# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2022-32278 |
|
|
Exec Code |
2022-06-13 |
2022-06-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server. |
2 |
CVE-2022-31799 |
755 |
|
|
2022-06-02 |
2022-06-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Bottle before 0.12.20 mishandles errors during early request binding. |
3 |
CVE-2022-30688 |
269 |
|
|
2022-05-17 |
2022-05-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files. |
4 |
CVE-2022-29221 |
94 |
|
|
2022-05-24 |
2022-06-06 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. |
5 |
CVE-2022-28739 |
125 |
|
|
2022-05-09 |
2022-06-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. |
6 |
CVE-2022-27239 |
787 |
|
Overflow +Priv |
2022-04-27 |
2022-06-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. |
7 |
CVE-2022-26847 |
200 |
|
+Info |
2022-03-10 |
2022-03-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects. |
8 |
CVE-2022-26846 |
|
|
Exec Code |
2022-03-10 |
2022-03-18 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code. |
9 |
CVE-2022-26691 |
269 |
|
+Priv |
2022-05-26 |
2022-06-16 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges. |
10 |
CVE-2022-26662 |
776 |
|
|
2022-03-10 |
2022-03-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. |
11 |
CVE-2022-26661 |
611 |
|
|
2022-03-10 |
2022-03-18 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. |
12 |
CVE-2022-26496 |
787 |
|
Overflow |
2022-03-06 |
2022-04-25 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name. |
13 |
CVE-2022-26495 |
190 |
|
Overflow |
2022-03-06 |
2022-04-25 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages. |
14 |
CVE-2022-25375 |
668 |
|
+Info |
2022-02-20 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory. |
15 |
CVE-2022-25315 |
190 |
|
Overflow |
2022-02-18 |
2022-06-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. |
16 |
CVE-2022-25314 |
190 |
|
Overflow |
2022-02-18 |
2022-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. |
17 |
CVE-2022-25313 |
400 |
|
|
2022-02-18 |
2022-06-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. |
18 |
CVE-2022-25258 |
476 |
|
Mem. Corr. |
2022-02-16 |
2022-05-11 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur. |
19 |
CVE-2022-25236 |
668 |
|
|
2022-02-16 |
2022-06-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. |
20 |
CVE-2022-25235 |
116 |
|
|
2022-02-16 |
2022-06-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. |
21 |
CVE-2022-24959 |
401 |
|
|
2022-02-11 |
2022-05-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c. |
22 |
CVE-2022-24884 |
347 |
|
|
2022-05-06 |
2022-05-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable. |
23 |
CVE-2022-24713 |
400 |
|
DoS Bypass |
2022-03-08 |
2022-06-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes. |
24 |
CVE-2022-24448 |
909 |
|
|
2022-02-04 |
2022-05-12 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. |
25 |
CVE-2022-24407 |
89 |
|
Sql |
2022-02-24 |
2022-04-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. |
26 |
CVE-2022-24301 |
276 |
|
|
2022-02-02 |
2022-02-28 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
In Minetest before 5.4.0, players can add or subtract items from a different player's inventory. |
27 |
CVE-2022-24300 |
74 |
|
|
2022-02-02 |
2022-02-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection. |
28 |
CVE-2022-24070 |
416 |
|
Mem. Corr. |
2022-04-12 |
2022-04-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. |
29 |
CVE-2022-23990 |
190 |
|
Overflow |
2022-01-26 |
2022-06-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. |
30 |
CVE-2022-23959 |
444 |
|
|
2022-01-26 |
2022-03-17 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. |
31 |
CVE-2022-23221 |
94 |
|
Exec Code |
2022-01-19 |
2022-04-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. |
32 |
CVE-2022-23094 |
476 |
|
DoS |
2022-01-15 |
2022-01-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6. |
33 |
CVE-2022-22844 |
125 |
|
|
2022-01-10 |
2022-04-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. |
34 |
CVE-2022-22817 |
|
|
|
2022-01-10 |
2022-04-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used, |
35 |
CVE-2022-22816 |
125 |
|
|
2022-01-10 |
2022-02-16 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. |
36 |
CVE-2022-22815 |
665 |
|
|
2022-01-10 |
2022-05-04 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. |
37 |
CVE-2022-22707 |
787 |
|
DoS Overflow |
2022-01-06 |
2022-01-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. |
38 |
CVE-2022-21699 |
250 |
|
Exec Code |
2022-01-19 |
2022-03-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. |
39 |
CVE-2022-21682 |
22 |
|
Dir. Trav. |
2022-01-13 |
2022-02-10 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
Flatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`. |
40 |
CVE-2022-21664 |
89 |
|
Sql |
2022-01-06 |
2022-04-12 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
41 |
CVE-2022-21663 |
74 |
|
Bypass |
2022-01-06 |
2022-04-12 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
42 |
CVE-2022-21662 |
79 |
|
XSS |
2022-01-06 |
2022-04-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
43 |
CVE-2022-21661 |
89 |
|
Sql |
2022-01-06 |
2022-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. |
44 |
CVE-2022-21476 |
|
|
|
2022-04-19 |
2022-05-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). |
45 |
CVE-2022-21449 |
|
|
|
2022-04-19 |
2022-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). |
46 |
CVE-2022-21443 |
|
|
DoS |
2022-04-19 |
2022-05-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). |
47 |
CVE-2022-21366 |
|
|
DoS |
2022-01-19 |
2022-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). |
48 |
CVE-2022-21365 |
|
|
DoS |
2022-01-19 |
2022-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). |
49 |
CVE-2022-21360 |
|
|
DoS |
2022-01-19 |
2022-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). |
50 |
CVE-2022-21341 |
|
|
DoS |
2022-01-19 |
2022-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). |