ALPINE-CVE-2022-39269

PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users tha...

UBUNTU-CVE-2022-39269

PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users tha...

CVE-2022-39280 Regular expression denial of service in dparse

dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version...

CVE-2022-29240 Uninitialized memory read in LZ4 decompression leads to authentication bypass in Scylla

Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part of...

UBUNTU-CVE-2022-39209

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the...

PT-2022-19396 · Fortinet · Fortisoar

Name of the Vulnerable Software and Affected Versions: Fortinet FortiSOAR versions prior to 7.2.1 Description: The issue is related to an improper neutralization of special elements used in an OS command, allowing an authenticated attacker to execute unauthorized code or commands via crafted HTTP...

PT-2022-20564 · Unknown · Activitywatch

Name of the Vulnerable Software and Affected Versions: ActivityWatch versions prior to 0.12.0b2 Description: The issue allows attackers to perform DNS rebinding attacks, giving them full access to the ActivityWatch REST API. This impacts all users running the affected versions of ActivityWatch...

PT-2022-4143 · Atlassian · Jira

Name of the Vulnerable Software and Affected Versions: Atlassian Jira Server and Data Center versions prior to 8.20.8 Description: The issue allows anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting RXSS vulnerability in the "TeamManagement.jspa...

UBUNTU-CVE-2022-24809

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a GET-NEXT to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong...

PT-2022-7447 · Net Snmp +8 · Net-Snmp +8

Name of the Vulnerable Software and Affected Versions: net-snmp versions prior to 5.9.2 Description: The issue is related to a NULL pointer dereference in the nsVacmAccessTable component of the net-snmp software. This can be caused by a user with read-write credentials using a malformed OID in a...

GHSA-3FVG-4V2M-98JF JWS and JWT signature validation vulnerability with special characters

Impact Jsrsasign supports JWSJSON Web Signatures and JWTJSON Web Token validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. For example, even if a string of non Base64URL encoding characters such...

PT-2022-20472 · Minio +1 · Minio +1

Name of the Vulnerable Software and Affected Versions: MinIO versions RELEASE.2019-09-25T18-25-51Z through RELEASE.2022-06-02T02-11-04Z Description: The issue is related to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

UBUNTU-CVE-2022-29221

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious block name or include file name. Sites that cannot fully trust template authors shou...

DEBIAN-CVE-2022-29181

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors segfault or reads from unrelated memory. Version 1.13.6...

grafana: directory traversal vulnerability

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension...

PYSEC-2022-68

Tensorflow is an Open Source Machine Learning Framework. An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations. Both embeddingsize and lookupsize are products of values provided by the user. Hence, a malicious user could trigger overflows in the...

PT-2022-10090 · Unknown · October Cms

Name of the Vulnerable Software and Affected Versions: October CMS versions prior to 1.0.473 and 1.1.6 Description: October CMS is a self-hosted content management system CMS platform based on the Laravel PHP Framework. An attacker with access to the backend can execute PHP code by using the them...

CVE-2022-21667

soketi is an open-source WebSockets server. There is an unhandled case when reading POST requests which results in the server crashing if it could not read the body of a request. In the event that a POST request is sent to any endpoint of the server with an empty body, even unauthenticated with t...

CVE-2021-21408 Access to restricted PHP code by dynamic static class access in smarty

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch...

CVE-2021-21408 Access to restricted PHP code by dynamic static class access in smarty

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch...