Security Vulnerabilities - CVEs Published In March 2022
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.
CVSS Score
5.5
EPSS Score
0.007
Published
2022-03-04
When the device is in factory state, it can be access the shell without adb authentication process. The LG ID is LVE-SMP-210010.
CVSS Score
7.8
EPSS Score
0.0
Published
2022-03-04
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CVSS Score
5.5
EPSS Score
0.0
Published
2022-03-04
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through URL redirection to untrusted site.
CVSS Score
6.1
EPSS Score
0.522
Published
2022-03-04
Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
CVSS Score
7.5
EPSS Score
0.911
Published
2022-03-04
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
CVSS Score
8.1
EPSS Score
0.002
Published
2022-03-04
An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVSS Score
7.1
EPSS Score
0.0
Published
2022-03-04
A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar with the older CVE-2019-18808.
CVSS Score
5.5
EPSS Score
0.0
Published
2022-03-04
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through an unauthenticated remote configuration download.
CVSS Score
7.5
EPSS Score
0.331
Published
2022-03-04
Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.
CVSS Score
7.3
EPSS Score
0.002
Published
2022-03-04