Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

ProcessMaker Privilege Escalation

ProcessMaker versions prior to 3.5.4 were discovered to be susceptible to a remote privilege escalation vulnerability.

Packet Storm
Open in Source
#vulnerability#web#windows#debian#js#php#auth#ssl
CVE-2022-34917: Apache Kafka

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

CVE-2022-34746: Zyxel security advisory for insufficient entropy vulnerability of GS1900 series switches

An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70. This vulnerability could allow an unauthenticated attacker to retrieve a private key by factoring the RSA modulus N in the certificate of the web administration interface.

CVE-2022-0143: Downloads - BackStage

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)

CVE-2022-40234: Insecure handling of TLS certificates by IBM Spectrum Protect Plus (CVE-2022-40234)

Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate. IBM X-Force ID: 235718.

CVE-2022-40980

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files. This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40468: GitHub - tinyproxy/tinyproxy: tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems

Tinyproxy commit 84f203f and earlier does not process HTTP request lines in the process_request() function and is using uninitialized buffers. This vulnerability allows attackers to access sensitive information at system runtime.

CVE-2022-40778: MetaDefender ICAP Server - Trust your network traffic - OPSWAT

A stored Cross-Site Scripting (XSS) vulnerability in OPSWAT MetaDefender ICAP Server before 4.13.0 allows attackers to execute arbitrary JavaScript or HTML because of the blocked page response.

CVE-2022-40775: SEGV error · Issue #758 · axiomatic-systems/Bento4

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_StszAtom::WriteFields.

Akeyless Empowers Enterprise Code Security with Comprehensive Secrets Management

By Waqas Meet Akeyless, a secure identity and access management platform that helps organizations manage user identities, passwords, and access control. This is a post from HackRead.com Read the original post: Akeyless Empowers Enterprise Code Security with Comprehensive Secrets Management