CVE-2021-32842
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.0.0 and prior to version 1.3.3, a check was added if the destination file is under a destination directory. However, it...
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is...
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file...
IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256. Date published : 2022-01-26 https://www.ibm.com/support/pages/node/6550866 https://exchange.xforce.ibmcloud.com/vulnerabilities/205256
IBM Security Guardium Insights 3.0 could allow an authenticated user to perform unauthorized actions due to improper input validation. IBM X-Force ID: 205255. Date published : 2022-01-26 https://www.ibm.com/support/pages/node/6550866 https://exchange.xforce.ibmcloud.com/vulnerabilities/205255
IBM Security Guardium Insights 3.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive...
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the affected versions or rebuilding...
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file’s name during generation of the resulting error message....
Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2. Date published : 2022-01-26 https://huntr.dev/bounties/395fc553-2b90-4e69-ba07-a316e1c06406 https://github.com/crater-invoice/crater/commit/dd324c8bb6b17009f82afe8bc830caec7241e992
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1...
Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Date published : 2022-01-25 https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s http://www.openwall.com/lists/oss-security/2022/01/25/6
A user can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Date published : 2022-01-25 https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y http://www.openwall.com/lists/oss-security/2022/01/25/5
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /|$/ check. Date published : 2022-01-25 https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582
Microsoft Edge for Android Spoofing Vulnerability. Date published : 2022-01-25 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23258