Total
1619 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-31018 | 1 Lightbend | 1 Play Framework | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled—as it is by default—then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary. As a workaround, applications that do not need to parse a request body of type `application/json` can switch from the default body parser to another body parser that supports only the specific type of body they expect. | |||||
CVE-2021-0092 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2024-02-28 | 2.1 LOW | 4.4 MEDIUM |
Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access. | |||||
CVE-2022-27181 | 1 F5 | 1 Big-ip Access Policy Manager | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when APM is configured on a virtual server and the associated access profile is configured with APM AAA NTLM Auth, undisclosed requests can cause an increase in internal resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2022-29480 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
On F5 BIG-IP 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when multiple route domains are configured, undisclosed requests to big3d can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2022-29866 | 1 Opcfoundation | 1 Ua .net Standard Stack | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption. | |||||
CVE-2022-25326 | 1 Google | 1 Fscrypt | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable. | |||||
CVE-2022-20760 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device. This vulnerability is due to a lack of proper processing of incoming requests. An attacker could exploit this vulnerability by sending crafted DNS requests at a high rate to an affected device. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition. | |||||
CVE-2021-22100 | 1 Cloudfoundry | 2 Capi-release, Cf-deployment | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps. | |||||
CVE-2022-28191 | 1 Nvidia | 1 Virtual Gpu | 2024-02-28 | 4.9 MEDIUM | 5.5 MEDIUM |
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where uncontrolled resource consumption can be triggered by an unprivileged regular user, which may lead to denial of service. | |||||
CVE-2022-24726 | 1 Istio | 1 Istio | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities. | |||||
CVE-2022-22556 | 1 Dell | 3 Powerstore T, Powerstore X, Powerstoreos | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the Denial of Service. | |||||
CVE-2021-3737 | 6 Canonical, Fedoraproject, Netapp and 3 more | 17 Ubuntu Linux, Fedora, Hci and 14 more | 2024-02-28 | 7.1 HIGH | 7.5 HIGH |
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. | |||||
CVE-2022-27182 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-02-28 | 4.3 MEDIUM | 5.3 MEDIUM |
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, when BIG-IP packet filters are enabled and a virtual server is configured with the type set to Reject, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2022-1797 | 1 Rockwellautomation | 18 Compact Guardlogix 5370, Compact Guardlogix 5370 Firmware, Compact Guardlogix 5380 and 15 more | 2024-02-28 | 7.8 HIGH | 8.6 HIGH |
A malformed Class 3 common industrial protocol message with a cached connection can cause a denial-of-service condition in Rockwell Automation Logix Controllers, resulting in a major nonrecoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online. | |||||
CVE-2022-27640 | 1 Siemens | 4 Simatic Cp 442-1 Rna, Simatic Cp 442-1 Rna Firmware, Simatic Cp 443-1 Rna and 1 more | 2024-02-28 | 6.1 MEDIUM | 6.5 MEDIUM |
A vulnerability has been identified in SIMATIC CP 442-1 RNA (All versions < V1.5.18), SIMATIC CP 443-1 RNA (All versions < V1.5.18). The affected devices improperly handles excessive ARP broadcast requests. This could allow an attacker to create a denial of service condition by performing ARP storming attacks, which can cause the device to reboot. | |||||
CVE-2022-0695 | 2 Fedoraproject, Radare | 2 Fedora, Radare2 | 2024-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. | |||||
CVE-2022-28691 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when a Real Time Streaming Protocol (RTSP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2022-31030 | 3 Debian, Fedoraproject, Linuxfoundation | 3 Debian Linux, Fedora, Containerd | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. | |||||
CVE-2022-22145 | 1 Yokogawa | 9 Centum Cs 3000, Centum Cs 3000 Entry, Centum Cs 3000 Entry Firmware and 6 more | 2024-02-28 | 4.9 MEDIUM | 8.1 HIGH |
CAMS for HIS Log Server contained in the following Yokogawa Electric products is vulnerable to uncontrolled resource consumption. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00. | |||||
CVE-2022-0489 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 3.5 LOW | 5.7 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . It was possible to trigger a DOS by using the math feature with a specific formula in issue comments. |