CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2022(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-46146 287 Bypass 2022-11-29 2022-12-02
0.0
None ??? ??? ??? ??? ??? ???
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, i someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
2 CVE-2022-44721 Bypass 2022-12-04 2022-12-04
0.0
None ??? ??? ??? ??? ??? ???
CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)
3 CVE-2022-44244 287 Bypass 2022-11-09 2022-11-17
0.0
None ??? ??? ??? ??? ??? ???
An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator.
4 CVE-2022-44001 306 Bypass 2022-11-17 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.
5 CVE-2022-43749 269 Bypass 2022-10-26 2022-10-28
0.0
None ??? ??? ??? ??? ??? ???
Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors.
6 CVE-2022-43690 287 Bypass 2022-11-14 2022-11-17
0.0
None ??? ??? ??? ??? ??? ???
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
7 CVE-2022-43566 269 Bypass 2022-11-04 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
8 CVE-2022-43565 20 Bypass 2022-11-04 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the ‘tstats command handles Javascript Object Notation (JSON) lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.
9 CVE-2022-43563 20 Bypass 2022-11-04 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
10 CVE-2022-43408 838 Bypass CSRF 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
11 CVE-2022-43407 838 Bypass CSRF 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.
12 CVE-2022-43406 693 Exec Code Bypass 2022-10-19 2022-10-24
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
13 CVE-2022-43405 Exec Code Bypass 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
14 CVE-2022-43404 693 Exec Code Bypass 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
15 CVE-2022-43403 693 Exec Code Bypass 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
16 CVE-2022-43402 693 Exec Code Bypass 2022-10-19 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
17 CVE-2022-43401 693 Exec Code Bypass 2022-10-19 2022-10-31
0.0
None ??? ??? ??? ??? ??? ???
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
18 CVE-2022-42983 290 Bypass 2022-10-17 2022-10-20
0.0
None ??? ??? ??? ??? ??? ???
anji-plus AJ-Report 0.9.8.6 allows remote attackers to bypass login authentication by spoofing JWT Tokens.
19 CVE-2022-42916 319 Bypass 2022-10-29 2022-11-14
0.0
None ??? ??? ??? ??? ??? ???
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
20 CVE-2022-42793 20 Bypass 2022-11-01 2022-11-03
0.0
None ??? ??? ??? ??? ??? ???
An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6. An app may be able to bypass code signing checks.
21 CVE-2022-42785 306 Bypass 2022-11-15 2022-11-21
0.0
None ??? ??? ??? ??? ??? ???
Multiple W&T products of the ComServer Series are prone to an authentication bypass. An unathenticated remote attacker, can log in without knowledge of the password by crafting a modified HTTP GET Request.
22 CVE-2022-42463 287 Bypass 2022-10-14 2022-10-17
0.0
None ??? ??? ??? ??? ??? ???
OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softbus_server in communication subsystem. Attackers can launch attacks on distributed networks by sending Bluetooth rfcomm packets to any remote device and executing arbitrary commands.
23 CVE-2022-42342 125 Bypass 2022-10-14 2022-10-18
0.0
None ??? ??? ??? ??? ??? ???
Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30381 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
24 CVE-2022-42327 Bypass 2022-11-01 2022-11-24
0.0
None ??? ??? ??? ??? ??? ???
x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests.
25 CVE-2022-42233 287 Bypass 2022-10-20 2022-10-24
0.0
None ??? ??? ??? ??? ??? ???
Tenda 11N with firmware version V5.07.33_cn suffers from an Authentication Bypass vulnerability.
26 CVE-2022-42064 89 Sql Bypass 2022-10-14 2022-10-15
0.0
None ??? ??? ??? ??? ??? ???
Online Diagnostic Lab Management System version 1.0 remote exploit that bypasses login with SQL injection and then uploads a shell.
27 CVE-2022-41974 269 Bypass 2022-10-29 2022-12-01
0.0
None ??? ??? ??? ??? ??? ???
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.
28 CVE-2022-41919 352 Bypass CSRF 2022-11-22 2022-11-26
0.0
None ??? ??? ??? ??? ??? ???
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.
29 CVE-2022-41912 287 Bypass 2022-11-28 2022-12-01
0.0
None ??? ??? ??? ??? ??? ???
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.
30 CVE-2022-41890 704 Bypass 2022-11-18 2022-11-22
0.0
None ??? ??? ??? ??? ??? ???
TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in `tf.experimental.numpy.outer` by passing in large input to the input `b`. We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
31 CVE-2022-41889 476 Bypass 2022-11-18 2022-11-22
0.0
None ??? ??? ??? ??? ??? ???
TensorFlow is an open source platform for machine learning. If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in `tf.compat.v1.extract_volume_patches` by passing in quantized tensors as input `ksizes`. We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce. The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
32 CVE-2022-41879 1321 Bypass 2022-11-10 2022-11-15
0.0
None ??? ??? ??? ??? ??? ???
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds.
33 CVE-2022-41878 1321 Bypass 2022-11-10 2022-11-15
0.0
None ??? ??? ??? ??? ??? ???
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19, and 5.3.2. If upgrade is not possible, the following Workarounds may be applied: Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.
34 CVE-2022-41874 706 Bypass 2022-11-10 2022-11-15
0.0
None ??? ??? ??? ??? ??? ???
Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json.
35 CVE-2022-41799 862 Bypass 2022-10-24 2022-10-24
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users.
36 CVE-2022-41748 276 Bypass 2022-10-10 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
A registry permissions vulnerability in the Trend Micro Apex One Data Loss Prevention (DLP) module could allow a local attacker with administrative credentials to bypass certain elements of the product's anti-tampering mechanisms on affected installations. Please note: an attacker must first obtain administrative credentials on the target system in order to exploit this vulnerability.
37 CVE-2022-41652 Bypass 2022-11-18 2022-11-21
0.0
None ??? ??? ??? ??? ??? ???
Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress.
38 CVE-2022-41604 269 Bypass 2022-09-27 2022-09-30
0.0
None ??? ??? ??? ??? ??? ???
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. This occurs because of weak permissions for the %PROGRAMDATA%\CheckPoint\ZoneAlarm\Data\Updates directory, and a self-protection driver bypass that allows creation of a junction directory. This can be leveraged to perform an arbitrary file move as NT AUTHORITY\SYSTEM.
39 CVE-2022-41155 863 Bypass 2022-11-19 2022-11-23
0.0
None ??? ??? ??? ??? ??? ???
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
40 CVE-2022-41104 Bypass 2022-11-09 2022-11-11
0.0
None ??? ??? ??? ??? ??? ???
Microsoft Excel Security Feature Bypass Vulnerability.
41 CVE-2022-41099 Bypass 2022-11-09 2022-11-14
0.0
None ??? ??? ??? ??? ??? ???
BitLocker Security Feature Bypass Vulnerability.
42 CVE-2022-41091 Bypass 2022-11-09 2022-11-14
0.0
None ??? ??? ??? ??? ??? ???
Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.
43 CVE-2022-41049 Bypass 2022-11-09 2022-11-15
0.0
None ??? ??? ??? ??? ??? ???
Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41091.
44 CVE-2022-40843 863 Bypass 2022-11-15 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
The Tenda AC1200 V-W15Ev2 V15.11.0.10(1576) router is vulnerable to improper authorization / improper session management that allows the router login page to be bypassed. This leads to authenticated attackers having the ability to read the routers syslog.log file which contains the MD5 password of the Administrator's user account.
45 CVE-2022-40772 269 Bypass 2022-11-23 2022-11-29
0.0
None ??? ??? ??? ??? ??? ???
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
46 CVE-2022-40716 252 Bypass 2022-09-23 2022-09-26
0.0
None ??? ??? ??? ??? ??? ???
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
47 CVE-2022-40703 287 Bypass 2022-10-26 2022-10-28
0.0
None ??? ??? ??? ??? ??? ???
CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Kardia App version 5.17.1-754993421 and prior on Android allows an unauthenticated attacker with physical access to the Android device containing the app to bypass application authentication and alter information in the app.
48 CVE-2022-40684 306 Bypass 2022-10-18 2022-10-20
0.0
None ??? ??? ??? ??? ??? ???
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
49 CVE-2022-40664 287 Bypass 2022-10-12 2022-11-18
0.0
None ??? ??? ??? ??? ??? ???
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
50 CVE-2022-40635 913 Exec Code Bypass 2022-09-13 2022-09-16
0.0
None ??? ??? ??? ??? ??? ???
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
Total number of vulnerabilities : 942   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.