Security
Headlines
HeadlinesLatestCVEs

Tag

#dos

CVE-2022-32143

In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required

CVE
Open in Source
#web#dos#pdf#auth
GHSA-rwqr-c348-m5wr: Denial of Service in aiohttp

aiohttp v3.8.1 was discovered to contain an invalid IPv6 URL which can lead to a Denial of Service (DoS).

GHSA-7r3r-gq8p-v9jj: Improper handling of CSS at-rules in lettersanitizer

### Impact All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule `@keyframes`. This package is depended on by [react-letter](https://github.com/mat-sz/react-letter), therefore everyone using react-letter is also at risk. ### Patches The problem has been patched in version 1.0.2. ### Workarounds There is no workaround besides upgrading. ### References The issue was originally reported in the react-letter repository: https://github.com/mat-sz/react-letter/issues/17 ### For more information If you have any questions or comments about this advisory: * Open an issue in [lettersanitizer](https://github.com/mat-sz/lettersanitizer/issues) * Email me at [contact@matsz.dev](mailto:contact@matsz.dev)

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2022-33070: Only shift unsigned values to avoid implementation-specific behavior. by millert · Pull Request #508 · protobuf-c/protobuf-c

Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2022-33068: UndefinedBehaviorSanitizer: signed integer overflow · Issue #3557 · harfbuzz/harfbuzz

An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2022-31361: Security Advisory: Docebo Community Edition <= 4.0.5 - Swascan

** UNSUPPORTED WHEN ASSIGNED ** Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2022-33124: nvalid IPv6 URL · Issue #6772 · aio-libs/aiohttp

** DISPUTED ** AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.

CVE-2022-33067: UndefinedBehaviorSanitizer: invalid shifts · Issue #224 · ckolivas/lrzip

Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp. These vulnerabilities allow attackers to cause a Denial of Service via unspecified vectors.

Red Hat Security Advisory 2022-5029-01

Red Hat Security Advisory 2022-5029-01 - This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. Issues addressed include denial of service and deserialization vulnerabilities.