46392 | 2 Arm, Fedoraproject | 2 Mbed Tls, Fedora | 2024-08-03 | 5.3 Medium |
| An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller. | ||||
| CVE-2022-45403 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2024-08-03 | 6.5 Medium |
| Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | ||||
| CVE-2022-45416 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2024-08-03 | 6.5 Medium |
| Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | ||||
| CVE-2022-45163 | 1 Nxp | 46 I.mx 6, I.mx 6 Firmware, I.mx 6dual and 43 more | 2024-08-03 | 5.3 Medium |
| An information-disclosure vulnerability exists on select NXP devices when configured in Serial Download Protocol (SDP) mode: i.MX RT 1010, i.MX RT 1015, i.MX RT 1020, i.MX RT 1050, i.MX RT 1060, i.MX 6 Family, i.MX 7Dual/Solo, i.MX 7ULP, i.MX 8M Quad, i.MX 8M Mini, and Vybrid. In a device security-enabled configuration, memory contents could potentially leak to physically proximate attackers via the respective SDP port in cold and warm boot attacks. (The recommended mitigation is to completely disable the SDP mode by programming a one-time programmable eFUSE. Customers can contact NXP for additional information.) | ||||
| CVE-2022-44381 | 1 Snipeitapp | 1 Snipe-it | 2024-08-03 | 5.3 Medium |
| Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request. | ||||
| CVE-2022-43411 | 1 Jenkins | 1 Gitlab | 2024-08-03 | 5.3 Medium |
| Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | ||||
| CVE-2022-43412 | 1 Jenkins | 1 Generic Webhook Trigger | 2024-08-03 | 5.3 Medium |
| Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | ||||
| CVE-2022-42288 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2024-08-03 | 5.3 Medium |
| NVIDIA BMC contains a vulnerability in IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to an information disclosure. | ||||
| CVE-2022-41914 | 1 Zulip | 1 Zulip Server | 2024-08-03 | 3.7 Low |
| Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management(SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be possible for an attacker to infer the value of the token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM client for its abilities to read and update user accounts in the Zulip organization. Organizations where SCIM account management has not been enabled are not affected. | ||||
| CVE-2022-41765 | 1 Mediawiki | 1 Mediawiki | 2024-08-03 | 5.3 Medium |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | ||||
| CVE-2022-41354 | 2 Linuxfoundation, Redhat | 2 Argo-cd, Openshift Gitops | 2024-08-03 | 4.3 Medium |
| An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications. | ||||
| CVE-2022-40982 | 5 Debian, Intel, Netapp and 2 more | 1058 Debian Linux, Celeron 5205u, Celeron 5205u Firmware and 1055 more | 2024-08-03 | 6.5 Medium |
| Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | ||||
| CVE-2022-40895 | 1 Nedi | 1 Nedi | 2024-08-03 | 9.1 Critical |
| In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=. | ||||
| CVE-2022-40482 | 1 Laravel | 1 Framework | 2024-08-03 | 5.3 Medium |
| The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist. | ||||
| CVE-2022-40084 | 1 Opencrx | 1 Opencrx | 2024-08-03 | 5.3 Medium |
| OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid. | ||||
| CVE-2022-39228 | 1 Vantage6 | 1 Vantage6 | 2024-08-03 | 5.3 Medium |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0. | ||||
| CVE-2022-37459 | 1 Amperecomputing | 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more | 2024-08-03 | 7.8 High |
| Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses and potentially hijack code flow to execute arbitrary code via a side-channel attack, aka a "Retbleed" issue. | ||||