Total
1340 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-28218 | 1 Ciphermail | 1 Webmail Messenger | 2024-11-21 | 5.5 Medium |
| An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA). | ||||
| CVE-2022-27960 | 1 Ofcms Project | 1 Ofcms | 2024-11-21 | 5.4 Medium |
| Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information. | ||||
| CVE-2022-27958 | 1 Febs-security Project | 1 Febs-security | 2024-11-21 | 5.4 Medium |
| Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information. | ||||
| CVE-2022-27919 | 1 Gradle | 1 Enterprise | 2024-11-21 | 9.8 Critical |
| Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API. | ||||
| CVE-2022-27840 | 1 Samsung | 1 Recovery | 2024-11-21 | 4.4 Medium |
| Improper access control vulnerability in SamsungRecovery prior to version 8.1.43.0 allows local attckers to delete arbitrary files as SamsungRecovery permission. | ||||
| CVE-2022-27652 | 4 Fedoraproject, Kubernetes, Mobyproject and 1 more | 5 Fedora, Cri-o, Moby and 2 more | 2024-11-21 | 5.3 Medium |
| A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. | ||||
| CVE-2022-27651 | 3 Buildah Project, Fedoraproject, Redhat | 4 Buildah, Fedora, Enterprise Linux and 1 more | 2024-11-21 | 6.8 Medium |
| A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity. | ||||
| CVE-2022-27650 | 3 Crun Project, Fedoraproject, Redhat | 4 Crun, Fedora, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
| A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. | ||||
| CVE-2022-27649 | 3 Fedoraproject, Podman Project, Redhat | 15 Fedora, Podman, Developer Tools and 12 more | 2024-11-21 | 7.5 High |
| A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. | ||||
| CVE-2022-26855 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 5.5 Medium |
| Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service. | ||||
| CVE-2022-26595 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-11-21 | 4.3 Medium |
| Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI. | ||||
| CVE-2022-26235 | 1 Beckmancoulter | 1 Remisol Advance | 2024-11-21 | 7.8 High |
| A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server. On installation, the permissions set by Remisol Advance allow non-privileged users to overwrite and/or manipulate executables and libraries that run as the elevated SYSTEM user on Windows. | ||||
| CVE-2022-25943 | 1 Kingsoft | 1 Wps Office | 2024-11-21 | 7.8 High |
| The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed. | ||||
| CVE-2022-25815 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | ||||
| CVE-2022-25814 | 1 Google | 1 Android | 2024-11-21 | 5.5 Medium |
| PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | ||||
| CVE-2022-25804 | 1 Igel | 1 Universal Management Suite | 2024-11-21 | 5.5 Medium |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. Insecure permissions for the serverconfig registry key (under JavaSoft\Prefs\de\igel\rm\config in HKEY_LOCAL_MACHINE\SOFTWARE) allow an unprivileged local attacker to read the encrypted dbuser and dbpassword values for the UMS superuser. | ||||
| CVE-2022-25570 | 1 Clickstudios | 1 Passwordstate | 2024-11-21 | 6.5 Medium |
| In Click Studios (SA) Pty Ltd Passwordstate 9435, users with access to a passwordlist can gain access to additional password lists without permissions. Specifically, an authenticated user who has write permissions to a password list in one folder (with the default permission model) can extend his permissions to all other password lists in the same folder. | ||||
| CVE-2022-25364 | 1 Gradle | 1 Enterprise | 2024-11-21 | 8.1 High |
| In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.) | ||||
| CVE-2022-24769 | 6 Debian, Fedoraproject, Linux and 3 more | 6 Debian Linux, Fedora, Linux Kernel and 3 more | 2024-11-21 | 5.9 Medium |
| Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. | ||||
| CVE-2022-24343 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 4.3 Medium |
| In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. | ||||