Total
388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39227 | 1 Python-jwt Project | 1 Python-jwt | 2024-11-21 | N/A | 9.1 CRITICAL |
| python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds. | |||||
| CVE-2022-38164 | 1 F-secure | 1 Safe | 2024-11-21 | N/A | 6.5 MEDIUM |
| A vulnerability affecting F-Secure SAFE browser for Android and iOS was discovered. A maliciously crafted website could make a phishing attack with URL spoofing as the browser only display certain part of the entire URL. | |||||
| CVE-2022-37709 | 1 Tesla | 3 Model 3, Model 3 Firmware, Tesla | 2024-11-21 | N/A | 5.3 MEDIUM |
| Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3's Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key. | |||||
| CVE-2022-36331 | 1 Westerndigital | 24 My Cloud, My Cloud Dl2100, My Cloud Dl2100 Firmware and 21 more | 2024-11-21 | N/A | 10.0 CRITICAL |
| Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102. | |||||
| CVE-2022-35957 | 2 Fedoraproject, Grafana | 2 Fedora, Grafana | 2024-11-21 | N/A | 6.6 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ | |||||
| CVE-2022-35629 | 1 Rapid7 | 1 Velociraptor | 2024-11-21 | N/A | 5.4 MEDIUM |
| Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2. | |||||
| CVE-2022-33991 | 1 Dproxy-nexgen Project | 1 Dproxy-nexgen | 2024-11-21 | N/A | 5.3 MEDIUM |
| dproxy-nexgen (aka dproxy nexgen) forwards and caches DNS queries with the CD (aka checking disabled) bit set to 1. This leads to disabling of DNSSEC protection provided by upstream resolvers. | |||||
| CVE-2022-32983 | 1 Nic | 1 Knot Resolver | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters. | |||||
| CVE-2022-32747 | 1 Schneider-electric | 1 Ecostruxure Cybersecurity Admin Expert | 2024-11-21 | N/A | 8.0 HIGH |
| A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxureâ„¢ Cybersecurity Admin Expert (CAE) (Versions prior to 2.2) | |||||
| CVE-2022-32744 | 1 Samba | 1 Samba | 2024-11-21 | N/A | 8.8 HIGH |
| A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover. | |||||
| CVE-2022-31149 | 1 Activitywatch | 1 Activitywatch | 2024-11-21 | N/A | 8.8 HIGH |
| ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1. | |||||
| CVE-2022-30319 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2024-11-21 | N/A | 8.1 HIGH |
| Saia Burgess Controls (SBC) PCD through 2022-05-06 allows Authentication bypass. According to FSCT-2022-0062, there is a Saia Burgess Controls (SBC) PCD S-Bus authentication bypass issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication functions on the basis of a MAC/IP whitelist with inactivity timeout to which an authenticated client's MAC/IP is stored. UDP traffic can be spoofed to bypass the whitelist-based access control. Since UDP is stateless, an attacker capable of passively observing traffic can spoof arbitrary messages using the MAC/IP of an authenticated client. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration. | |||||
| CVE-2022-2368 | 1 Microweber | 1 Microweber | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
| Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. | |||||
| CVE-2022-2324 | 1 Sonicwall | 1 Email Security | 2024-11-21 | N/A | 7.5 HIGH |
| Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. This vulnerability impacts 10.0.17.7319 and earlier versions | |||||
| CVE-2022-2310 | 1 Skyhighsecurity | 1 Secure Web Gateway | 2024-11-21 | N/A | 10.0 CRITICAL |
| An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote attacker to bypass authentication into the administration User Interface. This is possible because of SWG incorrectly whitelisting authentication bypass methods and using a weak crypto password. This can lead to the attacker logging into the SWG admin interface, without valid credentials, as the super user with complete control over the SWG. | |||||
| CVE-2022-29218 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH |
| RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious package. The bug has been patched, and is believed to have never been exploited, based on an extensive review of logs and existing gems by rubygems. The easiest way to ensure that an application has not been exploited by this vulnerability is to verify all downloaded .gems checksums match the checksum recorded in the RubyGems.org database. RubyGems.org has been patched and is no longer vulnerable to this issue. | |||||
| CVE-2022-29165 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 9.3 HIGH | 10.0 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable. | |||||
| CVE-2022-26910 | 1 Microsoft | 1 Skype For Business Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Skype for Business and Lync Spoofing Vulnerability | |||||
| CVE-2022-26505 | 2 Debian, Readymedia Project | 2 Debian Linux, Readymedia | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. | |||||
| CVE-2022-25989 | 1 Anker | 2 Eufy Homebase 2, Eufy Homebase 2 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability. | |||||