The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2021-38787 | There is an integer overflow in the ION driver /dev/ion of Allwinner R818 SoC Android Q SDK V1.0 that could use the ioctl cmd COMPAT_ION_IOC_SUNXI_FLUSH_RANGE to cause a system crash (denial of service). | HIGH | Jan 19, 2022 |
| CVE-2021-38786 | There is a NULL pointer dereference in media/libcedarc/vdecoder of Allwinner R818 SoC Android Q SDK V1.0, which could cause a media crash (denial of service). | MEDIUM | Jan 19, 2022 |
| CVE-2021-31854 | A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges. | HIGH | Jan 19, 2022 |
| CVE-2021-31821 | When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image | LOW | Jan 19, 2022 |
| CVE-2022-23120 | A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: an attacker must first obtain access to the target agent in an un-activated and unconfigured state in order to exploit this vulnerability. | MEDIUM | Jan 20, 2022 |
| CVE-2022-23119 | A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system. Please note: an attacker must first obtain compromised access to the target Deep Security Manager (DSM) or the target agent must be not yet activated or configured in order to exploit this vulnerability. | MEDIUM | Jan 20, 2022 |
| CVE-2022-23046 | PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the subnet parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php | MEDIUM | Jan 20, 2022 |
| CVE-2022-23045 | PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the Site title parameter while updating the site settings. The Site title setting is injected in several locations which triggers the XSS. | LOW | Jan 20, 2022 |
| CVE-2022-22820 | Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4. | MEDIUM | Jan 20, 2022 |
| CVE-2022-22769 | The Web server component of TIBCO Software Inc.\'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.\'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below. | MEDIUM | Jan 20, 2022 |
| CVE-2022-22733 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions. | MEDIUM | Jan 20, 2022 |
| CVE-2022-21704 | log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update. | LOW | Jan 20, 2022 |
| CVE-2022-21701 | Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users. | MEDIUM | Jan 20, 2022 |
| CVE-2022-21699 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. | MEDIUM | Jan 20, 2022 |
| CVE-2022-21679 | Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy. | HIGH | Jan 20, 2022 |
| CVE-2022-21658 | Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn\'t otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don\'t have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions. | LOW | Jan 20, 2022 |
| CVE-2022-21242 | Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0 and 20.0.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | MEDIUM | Jan 20, 2022 |
| CVE-2022-0285 | Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9. | LOW | Jan 20, 2022 |
| CVE-2022-0282 | Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11. | MEDIUM | Jan 20, 2022 |
| CVE-2022-0281 | Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. | MEDIUM | Jan 20, 2022 |
| CVE-2022-0278 | Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | LOW | Jan 20, 2022 |
| CVE-2022-0277 | Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11. | MEDIUM | Jan 20, 2022 |
| CVE-2022-0219 | Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46351 | There is an Assertion \'local_tza == ecma_date_local_time_zone_adjustment (date_value)\' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46350 | There is an Assertion \'ecma_is_value_object (value)\' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46349 | There is an Assertion \'type == ECMA_OBJECT_TYPE_GENERAL || type == ECMA_OBJECT_TYPE_PROXY\' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46348 | There is an Assertion \'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)\' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46347 | There is an Assertion \'ecma_object_check_class_name_is_object (obj_p)\' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46346 | There is an Assertion \'local_tza == ecma_date_local_time_zone_adjustment (date_value)\' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46345 | There is an Assertion \'cesu8_cursor_p == cesu8_end_p\' failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46344 | There is an Assertion \'flags & PARSER_PATTERN_HAS_REST_ELEMENT\' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46343 | There is an Assertion \'context_p->token.type == LEXER_LITERAL\' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46342 | There is an Assertion \'ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p)\' failed at /jerry-core/ecma/base/ecma-helpers.c in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46340 | There is an Assertion \'context_p->stack_top_uint8 == SCAN_STACK_TRY_STATEMENT || context_p->stack_top_uint8 == SCAN_STACK_CATCH_STATEMENT\' failed at /parser/js/js-scanner.c(scanner_scan_statement_end) in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46339 | There is an Assertion \'lit_is_valid_cesu8_string (string_p, string_size)\' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46338 | There is an Assertion \'ecma_is_lexical_environment (object_p)\' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46337 | There is an Assertion \'page_p != NULL\' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46336 | There is an Assertion \'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT\' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46335 | Moddable SDK v11.5.0 was discovered to contain a NULL pointer dereference in the component fx_Function_prototype_hasInstance. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46334 | Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46333 | Moddable SDK v11.5.0 was discovered to contain an invalid memory access vulnerability via the component __asan_memmove. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46332 | Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via xs/sources/xsDataView.c in fxUint8Getter. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46331 | Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsProxy.c in fxProxyGetPrototype. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46330 | Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsDataView.c in fx_ArrayBuffer_prototype_concat. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46329 | Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46328 | Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46327 | Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsArray.c in fx_Array_prototype_sort. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46326 | Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __asan_memcpy. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46325 | Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf. | MEDIUM | Jan 20, 2022 |
| CVE-2021-46324 | Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString. | MEDIUM | Jan 20, 2022 |
