Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Disclaimer: The Vulnerability Detection Pipeline is intended to give users an early insight into some of the CVEs the Qualys Research Team is investigating. It may not show all the CVEs that are actively being investigated. Specific CVE feature requests filed via a Qualys Support case may or may not show up on this page. Please reach out to Qualys Support for status of such support cases.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

Displaying QID development activity from through last updated:
884 results
CVE
Qualys ID
Title
Severity
  • CVE-2022-42898+
    QID: 181249
    In Development

    Debian Security Update for heimdal (DLA 3206-1)

    Severity
    Critical 4
    Qualys ID
    181249
    Vendor Reference
    DLA 3206-1
    CVE Reference
    CVE-2022-42898, CVE-2021-44758, CVE-2022-41916, CVE-2022-3437, CVE-2019-14870, CVE-2021-3671, CVE-2022-44640
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released a security update for heimdal to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3206-1 for updates and patch information.
    Patches
    Debian DLA 3206-1
  • CVE-2022-4055
    QID: 904556
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for xdg-utils (11465)

    Severity
    Critical 4
    Qualys ID
    904556
    Vendor Reference
    Mariner_2.0_11465
    CVE Reference
    CVE-2022-4055
    CVSS Scores
    Base 7.4 / Temporal 6.8
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for xdg-utils to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-3970
    QID: 904553
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (11451-1)

    Severity
    Urgent 5
    Qualys ID
    904553
    Vendor Reference
    11451-1
    CVE Reference
    CVE-2022-3970
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11451-1
  • CVE-2022-42915
    QID: 904516
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11411-1)

    Severity
    Urgent 5
    Qualys ID
    904516
    Vendor Reference
    11411-1
    CVE Reference
    CVE-2022-42915
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11411-1
  • CVE-2009-1890
    QID: 904538
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (9755-1)

    Severity
    Critical 4
    Qualys ID
    904538
    Vendor Reference
    9755-1
    CVE Reference
    CVE-2009-1890
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for httpd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 9755-1
  • CVE-2022-43750
    QID: 904554
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11360-1)

    Severity
    Critical 4
    Qualys ID
    904554
    Vendor Reference
    11360-1
    CVE Reference
    CVE-2022-43750
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11360-1
  • CVE-2022-1270
    QID: 181248
    In Development

    Debian Security Update for graphicsmagick (DSA 5288-1)

    Severity
    Critical 4
    Qualys ID
    181248
    Vendor Reference
    DSA 5288-1
    CVE Reference
    CVE-2022-1270
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released a security update for graphicsmagick to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DSA 5288-1 for updates and patch information.
    Patches
    Debian DSA 5288-1
  • CVE-2020-8284+
    QID: 181247
    In Development

    Debian Security Update for inetutils (DLA 3205-1)

    Severity
    Critical 4
    Qualys ID
    181247
    Vendor Reference
    DLA 3205-1
    CVE Reference
    CVE-2020-8284, CVE-2022-39028, CVE-2019-0053, CVE-2021-40491
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released a security update for inetutils to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3205-1 for updates and patch information.
    Patches
    Debian DLA 3205-1
  • CVE-2022-35737
    QID: 904549
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for sqlite (10466-1)

    Severity
    Critical 4
    Qualys ID
    904549
    Vendor Reference
    10466-1
    CVE Reference
    CVE-2022-35737
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for sqlite to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 10466-1
  • CVE-2022-3080
    QID: 904547
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for bind (11009-1)

    Severity
    Critical 4
    Qualys ID
    904547
    Vendor Reference
    11009-1
    CVE Reference
    CVE-2022-3080
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for bind to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11009-1
  • CVE-2022-38178
    QID: 904546
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for bind (11011-1)

    Severity
    Critical 4
    Qualys ID
    904546
    Vendor Reference
    11011-1
    CVE Reference
    CVE-2022-38178
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for bind to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11011-1
  • CVE-2022-3594
    QID: 904541
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11270-1)

    Severity
    Critical 4
    Qualys ID
    904541
    Vendor Reference
    11270-1
    CVE Reference
    CVE-2022-3594
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11270-1
  • CVE-2022-38177
    QID: 904540
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for bind (11010-1)

    Severity
    Critical 4
    Qualys ID
    904540
    Vendor Reference
    11010-1
    CVE Reference
    CVE-2022-38177
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for bind to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11010-1
  • CVE-2022-42916
    QID: 904527
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11412-1)

    Severity
    Critical 4
    Qualys ID
    904527
    Vendor Reference
    11412-1
    CVE Reference
    CVE-2022-42916
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11412-1
  • CVE-2022-2795
    QID: 904526
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for bind (11008-1)

    Severity
    Critical 4
    Qualys ID
    904526
    Vendor Reference
    11008-1
    CVE Reference
    CVE-2022-2795
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for bind to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11008-1
  • CVE-2022-3705
    QID: 904515
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for vim (11362-1)

    Severity
    Critical 4
    Qualys ID
    904515
    Vendor Reference
    11362-1
    CVE Reference
    CVE-2022-3705
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for vim to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11362-1
  • CVE-2022-38150+
    QID: 283349
    In Development

    Fedora Security Update for varnish (FEDORA-2022-99c5ddb2ae)

    Severity
    Critical 4
    Qualys ID
    283349
    Vendor Reference
    FEDORA-2022-99c5ddb2ae
    CVE Reference
    CVE-2022-38150, CVE-2022-45060, CVE-2022-45059
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for varnish to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally, this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-99c5ddb2ae
  • CVE-2022-43995
    QID: 904534
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for sudo (11423-1)

    Severity
    Critical 4
    Qualys ID
    904534
    Vendor Reference
    11423-1
    CVE Reference
    CVE-2022-43995
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for sudo to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11423-1
  • CVE-2022-39408
    QID: 904550
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11262-1)

    Severity
    Serious 3
    Qualys ID
    904550
    Vendor Reference
    11262-1
    CVE Reference
    CVE-2022-39408
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11262-1
  • CVE-2022-21635
    QID: 904537
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11254-1)

    Severity
    Serious 3
    Qualys ID
    904537
    Vendor Reference
    11254-1
    CVE Reference
    CVE-2022-21635
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11254-1
  • CVE-2022-3599
    QID: 904535
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (11303-1)

    Severity
    Serious 3
    Qualys ID
    904535
    Vendor Reference
    11303-1
    CVE Reference
    CVE-2022-3599
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11303-1
  • CVE-2022-39410
    QID: 904533
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11263-1)

    Severity
    Serious 3
    Qualys ID
    904533
    Vendor Reference
    11263-1
    CVE Reference
    CVE-2022-39410
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11263-1
  • CVE-2022-3597
    QID: 904531
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (11301-1)

    Severity
    Serious 3
    Qualys ID
    904531
    Vendor Reference
    11301-1
    CVE Reference
    CVE-2022-3597
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11301-1
  • CVE-2022-3586
    QID: 904545
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11298-1)

    Severity
    Serious 3
    Qualys ID
    904545
    Vendor Reference
    11298-1
    CVE Reference
    CVE-2022-3586
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11298-1
  • CVE-2022-3542
    QID: 904529
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11159-1)

    Severity
    Serious 3
    Qualys ID
    904529
    Vendor Reference
    11159-1
    CVE Reference
    CVE-2022-3542
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11159-1
  • CVE-2022-1184
    QID: 160330
    In Development

    Oracle Enterprise Linux Security Update for unbreakable enterprise kernel-container (ELSA-2022-10023)

    Severity
    Serious 3
    Qualys ID
    160330
    Vendor Reference
    ELSA-2022-10023
    CVE Reference
    CVE-2022-1184
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for unbreakable enterprise kernel-container to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-10023
    Patches
    Oracle Linux ELSA-2022-10023
  • CVE-2022-1184
    QID: 160329
    In Development

    Oracle Enterprise Linux Security Update for unbreakable enterprise kernel (ELSA-2022-10022)

    Severity
    Serious 3
    Qualys ID
    160329
    Vendor Reference
    ELSA-2022-10022
    CVE Reference
    CVE-2022-1184
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for unbreakable enterprise kernel to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-10022
    Patches
    Oracle Linux ELSA-2022-10022
  • CVE-2022-21617
    QID: 904552
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11250-1)

    Severity
    Medium 2
    Qualys ID
    904552
    Vendor Reference
    11250-1
    CVE Reference
    CVE-2022-21617
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11250-1
  • CVE-2022-21632
    QID: 904551
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11252-1)

    Severity
    Medium 2
    Qualys ID
    904551
    Vendor Reference
    11252-1
    CVE Reference
    CVE-2022-21632
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11252-1
  • CVE-2022-39400
    QID: 904536
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11259-1)

    Severity
    Medium 2
    Qualys ID
    904536
    Vendor Reference
    11259-1
    CVE Reference
    CVE-2022-39400
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11259-1
  • CVE-2022-21604
    QID: 904532
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11247-1)

    Severity
    Medium 2
    Qualys ID
    904532
    Vendor Reference
    11247-1
    CVE Reference
    CVE-2022-21604
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11247-1
  • CVE-2022-21594
    QID: 904530
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11245-1)

    Severity
    Medium 2
    Qualys ID
    904530
    Vendor Reference
    11245-1
    CVE Reference
    CVE-2022-21594
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11245-1
  • CVE-2022-21640
    QID: 904528
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11257-1)

    Severity
    Medium 2
    Qualys ID
    904528
    Vendor Reference
    11257-1
    CVE Reference
    CVE-2022-21640
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11257-1
  • CVE-2022-21633
    QID: 904524
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11253-1)

    Severity
    Medium2
    Qualys ID
    904524
    Vendor Reference
    11253-1
    CVE Reference
    CVE-2022-21633
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11253-1
  • CVE-2022-21599
    QID: 904523
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11246-1)

    Severity
    Medium2
    Qualys ID
    904523
    Vendor Reference
    11246-1
    CVE Reference
    CVE-2022-21599
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11246-1
  • CVE-2022-21641
    QID: 904522
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11258-1)

    Severity
    Medium2
    Qualys ID
    904522
    Vendor Reference
    11258-1
    CVE Reference
    CVE-2022-21641
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11258-1
  • CVE-2022-21638
    QID: 904521
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11256-1)

    Severity
    Medium2
    Qualys ID
    904521
    Vendor Reference
    11256-1
    CVE Reference
    CVE-2022-21638
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11256-1
  • CVE-2022-21608
    QID: 904520
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11248-1)

    Severity
    Medium2
    Qualys ID
    904520
    Vendor Reference
    11248-1
    CVE Reference
    CVE-2022-21608
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11248-1
  • CVE-2022-21637
    QID: 904517
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11255-1)

    Severity
    Medium2
    Qualys ID
    904517
    Vendor Reference
    11255-1
    CVE Reference
    CVE-2022-21637
    CVSS Scores
    Base 4.9 / Temporal 4.3
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11255-1
  • CVE-2022-41850
    QID: 904519
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11087-1)

    Severity
    Medium2
    Qualys ID
    904519
    Vendor Reference
    11087-1
    CVE Reference
    CVE-2022-41850
    CVSS Scores
    Base 4.7 / Temporal 4.1
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11087-1
  • CVE-2022-21625
    QID: 904542
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11251-1)

    Severity
    Medium2
    Qualys ID
    904542
    Vendor Reference
    11251-1
    CVE Reference
    CVE-2022-21625
    CVSS Scores
    Base 4.4 / Temporal 3.9
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11251-1
  • CVE-2020-35505
    QID: 904518
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for qemu-kvm (4321-1)

    Severity
    Medium2
    Qualys ID
    904518
    Vendor Reference
    4321-1
    CVE Reference
    CVE-2020-35505
    CVSS Scores
    Base 4.4 / Temporal 3.9
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 4321-1
  • CVE-2022-39402
    QID: 904555
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11260-1)

    Severity
    Medium2
    Qualys ID
    904555
    Vendor Reference
    11260-1
    CVE Reference
    CVE-2022-39402
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11260-1
  • CVE-2022-21592
    QID: 904544
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11244-1)

    Severity
    Medium2
    Qualys ID
    904544
    Vendor Reference
    11244-1
    CVE Reference
    CVE-2022-21592
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11244-1
  • CVE-2022-21611
    QID: 904548
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11249-1)

    Severity
    Medium2
    Qualys ID
    904548
    Vendor Reference
    11249-1
    CVE Reference
    CVE-2022-21611
    CVSS Scores
    Base 4.1 / Temporal 3.6
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11249-1
  • CVE-2022-39403
    QID: 904543
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (11261-1)

    Severity
    Medium2
    Qualys ID
    904543
    Vendor Reference
    11261-1
    CVE Reference
    CVE-2022-39403
    CVSS Scores
    Base 3.9 / Temporal 3.4
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for mysql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11261-1
  • CVE-2022-35252
    QID: 904539
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11053-1)

    Severity
    Medium2
    Qualys ID
    904539
    Vendor Reference
    11053-1
    CVE Reference
    CVE-2022-35252
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for curl to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11053-1
  • CVE-2022-3521
    QID: 904525
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11157-1)

    Severity
    Medium2
    Qualys ID
    904525
    Vendor Reference
    11157-1
    CVE Reference
    CVE-2022-3521
    CVSS Scores
    Base 2.5 / Temporal 2.2
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11157-1
  • CVE-2022-41853
    QID: 377795
    In Development

    Alibaba Cloud Linux Security Update for hsqldb (ALINUX2-SA-2022:0054)

    Severity
    Critical4
    Qualys ID
    377795
    Vendor Reference
    ALINUX2-SA-2022:0054
    CVE Reference
    CVE-2022-41853
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Alibaba Cloud Linux has released a security update for hsqldb to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to Alibaba Cloud Linux security advisory ALINUX2-SA-2022:0054 for updates and patch information.
    Patches
    Alibaba Cloud Linux ALINUX2-SA-2022:0054
  • CVE-2018-3299+
    QID: 20306
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2018

    Severity
    Critical4
    Qualys ID
    20306
    Vendor Reference
    CPUOCT2018
    CVE Reference
    CVE-2018-3299, CVE-2018-3259
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.01

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOCT2018 to obtain details about how to deploy the update.

    Patches
    CPUOCT2018
  • CVE-2022-4135
    QID: 690996
    In Development

    Free Berkeley Software Distribution (FreeBSD) Security Update for chromium (8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec)

    Severity
    Critical4
    Qualys ID
    690996
    Vendor Reference
    8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec
    CVE Reference
    CVE-2022-4135
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for chromium to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec for updates and patch information.
    Patches
    "FreeBSD" 8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec
  • QID: 690994
    In Development

    Free Berkeley Software Distribution (FreeBSD) Security Update for zeek (658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6)

    Severity
    Critical4
    Qualys ID
    690994
    Vendor Reference
    658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for zeek to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6 for updates and patch information.
    Patches
    "FreeBSD" 658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6
  • CVE-2022-4135
    QID: 377794
    Recently Published

    Google Chrome Prior to 107.0.5304.121 Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    377794
    Date Published
    November 25, 2022
    Vendor Reference
    Google Chrome 107.0.5304.121
    CVE Reference
    CVE-2022-4135
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Chrome has released security updates for Windows, Mac, and Linux to fix the vulnerabilities.


    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Chrome security advisory 107.0.5304.121 for updates and patch information.
    Patches
    Google Chrome 107.0.5304.121
  • QID: 283348
    In Development

    Fedora Security Update for firefox (FEDORA-2022-2321894a60)

    Severity
    Critical4
    Qualys ID
    283348
    Vendor Reference
    FEDORA-2022-2321894a60
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for firefox to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-2321894a60
  • CVE-2020-2510+
    QID: 20305
    Under Investigation

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2020

    Severity
    Critical4
    Qualys ID
    20305
    Vendor Reference
    CPUJAN2020
    CVE Reference
    CVE-2020-2510, CVE-2020-2511, CVE-2020-2512, CVE-2020-2515, CVE-2020-2516, CVE-2020-2517, CVE-2020-2527, CVE-2020-2731, CVE-2020-2568, CVE-2020-2569, CVE-2019-10072, CVE-2018-11784, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232, CVE-2020-2518
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.01

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJAN2020 to obtain details about how to deploy the update.

    Patches
    cpujan2020
  • CVE-2022-3910
    QID: 904514
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11460)

    Severity
    Critical4
    Qualys ID
    904514
    Vendor Reference
    Mariner_2.0_11460
    CVE Reference
    CVE-2022-3910
    CVSS Scores
    Base 7.8 / Temporal 7.1
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-3910
    QID: 904513
    In Development

    Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (11462)

    Severity
    Critical4
    Qualys ID
    904513
    Vendor Reference
    11462
    CVE Reference
    CVE-2022-3910
    CVSS Scores
    Base 7.8 / Temporal 7.1
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for kernel to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-3559
    QID: 199046
    In Development

    Ubuntu Security Notification for Exim Vulnerability (USN-5741-1)

    Severity
    Critical4
    Qualys ID
    199046
    Vendor Reference
    USN-5741-1
    CVE Reference
    CVE-2022-3559
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Ubuntu has released a security update for exim to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5741-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5741-1
  • CVE-2017-9937
    QID: 199047
    In Development

    Ubuntu Security Notification for JBIG-KIT Vulnerability (USN-5742-1)

    Severity
    Serious3
    Qualys ID
    199047
    Vendor Reference
    USN-5742-1
    CVE Reference
    CVE-2017-9937
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Ubuntu has released a security update for jbig-kit to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5742-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5742-1
  • CVE-2022-35016+
    QID: 690995
    In Development

    Free Berkeley Software Distribution (FreeBSD) Security Update for advancecomp (b6a84729-6bd0-11ed-8d9a-b42e991fc52e)

    Severity
    Serious3
    Qualys ID
    690995
    Vendor Reference
    b6a84729-6bd0-11ed-8d9a-b42e991fc52e
    CVE Reference
    CVE-2022-35016, CVE-2022-35017, CVE-2022-35018, CVE-2022-35020, CVE-2022-35015, CVE-2022-35019, CVE-2022-35014
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    FreeBSD has released a security update for advancecomp to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory b6a84729-6bd0-11ed-8d9a-b42e991fc52e for updates and patch information.
    Patches
    "FreeBSD" b6a84729-6bd0-11ed-8d9a-b42e991fc52e
  • QID: 45551
    Under Investigation

    RPM based running processes

    Severity
    Minimal1
    Qualys ID
    45551
    CVSS Scores
    Base / Temporal
    Description
    N/A
    Consequence
    N/A
    Solution
    N/A
  • CVE-2022-37454
    QID: 283345
    In Development

    Fedora Security Update for python3.7 (FEDORA-2022-760d1eac9b)

    Severity
    Urgent5
    Qualys ID
    283345
    Vendor Reference
    FEDORA-2022-760d1eac9b
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.7 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-760d1eac9b
  • CVE-2022-37454
    QID: 283344
    In Development

    Fedora Security Update for python3.8 (FEDORA-2022-5fd3e7f635)

    Severity
    Urgent5
    Qualys ID
    283344
    Vendor Reference
    FEDORA-2022-5fd3e7f635
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.8 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-5fd3e7f635
  • CVE-2022-37454
    QID: 283343
    In Development

    Fedora Security Update for python3.7 (FEDORA-2022-385d2ea041)

    Severity
    Urgent5
    Qualys ID
    283343
    Vendor Reference
    FEDORA-2022-385d2ea041
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.7 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-385d2ea041
  • CVE-2022-3352+
    QID: 181246
    In Development

    Debian Security Update for vim (DLA 3204-1)

    Severity
    Urgent5
    Qualys ID
    181246
    Vendor Reference
    DLA 3204-1
    CVE Reference
    CVE-2022-3352, CVE-2022-0392, CVE-2022-1942, CVE-2022-0318, CVE-2022-1621, CVE-2022-1897, CVE-2022-2000, CVE-2022-3256, CVE-2022-2129, CVE-2022-0696, CVE-2022-1619, CVE-2022-3235, CVE-2022-1785, CVE-2022-0629
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released a security update for vim to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3204-1 for updates and patch information.
    Patches
    Debian DLA 3204-1
  • CVE-2022-31627
    QID: 38882
    In Development

    Hypertext Preprocessor (PHP) Heap Buffer Overflow Vulnerability (81723)

    Severity
    Critical4
    Qualys ID
    38882
    Vendor Reference
    81723
    CVE Reference
    CVE-2022-31627
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    In the installed version of PHP, when fileinfo functions such as finfo_buffer are used, an incorrect patch applied to the third-party code from libmagic may cause an incorrect function to be used to free allocated memory, which may lead to heap corruption.

    Affected Versions:
    PHP versions 8.1.x prior to 8.1.8

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Successful exploitation of this vulnerability could allow a remote attacker to trigger a buffer overflow and execute arbitrary code on the target system.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information, please refer to Sec Bug 81723.

    Patches
    81723
  • CVE-2022-40300
    QID: 377793
    Recently Published

    Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus SQL Injection Vulnerability

    Severity
    Critical4
    Qualys ID
    377793
    Date Published
    November 25, 2022
    Vendor Reference
    Zoho ManageEngine Security Advisory
    CVE Reference
    CVE-2022-40300
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    ManageEngine offers enterprise IT management software for your service management, operations management, Active Directory and security needs.

    Multiple SQL Injection vulnerabilities (CVE-2022-40300) were discovered in Password Manager Pro, PAM360 and Access Manager Plus.

    Affected Versions:
    Access Manager Plus 4304 and below

    Password Manager Pro 12120 and below

    PAM360 5550 and below

    QID Detection Logic:
    Authenticated: This QID checks the product.conf file to determine whether the latest build is installed.

    Consequence
    These vulnerabilities can allow an adversary to execute custom queries and access the database table entries using the vulnerable request.

    Solution
    The vendor has released a patch. Customers are advised to refer to the Zoho ManageEngine Advisory for more details.
    Patches
    Zoho ManageEngine Security Advisory
  • CVE-2022-31625+
    QID: 38883
    In Development

    Hypertext Preprocessor (PHP) Multiple Security Vulnerabilities (81719, 81720)

    Severity
    Critical4
    Qualys ID
    38883
    Vendor Reference
    81719, 81720
    CVE Reference
    CVE-2022-31625, CVE-2022-31626
    CVSS Scores
    Base 8.8 / Temporal 7.9
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    Affected versions of PHP have multiple vulnerabilities:
    CVE-2022-31626 : mysqlnd/pdo password buffer overflow leading to RCE
    CVE-2022-31625 : Uninitialized array in pg_query_params() leading to RCE

    Affected Versions:
    PHP versions 7.4.x prior to 7.4.30
    PHP versions 8.0.x prior to 8.0.20
    PHP versions 8.1.x prior to 8.1.7

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the target system.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information please refer to Sec Bug 81719 and Sec Bug 81720.

    Patches
    81719, 81720
  • CVE-2022-3551+
    QID: 283347
    In Development

    Fedora Security Update for xorg (FEDORA-2022-5495b36bed)

    Severity
    Critical4
    Qualys ID
    283347
    Vendor Reference
    FEDORA-2022-5495b36bed
    CVE Reference
    CVE-2022-3551, CVE-2022-3550
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for xorg to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-5495b36bed
  • CVE-2022-3551+
    QID: 283346
    In Development

    Fedora Security Update for xorg (FEDORA-2022-9100b7aafd)

    Severity
    Critical4
    Qualys ID
    283346
    Vendor Reference
    FEDORA-2022-9100b7aafd
    CVE Reference
    CVE-2022-3551, CVE-2022-3550
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for xorg to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-9100b7aafd
  • QID: 283342
    In Development

    Fedora Security Update for drupal7 (FEDORA-2022-d209710a36)

    Severity
    Critical4
    Qualys ID
    283342
    Vendor Reference
    FEDORA-2022-d209710a36
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for drupal7 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-d209710a36
  • QID: 283341
    In Development

    Fedora Security Update for drupal7 (FEDORA-2022-74fe01686a)

    Severity
    Critical4
    Qualys ID
    283341
    Vendor Reference
    FEDORA-2022-74fe01686a
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for drupal7 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-74fe01686a
  • QID: 283340
    In Development

    Fedora Security Update for drupal7 (FEDORA-2022-12b13cd79f)

    Severity
    Critical4
    Qualys ID
    283340
    Vendor Reference
    FEDORA-2022-12b13cd79f
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for drupal7 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-12b13cd79f
  • QID: 283339
    In Development

    Fedora Security Update for drupal7 (FEDORA-2022-288e2fa22b)

    Severity
    Critical4
    Qualys ID
    283339
    Vendor Reference
    FEDORA-2022-288e2fa22b
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for drupal7 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-288e2fa22b
  • CVE-2022-3787
    QID: 160328
    In Development

    Oracle Enterprise Linux Security Update for device-mapper-multipath (ELSA-2022-8453)

    Severity
    Critical4
    Qualys ID
    160328
    Vendor Reference
    ELSA-2022-8453
    CVE Reference
    CVE-2022-3787
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for device-mapper-multipath to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8453
    Patches
    Oracle Linux ELSA-2022-8453
  • CVE-2022-3500
    QID: 160327
    In Development

    Oracle Enterprise Linux Security Update for keylime (ELSA-2022-8444)

    Severity
    Critical4
    Qualys ID
    160327
    Vendor Reference
    ELSA-2022-8444
    CVE Reference
    CVE-2022-3500
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for keylime to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8444
    Patches
    Oracle Linux ELSA-2022-8444
  • CVE-2022-45421+
    QID: 160326
    In Development

    Oracle Enterprise Linux Security Update for firefox (ELSA-2022-8580)

    Severity
    Critical4
    Qualys ID
    160326
    Vendor Reference
    ELSA-2022-8580
    CVE Reference
    CVE-2022-45421, CVE-2022-45418, CVE-2022-45403, CVE-2022-45408, CVE-2022-45409, CVE-2022-45405, CVE-2022-45410, CVE-2022-45420, CVE-2022-45412, CVE-2022-45416, CVE-2022-45406, CVE-2022-45411, CVE-2022-45404
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for firefox to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8580
    Patches
    Oracle Linux ELSA-2022-8580
  • CVE-2022-45421+
    QID: 160325
    In Development

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-8561)

    Severity
    Critical4
    Qualys ID
    160325
    Vendor Reference
    ELSA-2022-8561
    CVE Reference
    CVE-2022-45421, CVE-2022-45418, CVE-2022-45408, CVE-2022-45403, CVE-2022-45420, CVE-2022-45405, CVE-2022-45410, CVE-2022-45412, CVE-2022-45416, CVE-2022-45406, CVE-2022-45409, CVE-2022-45411, CVE-2022-45404
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8561
    Patches
    Oracle Linux ELSA-2022-8561
  • CVE-2022-41805+
    QID: 150597
    In Development

    WordPress Booster for Woocommerce Plugin: Multiple Vulnerabilities (CVE-2022-41805, CVE-2022-3763, CVE-2022-3762)

    Severity
    Critical4
    Qualys ID
    150597
    Vendor Reference
    CVE-2022-3762, CVE-2022-3763, CVE-2022-41805
    CVE Reference
    CVE-2022-41805, CVE-2022-3763, CVE-2022-3762
    CVSS Scores
    Base 8.1 / Temporal 7.5
    Description
    Booster for WooCommerce is an addon plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point.

    Booster for WooCommerce contains multiple vulnerabilities:
    CVE-2022-41805: The plugin does not have CSRF checks, allowing attackers to perform a CSRF attack.

    CVE-2022-3762: The plugin does not validate files to download in some of its modules, which could allow ShopManager and Admin users to download arbitrary files from the server even when they are not supposed to be able to (for example, in multisite).

    CVE-2022-3763: The plugin does not have a CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged-in shop manager or admin delete them via a CSRF attack.

    Affected Versions:
    The Booster for WooCommerce WordPress plugin before 5.6.7

    QID Detection Logic:
    This QID sends an HTTP GET request and checks for a vulnerable version of the WordPress plugin running on the target application.

    Consequence
    Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or download arbitrary files from the server.

    Solution
    Customers are advised to upgrade to Booster for WooCommerce 5.6.7 or later version to remediate this vulnerability.
    Patches
    CVE-2022-3762, CVE-2022-3763, CVE-2022-41805
  • CVE-2021-20241+
    QID: 199045
    In Development

    Ubuntu Security Notification for ImageMagick Vulnerabilities (USN-5736-1)

    Severity
    Critical4
    Qualys ID
    199045
    Vendor Reference
    USN-5736-1
    CVE Reference
    CVE-2021-20241, CVE-2021-20224, CVE-2021-20246, CVE-2021-20244, CVE-2022-32545, CVE-2021-20312, CVE-2021-39212, CVE-2021-4219, CVE-2021-3574, CVE-2021-20313, CVE-2022-32546, CVE-2022-28463, CVE-2021-20309, CVE-2022-32547, CVE-2021-20245, CVE-2022-1114, CVE-2021-20243
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Ubuntu has released a security update for imagemagick to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5736-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5736-1
  • CVE-2022-42919
    QID: 160324
    In Development

    Oracle Enterprise Linux Security Update for python3.9 (ELSA-2022-8493)

    Severity
    Critical4
    Qualys ID
    160324
    Vendor Reference
    ELSA-2022-8493
    CVE Reference
    CVE-2022-42919
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for python3.9 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8493
    Patches
    Oracle Linux ELSA-2022-8493
  • CVE-2022-32189
    QID: 770167
    In Development

    Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:8534)

    Severity
    Critical4
    Qualys ID
    770167
    Vendor Reference
    RHSA-2022:8534
    CVE Reference
    CVE-2022-32189
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.

    Security Fix(es):
    • golang: math/big: decoding big.Float and big.Rat types can panic if the

    Affected Products:

    • Red Hat openshift container platform 4.11 for rhel 8 x86_64
    • Red Hat openshift container platform for power 4.11 for rhel 8 ppc64le
    • Red Hat openshift container platform for ibm z and linuxone 4.11 for rhel 8 s390x
    • Red Hat openshift container platform for arm 64 4.11 aarch64



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8534 for updates and patch information.
    Patches
    Red Hat Enterprise Linux CoreOS RHSA-2022:8534
  • CVE-2022-32189
    QID: 240939
    In Development

    Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:8534)

    Severity
    Critical4
    Qualys ID
    240939
    Vendor Reference
    RHSA-2022:8534
    CVE Reference
    CVE-2022-32189
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Red Hat openshift container platform is Red Hat's cloud computing kubernetes application platform solution designed for on-premise or private cloud deployments.

    Security Fix(es):
    • golang: math/big: decoding big.Float and big.Rat types can panic if the

    Affected Products:

    • Red Hat openshift container platform 4.11 for rhel 8 x86_64
    • Red Hat openshift container platform for power 4.11 for rhel 8 ppc64le
    • Red Hat openshift container platform for ibm z and linuxone 4.11 for rhel 8 s390x
    • Red Hat openshift container platform for arm 64 4.11 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8534 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8534
  • CVE-2021-2207+
    QID: 20304
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - April 2021

    Severity
    Critical4
    Qualys ID
    20304
    Vendor Reference
    CPUAPR2021
    CVE Reference
    CVE-2021-2207, CVE-2021-2175, CVE-2021-2173, CVE-2019-3738, CVE-2019-3739, CVE-2019-3740, CVE-2020-5360, CVE-2021-2234
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2021 to obtain details about how to deploy the update.

    Patches
    CPUAPR2021
  • CVE-2022-3334
    QID: 150599
    In Development

    WordPress Easy WP SMTP Plugin: PHP Object Injection Vulnerability (CVE-2022-3334)

    Severity
    Critical4
    Qualys ID
    150599
    Vendor Reference
    WPScan Advisory
    CVE Reference
    CVE-2022-3334
    CVSS Scores
    Base 7.2 / Temporal 6.5
    Description
    Easy WP SMTP is a WordPress plugin which allows users to configure and send all outgoing emails via an SMTP server.

    Affected versions of the Easy WP SMTP plugin unserialise the content of an imported file, which could lead to a PHP object injection issue when an admin imports a malicious file and a suitable gadget chain is present on the blog.

    Affected versions:
    Easy WP SMTP prior to version 1.5.0

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request and checks for a vulnerable version of the WordPress plugin running on the target application.

    Consequence
    Successful exploitation of this vulnerability could allow an attacker to compromise Confidentiality, Integrity and Availability of the target application.

    Solution
    Customers are advised to upgrade to Easy WP SMTP 1.5.0 or later to remediate this vulnerability. For more information regarding this vulnerability please refer to the WPScan Advisory.
    Patches
    Easy WP SMTP Downloads
  • CVE-2022-2990+
    QID: 160323
    In Development

    Oracle Enterprise Linux Security Update for podman (ELSA-2022-8431)

    Severity
    Critical4
    Qualys ID
    160323
    Vendor Reference
    ELSA-2022-8431
    CVE Reference
    CVE-2022-2990, CVE-2022-2989
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Oracle Enterprise Linux has released a security update for podman to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8431
    Patches
    Oracle Linux ELSA-2022-8431
  • CVE-2022-31628+
    QID: 38881
    In Development

    Hypertext Preprocessor (PHP) Multiple Security Vulnerabilities (81726, 81727)

    Severity
    Serious3
    Qualys ID
    38881
    Vendor Reference
    81726, 81727
    CVE Reference
    CVE-2022-31628, CVE-2022-31629
    CVSS Scores
    Base 6.5 / Temporal 5.9
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    Affected versions of PHP have multiple vulnerabilities:
    CVE-2022-31628: The vulnerability exists due to an infinite loop within the phar uncompressor code when processing "quines" gzip files. A remote attacker can pass a specially crafted archive to the application, consume all available system resources and cause denial of service conditions.

    CVE-2022-31629: The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a standard insecure cookie in the victim's browser which is treated as a '__Host-' or '__Secure-' cookie by PHP applications.

    Affected Versions:
    PHP versions before 7.4.31
    PHP versions 8.0.0 prior to 8.0.24
    PHP versions 8.1.0 prior to 8.1.11

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Successful exploitation of this vulnerability allows a remote attacker to perform a denial of service (DoS) attack or bypass implemented security restrictions.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information please refer to Sec Bug 81726 and Sec Bug 81727.

    Patches
    81726, 81727
  • CVE-2022-41839
    QID: 150598
    In Development

    WordPress LoginPress Plugin: Broken Access Control Vulnerability (CVE-2022-41839)

    Severity
    Serious3
    Qualys ID
    150598
    Vendor Reference
    Patchstack
    CVE Reference
    CVE-2022-41839
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    LoginPress Plugin by LoginPress holds a lot of customization fields to change the layout of the login page of WordPress.

    A Broken Access Control vulnerability in the LoginPress plugin for WordPress allows unauthenticated changing of the Opt-In or Opt-Out tracking settings.

    Affected Versions:
    WordPress LoginPress Plugin before 1.6.2

    QID Detection Logic:
    This QID sends an HTTP GET request and checks for a vulnerable version of the WordPress plugin running on the target application.

    Consequence
    Successful exploitation of this vulnerability may allow non-administrators to change Opt-In or Opt-Out tracking settings.

    Solution
    Customers are advised to upgrade to LoginPress Plugin 1.6.2 or later version to remediate this vulnerability.
    Patches
    Patchstack
  • CVE-2022-40130
    QID: 150600
    In Development

    WordPress WP-Polls Plugin: Race Condition Vulnerability (CVE-2022-40130)

    Severity
    Serious3
    Qualys ID
    150600
    Vendor Reference
    Patchstack Advisory
    CVE Reference
    CVE-2022-40130
    CVSS Scores
    Base 3.1 / Temporal 2.7
    Description
    WP-Polls is a WordPress plugin which adds an AJAX poll system to WordPress blog and is extremely customizable via templates and css styles.

    A Race Condition vulnerability exists in the WP-Polls plugin, which requires subscriber or higher role user authentication for exploitation.

    Affected versions:
    WP-Polls prior to version 2.77.0

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request and checks for a vulnerable version of the WordPress plugin running on the target application.

    Consequence
    Successful exploitation of this vulnerability could allow an attacker to manipulate voting.

    Solution
    Customers are advised to upgrade to WP-Polls 2.77.0 or later to remediate this vulnerability. For more information regarding this vulnerability please refer to the Patchstack Advisory.
    Patches
    WP-Polls Downloads
  • CVE-2022-25622
    QID: 591199
    Recently Published

    Siemens PROFINET Stack Integrated on Interniche Stack (Update D) Vulnerability (ICSA-22-104-06, SSA-446448)

    Severity
    Critical4
    Qualys ID
    591199
    Date Published
    November 25, 2022
    Vendor Reference
    icsa-22-104-06
    CVE Reference
    CVE-2022-25622
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS

    The following SIMATIC products are affected
    CFU DIQ (6ES7655-5PX31-1XX0): All versions
    CFU PA (6ES7655-5PX11-0XX0): All versions
    ET200AL IM157-1 PN: All versions
    ET200ecoPN, CM 8x IO-Link, M12-L (6ES7148-6JG00-0BB0): Versions 5.1.1 and later
    ET200ecoPN, DI 8x24VDC, M12-L (6ES7141-6BG00-0BB0): Versions 5.1.1 and later
    ET200ecoPN, DI 16x24VDC, M12-L (6ES7141-6BH00-0BB0): Versions 5.1.1 and later
    ET200ecoPN, DIQ 16x24VDC/2A, M12-L (6ES7143-6BH00-0BB0): Versions 5.1.1 and later
    ET200ecoPN, DQ 8x24VDC/0,5A, M12-L (6ES7142-6BG00-0BB0): Versions 5.1.1 and later
    ET200ecoPN, DQ 8x24VDC/2A, M12-L (6ES7142-6BR00-0BB0): Versions 5.1.1 and later
    ET200MP IM155-5 PN HF (incl. SIPLUS variants): Versions 4.2 and later
    ET200SP IM155-6 MF HF: All versions
    ET200SP IM155-6 PN HA (incl. SIPLUS variants): All versions
    ET200SP IM155-6 PN HF (incl. SIPLUS variants): Versions 4.2 and later
    ET200SP IM155-6 PN/2 HF (incl. SIPLUS variants): Versions 4.2 and later
    ET200SP IM155-6 PN/3 HF (incl. SIPLUS variants): Versions 4.2 and later
    ET 200pro IM154-8 PN/DP CPU(6ES7154-8AB01-0AB0): All versions prior to V3.2.19
    ET 200pro IM154-8F PN/DP CPU(6ES7154-8FB01-0AB0): All versions prior to V3.2.19
    ET 200pro IM154-8FX PN/DP CPU(6ES7154-8FX00-0AB0): All versions prior to V3.2.19
    ET 200S IM151-8 PN/DP CPU(6ES7151-8AB01-0AB0): All versions prior to V3.2.19
    ET 200S IM151-8F PN/DP CPU(6ES7151-8FB01-0AB0): All versions prior to V3.2.19
    PN/MF Coupler (6ES7158-3MU10-0XA0): All versions
    PN/PN Coupler (6ES7158-3AD10-0XA0): Versions 4.2 and later
    S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): All versions prior to V3.3.19
    S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): All versions prior to V3.2.19
    S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): All versions prior to V3.2.19
    S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): All versions prior to V3.2.19
    S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): All versions prior to V3.2.19
    S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): All versions prior to V3.2.19
    S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): All versions prior to V3.2.19
    S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): All versions prior to V3.2.19
    S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): All versions prior to V3.2.19
    S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): All versions prior to V3.2.19
    S7-400 H V6 CPU family (incl. SIPLUS variants): All versions prior to v6.0.10
    S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions
    S7-410 V8 CPU family (incl. SIPLUS variants): All versions prior to V8.2.3
    S7-410 V8 CPU family (incl. SIPLUS variants): All versions
    S7-410 V10 CPU family (incl. SIPLUS variants): All versions
    S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions prior to v2.0.0
    TDC CP51M1: All versions
    TDC CPU555: All versions
    WinAC RTX: All versions

    The following SINAMICS products are affected
    DCM: All versions with Ethernet interface
    G110M: All versions with Ethernet interface
    G115D: All versions with Ethernet interface
    G120 (incl. SIPLUS variants): All versions with Ethernet interface
    G130: All versions
    G150: All versions
    S110: All versions with Ethernet interface
    S120 (incl. SIPLUS variants): All versions
    S150: All versions
    S210: All versions
    V90: All versions with Ethernet interface
    SIPLUS HCS4200 CIM4210 (6BK1942-1AA00-0AA0): All versions
    SIPLUS HCS4200 CIM4210C (6BK1942-1AA00-0AA1): All versions
    SIPLUS HCS4300 CIM4310 (6BK1943-1AA00-0AA0): All versions
    SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0): Versions 4.2 and later

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of this vulnerability could allow a denial-of-service condition.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section icsa-22-104-06 for affected packages and patching details.

    Patches
    SSA-446448, icsa-22-104-06
  • CVE-2016-3949
    QID: 591197
    Recently Published

    Siemens SIMATIC S7-300 Denial of Service (DoS) Vulnerability (ICSA-16-161-01, SSA-818183)

    Severity
    Critical4
    Qualys ID
    591197
    Date Published
    November 25, 2022
    Vendor Reference
    ICSA-16-161-01
    CVE Reference
    CVE-2016-3949
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    Siemens reports that the vulnerability affects the following products: SIMATIC S7-300 CPUs with Profinet support: All versions prior to V3.2.12, and
    SIMATIC S7-300 CPUs without Profinet support: All versions prior to V3.3.12.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    An exploit of this vulnerability could cause the affected device to go into defect mode, requiring a cold restart to recover the system.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-16-161-01 for affected packages and patching details.

    Patches
    ICSA-16-161-01, SSA-818183
  • CVE-2018-16561
    QID: 591196
    Recently Published

    Siemens SIMATIC S7-300 CPU Vulnerability (ICSA-19-043-04, SSA-306710)

    Severity
    Critical4
    Qualys ID
    591196
    Date Published
    November 25, 2022
    Vendor Reference
    ICSA-19-043-04
    CVE Reference
    CVE-2018-16561
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    Siemens reports the following SIMATIC S7-300 CPU product is affected: SIMATIC S7-300 CPUs: All versions prior to v3.X.16

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of this vulnerability could crash the device being accessed, resulting in a denial-of-service condition.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-19-043-04 for affected packages and patching details.

    Patches
    ICSA-19-043-04, SSA-306710
  • CVE-2022-36361+
    QID: 591211
    Recently Published

    Siemens LOGO! 8 BM Devices Multiple Vulnerabilities (ICSA-22-286-13, SSA-955858)

    Severity
    Urgent5
    Qualys ID
    591211
    Date Published
    November 24, 2022
    Vendor Reference
    icsa-22-286-13
    CVE Reference
    CVE-2022-36361, CVE-2022-36362, CVE-2022-36363
    CVSS Scores
    Base 9.8 / Temporal 8.7
    Description

    AFFECTED PRODUCTS
    Siemens reports these vulnerabilities affect the following LOGO! 8 BM (Base Module) devices:
    LOGO! 8 BM (incl. SIPLUS variants): All versions

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely, put the device into a denial-of-service state, or retrieve parts of the memory.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section icsa-22-286-13 for affected packages and patching details.

  • CVE-2022-31630+
    QID: 38880
    Recently Published

    Hypertext Preprocessor (PHP) Multiple Security Vulnerabilities (81738, 81739)

    Severity
    Urgent5
    Qualys ID
    38880
    Date Published
    November 24, 2022
    Vendor Reference
    81738, 81739
    CVE Reference
    CVE-2022-31630, CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    CVE-2022-31630: In the installed version of PHP, when using the imageloadfont() function in the gd extension, it is possible to supply a specially crafted font file such that, if the loaded font is used with the imagechar() function, a read outside the allocated buffer occurs. This can lead to crashes or disclosure of confidential information.
    CVE-2022-37454: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.

    Affected Versions:
    PHP versions before 7.4.33
    PHP versions 8.0.0 prior to 8.0.25
    PHP versions 8.1.0 prior to 8.1.12

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Successful exploitation of the vulnerability may allow an attacker to crash the PHP process, cause a denial of service (DoS), or execute arbitrary code on the system.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information, please refer to Sec Bug 81739.

    Patches
    81738, 81739
  • CVE-2022-21587
    QID: 377792
    Under Investigation

    Oracle E-Business Suite Remote Code Execution (RCE) Vulnerability (CPUOCT2022)

    Severity
    Urgent5
    Qualys ID
    377792
    Vendor Reference
    ORACLE E-Business Suite cpuoct2022
    CVE Reference
    CVE-2022-21587
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle E-Business Suite is one of Oracle Corp.'s major product lines. Also known as Oracle EBS, it is an integrated set of business applications for automating customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management (SCM) processes within organizations.

    Affected Products:
    Oracle E-Business Suite versions 12.2.3 - 12.2.11
    QID Detection Logic (Auth):
    The QID relies only on the application's self-reported version number.

    Consequence
    Successful exploitation of these vulnerabilities affects the confidentiality, integrity and availability of the target system.
    Solution
    Refer to vendor advisory Oracle E-Business Suite OCTOBER 2022.
    Patches
    cpuoct2022
  • CVE-2022-45063
    QID: 283338
    Recently Published

    Fedora Security Update for xterm (FEDORA-2022-8cf76a9ceb)

    Severity
    Urgent5
    Qualys ID
    283338
    Date Published
    November 24, 2022
    Vendor Reference
    FEDORA-2022-8cf76a9ceb
    CVE Reference
    CVE-2022-45063
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for xterm to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-8cf76a9ceb
  • CVE-2022-37454
    QID: 283336
    Recently Published

    Fedora Security Update for python3.8 (FEDORA-2022-7798bf3aa3)

    Severity
    Urgent5
    Qualys ID
    283336
    Date Published
    November 24, 2022
    Vendor Reference
    FEDORA-2022-7798bf3aa3
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.8 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-7798bf3aa3
  • CVE-2022-43781
    QID: 150596
    In Development

    Atlassian Bitbucket Server and Data Center: Command Injection Vulnerability (CVE-2022-43781)

    Severity
    Urgent5
    Qualys ID
    150596
    Vendor Reference
    BSERV-13522, Bitbucket Security Advisory
    CVE Reference
    CVE-2022-43781
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

    In affected versions of Atlassian Bitbucket Server and Data Center, a command injection vulnerability exists in environment variables: an attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. The vulnerability can be exploited without authentication if the Bitbucket Server and Data Center instance has enabled "Allow public signup".

    Affected versions:
    Atlassian Bitbucket Server and Data Center version from 7.0.0 before version 7.6.19
    Atlassian Bitbucket Server and Data Center version from 7.7.0 before version 7.17.12
    Atlassian Bitbucket Server and Data Center version from 7.18.0 before version 7.21.6
    Atlassian Bitbucket Server and Data Center version from 7.22.0 before version 8.0.5
    Atlassian Bitbucket Server and Data Center version from 8.1.0 before version 8.1.5
    Atlassian Bitbucket Server and Data Center version from 8.2.0 before version 8.2.4
    Atlassian Bitbucket Server and Data Center version from 8.3.0 before version 8.3.3
    Atlassian Bitbucket Server and Data Center version from 8.4.0 before version 8.4.2

    QID Detection Logic (Unauthenticated):
    It checks for a vulnerable version of Atlassian Bitbucket Server.

    Consequence
    An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system.
    Solution
    The vendor has released a fix for this vulnerability. Customers are advised to refer to the Bitbucket Security Advisory for more information pertaining to this vulnerability.

    Patches
    BSERV-13522, Bitbucket Security Advisory
  • QID: 150568
    Under Investigation

    Potential Blind SQL Injection

    Severity
    Urgent5
    Qualys ID
    150568
    CVSS Scores
    Base 9.8 / Temporal 8
    Description
    Blind SQL injection is a specialized type of SQL injection that enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt, or delete data. A successful exploit manipulates the query's logic. Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. When any part of the string concatenation can be modified, an attacker has the ability to change the meaning of the query.

    Typical detection techniques for SQL injection vulnerabilities use a payload that attempts to produce an SQL error from the web application. Detection of blind SQL injection instead uses inference based on the differences among the application's responses to various payloads. It does not rely on error messages, which is beneficial when testing web applications that trap errors.

    The WAS scanning engine uses a well-known technique called True / False inference to determine if there is a blind SQL injection vulnerability. Basically, it uses two payloads: one with a True condition and another with a False condition. If there is a blind SQL injection vulnerability, the query with the True condition payload will cause the web application to return a different response than the False condition payload.

    A good example of a True condition payload is ' AND 1=1 (since 1 always equals 1, the condition is true). An example of a False condition payload is ' AND 1=2 (since 1 does not equal 2, the condition is false).

    Say there is a web application with an input that searches customer first names and displays the results inside a table. Assume that if someone searches for John there is one result only. When scanning for blind SQL injection, the scanning engine sends two payloads:
    - True condition payload: John' AND 1=1
    This condition is true, so one record is returned and the output is John, which is the same as if the payload was the name John by itself.
    - False condition payload: John' AND 1=2
    The condition is false, so no records are returned and the output is nothing or a message such as No Results Found.

    Seeing the difference in results, the scanning engine draws the conclusion that there is a blind SQL injection vulnerability.

    Consequence
    The scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.
    Solution
    SQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security.

    All input received from the client side should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address, and numeric fields like a USA zip code should be limited to five-digit values.

    Prepared statements (also referred to as parameterized queries) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query.

    Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated.

    SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.

    For more information, see the OWASP SQL Injection Prevention Cheat Sheet.

  • CVE-2017-15095+
    QID: 20303
    In Development

    Oracle Database 18c OJVM Critical Patch Update - July 2018

    Severity
    Critical4
    Qualys ID
    20303
    Vendor Reference
    cpujul2018
    CVE Reference
    CVE-2017-15095, CVE-2018-2939, CVE-2018-3004, CVE-2018-3110
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Patch Availability for Oracle Database 18 - 18.3.0, 18.2.1
    Customers are requested to refer to CPUJUL2018 to obtain details about how to deploy the update.
    Patches
    cpujul2018
  • CVE-2018-11058+
    QID: 20298
    In Development

    Oracle Database 18c Critical OJVM Patch Update - July 2019

    Severity
    Critical4
    Qualys ID
    20298
    Vendor Reference
    CPUJUL2019
    CVE Reference
    CVE-2018-11058, CVE-2019-2776, CVE-2019-2799, CVE-2019-2749, CVE-2019-2753, CVE-2019-2569, CVE-2016-9572, CVE-2019-2484
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJUL2019 to obtain details about how to deploy the update.
    Patches
    CPUJUL2019
  • CVE-2020-14743+
    QID: 20297
    In Development

    Oracle Database 18c Critical OJVM Patch Update - October 2020

    Severity
    Critical4
    Qualys ID
    20297
    Vendor Reference
    CPUOCT2020
    CVE Reference
    CVE-2020-14743, CVE-2020-14735, CVE-2020-14734, CVE-2020-9488, CVE-2020-11022, CVE-2020-14742, CVE-2019-12900, CVE-2020-13935, CVE-2016-1000031, CVE-2018-8013, CVE-2017-7658, CVE-2019-11358, CVE-2019-16335, CVE-2020-14745, CVE-2020-14744, CVE-2020-11022, CVE-2020-14740, CVE-2017-5645, CVE-2017-12626, CVE-2018-7489, CVE-2016-5725, CVE-2019-17359, CVE-2020-14743, CVE-2020-11023
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUOCT2020 to obtain details about how to deploy the update.
    Patches
    CPUOCT2020
  • CVE-2021-2035+
    QID: 20301
    In Development

    Oracle Database 18c OJVM Critical Patch Update - January 2021

    Severity
    Critical4
    Qualys ID
    20301
    Vendor Reference
    CPUJAN2021
    CVE Reference
    CVE-2021-2035, CVE-2021-2018, CVE-2021-2054, CVE-2021-1993, CVE-2021-2045, CVE-2021-2000, CVE-2020-10878, CVE-2020-10543, CVE-2020-12723
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJAN2021 to obtain details about how to deploy the update.
    Patches
    CPUJAN2021
  • CVE-2022-3551+
    QID: 199044
    Recently Published

    Ubuntu Security Notification for X.Org X Server Vulnerabilities (USN-5740-1)

    Severity
    Critical4
    Qualys ID
    199044
    Date Published
    November 24, 2022
    Vendor Reference
    USN-5740-1
    CVE Reference
    CVE-2022-3551, CVE-2022-3550
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for x.org to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5740-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5740-1
  • CVE-2018-2841
    QID: 20299
    Under Investigation

    Oracle Database 18c Critical OJVM Patch Update - April 2018

    Severity
    Critical4
    Qualys ID
    20299
    Vendor Reference
    cpuapr2018
    CVE Reference
    CVE-2018-2841
    CVSS Scores
    Base 8.5 / Temporal 7.4
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Patch Availability for Oracle Database 18 - 18.2.0
    Customers are requested to refer to CPUAPR2019 to obtain details about how to deploy the update.
    Patches
    cpuapr2018
  • CVE-2020-2510+
    QID: 20300
    In Development

    Oracle Database 18c Critical OJVM Patch Update - January 2020

    Severity
    Critical4
    Qualys ID
    20300
    Vendor Reference
    CPUJAN2020
    CVE Reference
    CVE-2020-2510, CVE-2020-2511, CVE-2020-2512, CVE-2020-2515, CVE-2020-2516, CVE-2020-2517, CVE-2020-2527, CVE-2020-2731, CVE-2020-2568, CVE-2020-2569, CVE-2019-10072, CVE-2018-11784, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232, CVE-2020-2518
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Oracle Database Patch Set Updates are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJAN2020 to obtain details about how to deploy the update.
    Patches
    CPUJAN2020
  • CVE-2018-16558+
    QID: 591210
    Recently Published

    Siemens SIMATIC S7-1500 CPU Improper Input Validation Multiple Vulnerabilities (ICSA-19-036-04, SSA-180635)

    Severity
    Critical4
    Qualys ID
    591210
    Date Published
    November 24, 2022
    Vendor Reference
    ICSA-19-036-04
    CVE Reference
    CVE-2018-16558, CVE-2018-16559
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    The following versions of SIMATIC S7-1500 CPU are affected:
    SIMATIC S7-1500 CPU all versions v1.8.5 and prior, and
    SIMATIC S7-1500 CPU all versions prior to v2.5 down to and including v2.0.

    QID Detection Logic (Authenticated):
    QID checks for the vulnerable version using passive scanning.

    Consequence
    Successful exploitation of these vulnerabilities could allow a denial of service condition of the device.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-19-036-04 for affected packages and patching details.

    Patches
    ICSA-19-036-04
  • CVE-2021-37185+
    QID: 591207
    Recently Published

    Siemens SIMATIC Industrial Products Denial of Service (DoS) Multiple Vulnerabilities (ICSA-22-041-01, SSA-838121)

    Severity
    Critical4
    Qualys ID
    591207
    Date Published
    November 24, 2022
    Vendor Reference
    icsa-22-041-01
    CVE Reference
    CVE-2021-37185, CVE-2021-37204, CVE-2021-37205
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    The following versions of Siemens Industrial Products with SIMATIC Firmware, a software platform, are affected:
    SIMATIC Drive Controller family: All versions prior to v2.9.4
    SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): All versions
    SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Ready4Linux: All versions
    SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants): All versions
    SIMATIC S7-1200 CPU family (incl. SIPLUS variants): Version 4.5.0 and all following versions prior to v4.5.2
    SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): Version 2.9.2 and all following versions prior to v2.9.4
    SIMATIC S7-1500 Software Controller: All versions
    SIMATIC S7-PLCSIM Advanced: All versions v4.0 SP1
    TIM 1531 IRC (incl. SIPLUS NET variants): Version 2.2 and all following versions

    QID Detection Logic (Authenticated):
    QID checks for the vulnerable version using passive scanning.

    Consequence
    Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to cause a denial-of-service condition.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section icsa-22-041-01 for affected packages and patching details.

    Patches
    icsa-22-041-01, ssa-838121
  • CVE-2017-14435+
    QID: 591206
    Recently Published

    Moxa EDR-810 Web Server strcmp Multiple Denial of Service (DoS) Multiple Vulnerabilities (TALOS-2017-0474)

    Severity
    Critical4
    Qualys ID
    591206
    Date Published
    November 24, 2022
    Vendor Reference
    TALOS-2017-0474
    CVE Reference
    CVE-2017-14435, CVE-2017-14436, CVE-2017-14437
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    Moxa EDR-810 V4.1 build 17030317

    QID Detection Logic (Authenticated):
    QID checks for the vulnerable version using passive scanning.

    Consequence
    An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section TALOS-2017-0474 for affected packages and patching details.

    Patches
    TALOS-2017-0474
  • CVE-2022-22517
    QID: 591203
    In Development

    CODESYS CODESYS V3 Small Space of Random Values Vulnerability (Advisory 2022-04 V4.0)

    Severity
    Critical4
    Qualys ID
    591203
    Vendor Reference
    Advisory 2022-04 V4.0
    CVE Reference
    CVE-2022-22517
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Multiple vulnerabilities were discovered in 3S-Smart CodeSYS V3.

    Affected Versions:
    versions prior to V3.5.18.0

    QID Detection Logic:
    The QID checks for App Paths\CODESYS.exe in HKLM in the Windows registry to check for a vulnerable version of the product.

    Consequence
    CODESYS protocol communication servers generate weak channel IDs, which can be guessed by attackers to disrupt ongoing communication.
    Solution
    The vendor has released a patched version. For more information, refer to Advisory 2022-04 V4.0.
    Patches
    Advisory 2022-04 V4.0
  • CVE-2022-30791+
    QID: 591202
    In Development

    CODESYS CODESYS V3 Uncontrolled Resource Consumption Multiple Vulnerabilities (Advisory 2022-09 V6.0)

    Severity
    Critical4
    Qualys ID
    591202
    Vendor Reference
    Advisory 2022-09 V6.0
    CVE Reference
    CVE-2022-30791, CVE-2022-30792
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Multiple vulnerabilities were discovered in 3S-Smart CodeSYS V3.

    Affected Versions:
    versions prior to V3.5.18.20

    QID Detection Logic:
    The QID checks for App Paths\CODESYS.exe in HKLM in the Windows registry to check for a vulnerable version of the product.

    Consequence
    An unauthenticated attacker is able to block all available TCP connections or communication channels, to prevent legitimate users or clients from establishing a new connection to the CODESYS runtime system.
    Solution
    The vendor has released a patched version. For more information, refer to Advisory 2022-09 V6.0.
    Patches
    Advisory 2022-09 V6.0
  • CVE-2022-45060+
    QID: 283337
    Recently Published

    Fedora Security Update for varnish (FEDORA-2022-babfbc2622)

    Severity
    Critical4
    Qualys ID
    283337
    Date Published
    November 24, 2022
    Vendor Reference
    FEDORA-2022-babfbc2622
    CVE Reference
    CVE-2022-45060, CVE-2022-45059
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for varnish to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-babfbc2622
  • CVE-2022-27451+
    QID: 199043
    Recently Published

    Ubuntu Security Notification for MariaDB Vulnerabilities (USN-5739-1)

    Severity
    Critical4
    Qualys ID
    199043
    Date Published
    November 24, 2022
    Vendor Reference
    USN-5739-1
    CVE Reference
    CVE-2022-27451, CVE-2022-27379, CVE-2022-27445, CVE-2022-27458, CVE-2022-32091, CVE-2022-32086, CVE-2022-32084, CVE-2022-27381, CVE-2022-27386, CVE-2022-32087, CVE-2022-27449, CVE-2022-32083, CVE-2022-27377, CVE-2022-21427, CVE-2022-27383, CVE-2021-46669, CVE-2018-25032, CVE-2022-27446, CVE-2022-27444, CVE-2022-27452, CVE-2022-27378, CVE-2022-32089, CVE-2022-27376, CVE-2022-27382, CVE-2022-27384, CVE-2022-27380, CVE-2022-32085, CVE-2022-27448, CVE-2022-32081, CVE-2022-27447, CVE-2022-27387, CVE-2022-27455, CVE-2022-27457, CVE-2022-27456, CVE-2022-32088, CVE-2022-32082
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Ubuntu has released a security update for mariadb to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5739-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5739-1
  • CVE-2022-43680
    QID: 199042
    Recently Published

    Ubuntu Security Notification for Expat Vulnerability (USN-5638-3)

    Severity
    Critical4
    Qualys ID
    199042
    Date Published
    November 24, 2022
    Vendor Reference
    USN-5638-3
    CVE Reference
    CVE-2022-43680
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Ubuntu has released a security update for expat to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5638-3 for updates and patch information.
    Patches
    Ubuntu Linux USN-5638-3
  • CVE-2022-1705+
    QID: 160322
    Recently Published

    Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-24267)

    Severity
    Critical4
    Qualys ID
    160322
    Date Published
    November 24, 2022
    Vendor Reference
    ELSA-2022-24267
    CVE Reference
    CVE-2022-1705, CVE-2022-30633, CVE-2022-32190, CVE-2022-28131, CVE-2022-30630, CVE-2022-32148, CVE-2022-1962, CVE-2022-41716, CVE-2022-32189, CVE-2022-2880, CVE-2022-30635, CVE-2022-30632, CVE-2022-30631, CVE-2022-2879, CVE-2022-41715, CVE-2022-27664
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for ol8addon to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-24267
    Patches
    Oracle Linux ELSA-2022-24267
  • CVE-2022-31630
    QID: 150595
    In Development

    PHP Insufficient Input Validation Vulnerability (CVE-2022-31630)

    Severity
    Critical4
    Qualys ID
    150595
    Vendor Reference
    Sec Bug 81739
    CVE Reference
    CVE-2022-31630
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

    In the installed version of PHP, when using the imageloadfont() function in the gd extension, it is possible to supply a specially crafted font file such that, if the loaded font is used with the imagechar() function, a read outside the allocated buffer occurs. This can lead to crashes or disclosure of confidential information.

    Affected Versions:
    PHP versions before 7.4.33
    PHP versions 8.0.0 prior to 8.0.25
    PHP versions 8.1.0 prior to 8.1.12

    QID Detection Logic (Unauthenticated):
    This QID checks the HTTP Server header to see if the server is running a vulnerable version of PHP.

    Consequence
    Successful exploitation of the vulnerability may allow an attacker to crash the PHP process, cause a denial of service (DoS), or disclose confidential information.

    Solution
    Customers are advised to upgrade to the latest version of PHP.
    For more information, please refer to Sec Bug 81739.

    Patches
    Sec Bug 81739
  • CVE-2019-2956+
    QID: 20302
    Under Investigation

    Oracle Database 18c OJVM Critical Patch Update - October 2019

    Severity
    Critical4
    Qualys ID
    20302
    Vendor Reference
    cpuoct2019
    CVE Reference
    CVE-2019-2956, CVE-2019-2913, CVE-2019-2939, CVE-2018-2875, CVE-2019-2734, CVE-2018-11784, CVE-2019-2954, CVE-2019-2955, CVE-2019-2940, CVE-2019-2909
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Patch Availability for Oracle Database 18 - 18.8.0.0.191015, 18.7.1.0.191015, 18.6.2.0.191015
    Customers are requested to refer to CPUOCT2019 to obtain details about how to deploy the update.
    Patches
    cpuoct2019
  • CVE-2021-46854
    QID: 181245
    Recently Published

    Debian Security Update for proftpd-dfsg (CVE-2021-46854)

    Severity
    Serious3
    Qualys ID
    181245
    Date Published
    November 24, 2022
    Vendor Reference
    CVE-2021-46854
    CVE Reference
    CVE-2021-46854
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released a security update for proftpd-dfsg to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory CVE-2021-46854 for updates and patch information.
    Patches
    Debian CVE-2021-46854
  • CVE-2021-40404
    QID: 591209
    Recently Published

    Reolink RLC-410W cgiserver.cgi Login authentication bypass Vulnerability (TALOS-2021-1420)

    Severity
    Serious3
    Qualys ID
    591209
    Date Published
    November 24, 2022
    Vendor Reference
    TALOS-2021-1420
    CVE Reference
    CVE-2021-40404
    CVSS Scores
    Base 6.5 / Temporal 6
    Description

    AFFECTED PRODUCTS
    Reolink RLC-410W v3.0.0.136_20121102

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section TALOS-2021-1420 for affected packages and patching details.

  • CVE-2022-40631
    QID: 591205
    Recently Published

    Siemens SCALANCE X-200 and X-200IRT Families Cross-Site Scripting (XSS) Vulnerability (ICSA-22-286-15, ssa-501891)

    Severity
    Serious3
    Qualys ID
    591205
    Date Published
    November 24, 2022
    Vendor Reference
    icsa-22-286-15
    CVE Reference
    CVE-2022-40631
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description

    AFFECTED PRODUCTS
    The following versions of SCALANCE X-200 and X-200IRT devices, industrial ethernet switches, are affected:
    SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.0
    SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.0
    SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.0
    SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.0
    SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.0
    SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.0
    SCALANCE X204-2 (6GK5204-2BB10-2AA3): All versions prior to V5.2.5
    SCALANCE X204-2FM (6GK5204-2BB11-2AA3): All versions prior to V5.2.5
    SCALANCE X204-2LD (6GK5204-2BC10-2AA3): All versions prior to V5.2.5
    SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2): All versions prior to V5.2.5
    SCALANCE X204-2TS (6GK5204-2BB10-2CA2): All versions prior to V5.2.5
    SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.0
    SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.0
    SCALANCE X206-1 (6GK5206-1BB10-2AA3): All versions prior to V5.2.5
    SCALANCE X206-1LD (6GK5206-1BC10-2AA3): All versions prior to V5.2.5
    SCALANCE X208 (6GK5208-0BA10-2AA3): All versions prior to V5.2.5
    SCALANCE X208PRO (6GK5208-0HA10-2AA6): All versions prior to V5.2.5
    SCALANCE X212-2 (6GK5212-2BB00-2AA3): All versions prior to V5.2.5
    SCALANCE X212-2LD (6GK5212-2BC00-2AA3): All versions prior to V5.2.5
    SCALANCE X216 (6GK5216-0BA00-2AA3): All versions prior to V5.2.5
    SCALANCE X224 (6GK5224-0BA00-2AA3): All versions prior to V5.2.5
    SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.0
    SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.0
    SCALANCE XF204 (6GK5204-0BA00-2AF2): All versions prior to V5.2.5
    SCALANCE XF204-2 (6GK5204-2BC00-2AF2): All versions prior to V5.2.5
    SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.0
    SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.0
    SCALANCE XF206-1 (6GK5206-1BC00-2AF2): All versions prior to V5.2.5
    SCALANCE XF208 (6GK5208-0BA00-2AF2): All versions prior to V5.2.5
    SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.0

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of this vulnerability could allow an attacker to steal session cookies and hijack a session.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section icsa-22-286-15 for affected packages and patching details.

    Patches
    icsa-22-286-15, ssa-501891
  • CVE-2022-41858
    QID: 181244
    Recently Published

    Debian Security Update for linux (CVE-2022-41858)

    Severity
    Serious3
    Qualys ID
    181244
    Date Published
    November 24, 2022
    Vendor Reference
    CVE-2022-41858
    CVE Reference
    CVE-2022-41858
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Debian has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory CVE-2022-41858 for updates and patch information.
    Patches
    Debian CVE-2022-41858
  • CVE-2016-3963
    QID: 591208
    Recently Published

    Siemens SCALANCE S613 Denial of Service (DoS) Vulnerability (ICSA-16-103-02, SSA-751155)

    Severity
    Serious3
    Qualys ID
    591208
    Date Published
    November 24, 2022
    Vendor Reference
    ICSA-16-103-02
    CVE Reference
    CVE-2016-3963
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description

    AFFECTED PRODUCTS
    The following Siemens SCALANCE versions are affected:
    SCALANCE S613 (MLFB: 6GK5613-0BA00-2AA3): All versions.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    An attacker exploiting this vulnerability can cause the device to enter a state that requires a manual reboot to recover.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-16-103-02 for affected packages and patching details.

    Patches
    ICSA-16-103-02
  • CVE-2022-38157+
    QID: 591204
    In Development

    MOXA VPort Series Improper Input Validation Multiple Vulnerabilities (MPSA-221102)

    Severity
    Serious3
    Qualys ID
    591204
    Vendor Reference
    MPSA-221102
    CVE Reference
    CVE-2022-38157, CVE-2022-38158, CVE-2022-38159
    CVSS Scores
    Base 0 / Temporal 0
    Description

    AFFECTED PRODUCTS
    VPort P16-1MP-M12 Firmware Version v1.3 or lower.
    VPort P16-1MP-M12-IR Firmware Version v1.4 or lower.
    VPort P06-1MP-M12 Firmware Version v2.6 or lower.

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of the improper input validation control could allow a remote attacker to cause the RTSP service to crash.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section MPSA-221102 for affected packages and patching details.

    Patches
    MPSA-221102
  • CVE-2019-12418+
    QID: 20291
    In Development

    Oracle Database 18c Critical OJVM Patch Update - April 2020

    Severity
    Urgent5
    Qualys ID
    20291
    Vendor Reference
    CPUAPR2020
    CVE Reference
    CVE-2019-12418, CVE-2019-17563, CVE-2019-18197, CVE-2019-2756, CVE-2019-2759, CVE-2019-2852, CVE-2019-2853, CVE-2020-2734, CVE-2020-2735, CVE-2020-2737, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2773, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805, CVE-2020-2830
    CVSS Scores
    Base 8.3 / Temporal 7.2
    Description
    Oracle Database Patch Set Updates are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUAPR2020 to obtain details about how to deploy the update.
    Patches
    CPUAPR2020
  • CVE-2019-2444+
    QID: 20296
    In Development

    Oracle Database 18c Critical OJVM Patch Update - January 2019

    Severity
    Urgent5
    Qualys ID
    20296
    Vendor Reference
    cpujan2019
    CVE Reference
    CVE-2019-2444, CVE-2019-2406, CVE-2019-2547
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Patch Availability for Oracle Database 18 - 18.5.0, 18.4.1, 18.3.2
    Customers are requested to refer to CPUJAN2019 to obtain details about how to deploy the update.
    Patches
    cpujan2019
  • CVE-2018-11058+
    QID: 20295
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - July 2019

    Severity
    Critical4
    Qualys ID
    20295
    Date Published
    November 24, 2022
    Vendor Reference
    CPUJUL2019
    CVE Reference
    CVE-2018-11058, CVE-2019-2776, CVE-2019-2749
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJUL2019 to obtain details about how to deploy the update.
    Patches
    CPUJUL2019
  • CVE-2020-2969+
    QID: 20292
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - July 2020

    Severity
    Critical4
    Qualys ID
    20292
    Vendor Reference
    CPUJUL2020
    CVE Reference
    CVE-2020-2969, CVE-2020-2978, CVE-2019-13990, CVE-2019-17569, CVE-2020-2968, CVE-2016-1000031
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2020 to obtain details about how to deploy the update.

    Patches
    CPUJUL2020
  • CVE-2016-1000031+
    QID: 20288
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - October 2020

    Severity
    Critical4
    Qualys ID
    20288
    Date Published
    November 24, 2022
    Vendor Reference
    CPUOCT2020
    CVE Reference
    CVE-2016-1000031, CVE-2017-7658, CVE-2018-8013, CVE-2019-11358, CVE-2019-11922, CVE-2019-12900, CVE-2019-16335, CVE-2019-17543, CVE-2020-11022, CVE-2020-11023, CVE-2020-13935, CVE-2020-14734, CVE-2020-14735, CVE-2020-14742, CVE-2020-14743, CVE-2020-14744, CVE-2020-14745, CVE-2020-14901, CVE-2020-9488, CVE-2020-14901
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOCT2020 to obtain details about how to deploy the update.
    Patches
    CPUOCT2020
  • CVE-2017-10282+
    QID: 20294
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2018

    Severity
    Critical4
    Qualys ID
    20294
    Vendor Reference
    CPUJAN2018
    CVE Reference
    CVE-2017-10282, CVE-2018-2680, CVE-2017-12617
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJAN2018 to obtain details about how to deploy the update.

    Patches
    CPUJAN2018
  • CVE-2019-2571+
    QID: 20293
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - April 2019

    Severity
    Critical4
    Qualys ID
    20293
    Vendor Reference
    CPUAPR2019
    CVE Reference
    CVE-2019-2571, CVE-2019-2582, CVE-2019-2517, CVE-2019-2516, CVE-2019-2619, CVE-2019-2518
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2019 to obtain details about how to deploy the update.

    Patches
    CPUAPR2019
  • CVE-2020-2510+
    QID: 20287
    Recently Published

    Oracle Database 19c OJVM Critical Patch Update - January 2020

    Severity
    Critical4
    Qualys ID
    20287
    Date Published
    November 24, 2022
    Vendor Reference
    CPUJAN2020
    CVE Reference
    CVE-2020-2510, CVE-2020-2511, CVE-2020-2512, CVE-2020-2515, CVE-2020-2516, CVE-2020-2517, CVE-2020-2527, CVE-2020-2731, CVE-2020-2568, CVE-2020-2569, CVE-2019-10072, CVE-2018-11784, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232, CVE-2020-2518
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    OJVM Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJAN2020 to obtain details about how to deploy the update.
    Patches
    CPUJAN2020
  • CVE-2022-27241
    QID: 591200
    In Development

    Siemens Mendix (Update B) Sensitive Information Disclosure Vulnerability (icsa-22-104-07, SSA-414513)

    Severity
    Critical4
    Qualys ID
    591200
    Vendor Reference
    icsa-22-104-07
    CVE Reference
    CVE-2022-27241
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description

    AFFECTED PRODUCTS
    The following versions of Mendix, a software platform to build mobile and web applications, are affected:
    Mendix applications using Mendix 7: All versions prior to 7.23.31
    Mendix applications using Mendix 8: All versions prior to 8.18.18
    Mendix applications using Mendix 9: All versions prior to 9.11
    Mendix applications using Mendix 9 (v9.6): All versions prior to 9.6.12

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of Siemens using registry "HKLM\SOFTWARE\Siemens"

    Consequence
    Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to read sensitive data.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section icsa-22-104-07 for affected packages and patching details.

    Patches
    icsa-22-104-07, ssa-414513
  • CVE-2021-35619+
    QID: 20290
    In Development

    Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2021

    Severity
    Critical4
    Qualys ID
    20290
    Vendor Reference
    CPUOCT2021
    CVE Reference
    CVE-2021-35619, CVE-2021-2332, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-35576, CVE-2021-29425, CVE-2021-35579, CVE-2020-27824, CVE-2021-25122
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 12.2.0.1

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOct2021 to obtain details about how to deploy the update.

    Patches
    CPUOCT2021
  • CVE-2022-21247+
    QID: 20289
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - January 2022

    Severity
    Critical4
    Qualys ID
    20289
    Date Published
    November 24, 2022
    Vendor Reference
    CPUJAN2022
    CVE Reference
    CVE-2022-21247, CVE-2021-45105, CVE-2022-21393, CVE-2022-21393, CVE-2022-21349, CVE-2022-21291, CVE-2022-21305, CVE-2022-21360, CVE-2022-21365, CVE-2022-21282, CVE-2022-21296, CVE-2022-21299, CVE-2022-21271, CVE-2022-21283, CVE-2022-21293, CVE-2022-21294, CVE-2022-21340, CVE-2022-21341, CVE-2022-21248
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJan2022 to obtain details about how to deploy the update.

    Patches
    CPUJAN2022
  • CVE-2017-3737
    QID: 591201
    In Development

    Siemens WinCC (TIA Portal), IPC Diagbase and Simatic Step 7 (TIA Portal) Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (SSA-179516)

    Severity
    Serious3
    Qualys ID
    591201
    Vendor Reference
    SSA-179516
    CVE Reference
    CVE-2017-3737
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Several Siemens industrial products are affected by a vulnerability in OpenSSL that could result in data being sent out unencrypted by the SSL/TLS record layer.

    AFFECTED PRODUCTS
    SIMATIC IPC DiagBase: all versions prior to V2.1.1.0
    SIMATIC WinCC (TIA Portal): all versions prior to V13 SP2 Update 2
    SIMATIC WinCC (TIA Portal): all versions prior to V14 SP1 Update 6
    SIMATIC WinCC (TIA Portal): all versions prior to V15 Update 2
    SIMATIC STEP 7 (TIA Portal) v13: all versions prior to V13 SP2 Update 2
    SIMATIC STEP 7 (TIA Portal) v14: all versions prior to V14 SP1 Update 6
    SIMATIC STEP 7 (TIA Portal) v15: all versions prior to V15 Update 2

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of Siemens using registry "HKLM\SOFTWARE\Siemens"

    Consequence
    Successful exploitation of the vulnerability could allow compromising confidentiality of data by transmitting it unencrypted over the network.
    Solution
    https://cert-portal.siemens.com/productcert/pdf/ssa-179516.pdf
    Patches
    SSA-179516
  • CVE-2021-22569+
    QID: 20285
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - April 2022

    Severity
    Urgent5
    Qualys ID
    20285
    Date Published
    November 24, 2022
    Vendor Reference
    CPUAPR2022
    CVE Reference
    CVE-2021-22569, CVE-2022-21410, CVE-2021-2464, CVE-2022-21498, CVE-2021-42340, CVE-2022-21449, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-23990, CVE-2022-23852, CVE-2022-21411
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2022 to obtain details about how to deploy the update.

    Patches
    CPUAPR2022
  • CVE-2018-7489+
    QID: 20284
    In Development

    Oracle Database 18c Critical OJVM Patch Update - October 2018

    Severity
    Critical4
    Qualys ID
    20284
    Vendor Reference
    CPUOCT2018
    CVE Reference
    CVE-2018-7489, CVE-2018-3259
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOCT2018 to obtain details about how to deploy the update.

    Patches
    cpuoct2018
  • CVE-2019-2571+
    QID: 20282
    In Development

    Oracle Database 18c Critical OJVM Patch Update - April 2019

    Severity
    Critical4
    Qualys ID
    20282
    Vendor Reference
    CPUAPR2019
    CVE Reference
    CVE-2019-2571, CVE-2019-2582, CVE-2019-2517, CVE-2019-2516, CVE-2019-2619, CVE-2019-2518
    CVSS Scores
    Base 9.1 / Temporal 7.9
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 18c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2019 to obtain details about how to deploy the update.

    Patches
    CPUAPR2019
  • CVE-2019-12418+
    QID: 20283
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - April 2020

    Severity
    Critical4
    Qualys ID
    20283
    Date Published
    November 24, 2022
    Vendor Reference
    CPUAPR2020
    CVE Reference
    CVE-2019-12418, CVE-2019-17563, CVE-2019-18197, CVE-2019-2756, CVE-2019-2759, CVE-2019-2852, CVE-2019-2853, CVE-2020-2734, CVE-2020-2735, CVE-2020-2737, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2773, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805, CVE-2020-2830
    CVSS Scores
    Base 8.3 / Temporal 7.2
    Description
    Oracle Database Patch Set Updates are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUAPR2020 to obtain details about how to deploy the update.
    Patches
    CPUAPR2020
  • CVE-2022-20854
    QID: 317280
    In Development

    Cisco Firepower Threat Defense (FTD) Software SSH Denial of Service (DoS) Vulnerability (cisco-sa-fmc-dos-OwEunWJN)

    Severity
    Critical4
    Qualys ID
    317280
    Vendor Reference
    cisco-sa-fmc-dos-OwEunWJN
    CVE Reference
    CVE-2022-20854
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the processing of SSH connections of Cisco Firepower Threat Defense (FTD) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    Affected Products
    This vulnerability affects Cisco products if they are running a vulnerable release of Cisco FTD Software that is in the default configuration.
    From 6.1.0 prior to 7.0.5

    QID Detection Logic (Authenticated):
    This QID will check the version retrieved via Unix Auth using "show version" command.

    Consequence
    A successful exploit could allow the attacker to cause resource exhaustion, resulting in a reboot on the affected device.

    Solution

    Customers are advised to refer to cisco-sa-fmc-dos-OwEunWJN for more information.

    Patches
    cisco-sa-fmc-dos-OwEunWJN
  • CVE-2021-20271+
    QID: 330113
    In Development

    IBM AIX Multiple Vulnerabilities due to RPM (rpm_advisory)

    Severity
    Critical4
    Qualys ID
    330113
    Vendor Reference
    rpm_advisory
    CVE Reference
    CVE-2021-20271, CVE-2021-3421, CVE-2021-20266
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) due to RPM. RPM is used by AIX for package management.

    Affected Versions:
    AIX 7.1, 7.2, 7.3

    QID Detection logic:
    This QID checks for the vulnerable versions of AIX.

    Consequence
    A successful exploit could lead to denial of service, arbitrary code execution and RPM database corruption.

    Solution
    The vendor has released fixes to resolve this vulnerability. Refer to AIX rpm_advisory to obtain more information.
    Patches
    rpm_advisory
  • CVE-2021-20587+
    QID: 591195
    In Development

    Mitsubishi Electric FA Engineering Software Products (Update F) Multiple Vulnerabilities (ICSA-21-049-02)

    Severity
    Urgent5
    Qualys ID
    591195
    Vendor Reference
    ICSA-21-049-02
    CVE Reference
    CVE-2021-20587, CVE-2021-20588
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Vulnerabilities: Heap-based Buffer Overflow, Improper Handling of Length Parameter Inconsistency

    AFFECTED PRODUCTS
    CW Configurator, Versions 1.011M and prior
    MELSOFT Navigator, Versions 2.74C and prior

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of using passive scanning

    Consequence
    Successful exploitation of these vulnerabilities may cause a denial-of-service.
    Solution
    https://www.cisa.gov/uscert/ics/advisories/icsa-21-049-02
    Patches
    ICSA-21-049-02
  • CVE-2020-2969+
    QID: 20281
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - July 2020

    Severity
    Critical4
    Qualys ID
    20281
    Date Published
    November 24, 2022
    Vendor Reference
    CPUJUL2020
    CVE Reference
    CVE-2020-2969, CVE-2020-2978, CVE-2019-13990, CVE-2019-17569, CVE-2020-2968, CVE-2016-1000031
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table name DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2020 to obtain details about how to deploy the update.

    Patches
    CPUJUL2020
  • CVE-2022-36881
    QID: 770166
    Recently Published

    Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:7865)

    Severity
    Critical4
    Qualys ID
    770166
    Date Published
    November 24, 2022
    Vendor Reference
    RHSA-2022:7865
    CVE Reference
    CVE-2022-36881
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

    Security Fix(es):
    • jenkins-plugin: man-in-the-middle (mitm) in

    Affected Products:

    • Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
    • Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
    • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
    • Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:7865 for updates and patch information.
    Patches
    Red Hat Enterprise Linux CoreOS RHSA-2022:7865
  • CVE-2022-24309
    QID: 591198
    In Development

    Siemens Mendix XPath Constraint Vulnerability (SSA-148641)

    Severity
    Critical4
    Qualys ID
    591198
    Vendor Reference
    SSA-148641
    CVE Reference
    CVE-2022-24309
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    An XPath constraint vulnerability was discovered in the Mendix Runtime that can affect running applications.

    AFFECTED PRODUCTS
    The following versions of Mendix, a software platform to build mobile and web applications, are affected:
    Mendix applications using Mendix 7: All versions prior to 7.23.29
    Mendix applications using Mendix 8: All versions prior to 8.18.16
    Mendix applications using Mendix 9: All versions

    QID Detection Logic (Authenticated):
    QID checks for the Vulnerable version of Siemens using registry "HKLM\SOFTWARE\Siemens"

    Consequence
    The vulnerability could allow a malicious user to deduce contents of inaccessible attributes and modify sensitive data.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section SSA-148641 for affected packages and patching details.

    Patches
    SSA-148641
  • CVE-2022-20947
    QID: 317279
    Recently Published

    Cisco Firepower Threat Defense (FTD) Software Dynamic Access Policies Denial of Service (DoS) Vulnerability (cisco-sa-asa-ftd-dap-dos-GhYZBxDU)

    Severity
    Critical4
    Qualys ID
    317279
    Date Published
    November 24, 2022
    Vendor Reference
    cisco-sa-asa-ftd-dap-dos-GhYZBxDU
    CVE Reference
    CVE-2022-20947
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in dynamic access policies (DAP) functionality of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

    Affected Products
    This vulnerability affects Cisco products if they are running a vulnerable release of Cisco Firepower Threat Defense (FTD) Software:

    QID Detection Logic (Authenticated):
    This QID checks the version retrieved via Unix authentication using the "show version" command.
    Note: This QID only works in diagnostic console mode. Workaround commands need to be run in expert mode. Hence the QID is kept as practice.

    Consequence
    A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

    Solution

    Customers are advised to refer to cisco-sa-ssl-client-dos-cCrQPkA for more information.

    Patches
    cisco-sa-asa-ftd-dap-dos-GhYZBxDU
  • CVE-2022-21587
    QID: 730670
    Under Investigation

    Oracle E-Business Suite Multiple Vulnerabilities (CPUOCT2022)

    Severity
    Urgent5
    Qualys ID
    730670
    Vendor Reference
    ORACLE E-Business Suite cpuoct2022
    CVE Reference
    CVE-2022-21587
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle E-Business Suite is one of Oracle Corp.'s major product lines. Also known as Oracle EBS, it is an integrated set of business applications for automating customer relationship management (CRM), enterprise resource planning (ERP) and supply chain management (SCM) processes within organizations.

    Affected Products:
    Oracle E-Business Suite versions 12.2.3 - 12.2.11
    QID Detection Logic (Unauthenticated):
    This QID relies only on the application's self-reported version number.

    Consequence
    Successful exploitation of these vulnerabilities affects confidentiality, integrity and availability of the target system.
    Solution
    Refer to vendor advisory Oracle E-Business Suite OCTOBER 2022.
    Patches
    cpuoct2022
  • CVE-2019-2518
    QID: 20280
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - April 2019

    Severity
    Critical4
    Qualys ID
    20280
    Date Published
    November 24, 2022
    Vendor Reference
    CPUAPR2019
    CVE Reference
    CVE-2019-2518
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the table DBA_REGISTRY_SQLPATCH for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2019 to obtain details about how to deploy the update.

    Patches
    CPUAPR2019
  • CVE-2020-29040
    QID: 377780
    Under Investigation

    Citrix XenServer Security Updates (CTX286511)

    Severity
    Serious3
    Qualys ID
    377780
    Vendor Reference
    CTX286511
    CVE Reference
    CVE-2020-29040
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    A security issue has been identified that may allow privileged code running in a guest VM to compromise the host. This issue is limited to only those guest VMs where the host administrator has explicitly assigned a PCI passthrough device to the guest VM.

    Affected Products:
    Citrix XenServer 7.1 LTSR, Citrix XenServer 7.0
    Note: This QID detects only Citrix XenServer 7.1 LTSR and Citrix XenServer 7.0.

    QID Detection Logic (Authenticated):
    OS:Citrix XenServer
    The QID checks whether the hotfixes are applied on the vulnerable versions of Citrix XenServer.

    Consequence
    A vulnerable version may allow privileged code running in a guest VM to compromise the host.
    Solution

    Hotfixes have been released for Citrix XenServer to address these issues. Refer to CTX286511 to obtain more information.

    Patches
    CTX286511
  • QID: 45549
    Under Investigation

    Netlogon Remote Protocol Remote Procedure Call (RPC) Seal is Enabled

    Severity
    Minimal1
    Qualys ID
    45549
    CVSS Scores
    Base / Temporal
    Description
    The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.

    The Windows host has "enforcement mode" enabled for Netlogon secure channel connections.

    QID Detection Logic (authenticated):
    This QID checks the registry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" and value "RequireSeal" to see if Enforcement Mode is enabled on the host.

    Consequence
    N/A
    Solution
    N/A
  • CVE-2020-29479+
    QID: 377779
    Under Investigation

    Citrix XenServer Security Updates (CTX286756)

    Severity
    Serious3
    Qualys ID
    377779
    Vendor Reference
    CTX286756
    CVE Reference
    CVE-2020-29479, CVE-2020-29480, CVE-2020-29481, CVE-2020-29482, CVE-2020-29485, CVE-2020-29486, CVE-2020-29487, CVE-2020-29568, CVE-2020-29569, CVE-2020-29570
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    Several security issues have been identified:
    CVE-2020-29479: An attacker with the ability to execute privileged mode code in a guest can compromise the host.
    CVE-2020-29480: An attacker with the ability to execute privileged mode code in a guest can read non-sensitive metadata about another guest.
    CVE-2020-29481: An attacker with the ability to execute privileged mode code in a guest can read data previously shared, using the Xenstore API, between two other guests.
    CVE-2020-29482: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.
    CVE-2020-29485: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.
    CVE-2020-29486: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host or a selected other VM.
    CVE-2020-29487: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.
    CVE-2020-29568: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.
    CVE-2020-29569: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.
    CVE-2020-29570: An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host.

    Affected Products:
    Citrix XenServer 7.1 LTSR, Citrix XenServer 7.0
    Note: This QID detects only Citrix XenServer 7.1 LTSR and Citrix XenServer 7.0.

    QID Detection Logic (Authenticated):
    OS: Citrix XenServer
    The QID checks whether the hotfixes are applied on the vulnerable versions of Citrix XenServer.

    Consequence
    A vulnerable version could allow privileged code running in a guest VM to compromise the host or cause a denial of service.
    Solution

    Hotfixes have been released for Citrix XenServer to address these issues. Refer to CTX286756 to obtain more information.

    Patches
    CTX286756
  • CVE-2021-27379+
    QID: 377778
    Under Investigation

    Citrix XenServer Security Updates (CTX316324)

    Severity
    Serious3
    Qualys ID
    377778
    Vendor Reference
    CTX316324
    CVE Reference
    CVE-2021-27379, CVE-2021-28692, CVE-2021-0089, CVE-2021-26313
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description

    Security issues have been identified that affect Citrix XenServer:
    CVE-2021-27379: Privileged code in a guest VM may cause the host to crash or become unresponsive.
    CVE-2021-28692: Privileged code in a guest VM may cause the host to crash or become unresponsive.
    CVE-2021-0089/CVE-2021-26313: Malicious code running on a CPU could infer the value of registers or memory belonging to other processes running on that CPU.

    Affected Products:
    Citrix XenServer 7.1 LTSR CU2
    Note: This QID detects only Citrix XenServer 7.1 LTSR.

    QID Detection Logic (Authenticated):
    OS: Citrix XenServer
    The QID checks whether the hotfixes are applied on the vulnerable versions of Citrix XenServer.

    Consequence
    A vulnerable version could allow privileged code in a guest VM to cause the host to crash or become unresponsive.
    Solution

    Hotfixes have been released for Citrix XenServer to address these issues. Refer to CTX316324 to obtain more information.

    Patches
    CTX316324
  • CVE-2022-23034+
    QID: 377775
    Under Investigation

    Security Advisory for Citrix XenServer (CTX337526)

    Severity
    Serious3
    Qualys ID
    377775
    Vendor Reference
    CTX337526
    CVE Reference
    CVE-2022-23034, CVE-2022-23035, CVE-2021-0145
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description

    Several security issues have been identified that affect Citrix XenServer:
    CVE-2022-23034: An issue has been identified that may allow privileged code in a PV guest VM to cause the host to crash.
    CVE-2022-23035: An issue has been identified that may allow privileged code in a guest VM to cause the host to crash. This issue only affects systems where the malicious guest VM has had a physical PCI device assigned through to it by the host administrator using the PCI passthrough feature.
    CVE-2021-0145: Intel has disclosed an issue that affects Intel CPU hardware together with corresponding microcode updates. Although this is not an issue in the Citrix Hypervisor product itself, Citrix is releasing hotfixes that include the updated microcode together with the product changes needed to support the new microcode.

    Affected Products:
    Citrix XenServer 7.1 CU2 LTSR
    Note: This QID detects only Citrix XenServer 7.1 LTSR.

    QID Detection Logic (Authenticated):
    OS: Citrix XenServer
    The QID checks whether the hotfixes are applied on the vulnerable versions of Citrix XenServer.

    Consequence
    A vulnerable version could allow privileged code in a guest VM to cause the host to crash.
    Solution

    Hotfixes have been released for Citrix XenServer to address these issues. Refer to CTX337526 to obtain more information.

    Patches
    CTX337526
  • CVE-2021-25122+
    QID: 730668
    Recently Published

    Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)

    Severity
    Urgent5
    Qualys ID
    730668
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.43
    CVE Reference
    CVE-2021-25122, CVE-2020-9484, CVE-2021-25329
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.

    Affected versions:
    Apache Tomcat 9.0.0.M1 to 9.0.41

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-42340
    QID: 730667
    Recently Published

    Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)

    Severity
    Urgent5
    Qualys ID
    730667
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.54
    CVE Reference
    CVE-2021-42340
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

    Affected versions:
    Apache Tomcat 9.0.40 to 9.0.53

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-25329+
    QID: 730662
    Recently Published

    Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)

    Severity
    Urgent5
    Qualys ID
    730662
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.63
    CVE Reference
    CVE-2021-25329, CVE-2021-25122, CVE-2020-9484
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.

    Affected versions:
    Apache Tomcat 8.5.0 to 8.5.61

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-42340
    QID: 730661
    Recently Published

    Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)

    Severity
    Urgent5
    Qualys ID
    730661
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.72
    CVE Reference
    CVE-2021-42340
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

    Affected versions:
    Apache Tomcat 8.5.60 to 8.5.71

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-43980
    QID: 730665
    Recently Published

    Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)

    Severity
    Critical4
    Qualys ID
    730665
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.62
    CVE Reference
    CVE-2021-43980
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

    Affected versions:
    Apache Tomcat 9.0.0-M1 to 9.0.60

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-43980
    QID: 730659
    Recently Published

    Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)

    Severity
    Critical4
    Qualys ID
    730659
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.78
    CVE Reference
    CVE-2021-43980
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

    Affected versions:
    Apache Tomcat 8.5.0 to 8.5.77

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-42252
    QID: 730663
    Recently Published

    Apache Tomcat request smuggling Vulnerability (CVE-2022-42252)

    Severity
    Medium2
    Qualys ID
    730663
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.68
    CVE Reference
    CVE-2022-42252
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

    Affected versions:
    Apache Tomcat 9.0.0-M1 to 9.0.67

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-42252
    QID: 730657
    Recently Published

    Apache Tomcat request smuggling Vulnerability (CVE-2022-42252)

    Severity
    Medium2
    Qualys ID
    730657
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.83
    CVE Reference
    CVE-2022-42252
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

    Affected versions:
    Apache Tomcat 8.5.0 to 8.5.82

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-23181+
    QID: 730666
    Recently Published

    Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)

    Severity
    Medium2
    Qualys ID
    730666
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.58
    CVE Reference
    CVE-2022-23181, CVE-2020-9484
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

    Affected versions:
    Apache Tomcat 9.0.35 to 9.0.56

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-23181+
    QID: 730660
    Recently Published

    Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)

    Severity
    Medium2
    Qualys ID
    730660
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.75
    CVE Reference
    CVE-2022-23181, CVE-2020-9484
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

    Affected versions:
    Apache Tomcat 8.5.55 to 8.5.73

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-34305
    QID: 730664
    Recently Published

    Apache Tomcat Cross-Site Scripting (XSS) in examples web application Vulnerability (CVE-2022-34305)

    Severity
    Medium2
    Qualys ID
    730664
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_9.0.65
    CVE Reference
    CVE-2022-34305
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

    Affected versions:
    Apache Tomcat 9.0.30 to 9.0.64

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-34305
    QID: 730658
    Recently Published

    Apache Tomcat Cross-Site Scripting (XSS) in examples web application Vulnerability (CVE-2022-34305)

    Severity
    Medium2
    Qualys ID
    730658
    Date Published
    November 24, 2022
    Vendor Reference
    Apache_Tomcat_8.5.82
    CVE Reference
    CVE-2022-34305
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

    Affected versions:
    Apache Tomcat 8.5.50 to 8.5.81

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms that a vulnerable instance of Apache Tomcat is running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-3386+
    QID: 591182
    Recently Published

    Advantech R-SeeNet Multiple Vulnerabilities (ICSA-22-291-01) (CVE-2022-3386,CVE-2022-3385)

    Severity
    Urgent5
    Qualys ID
    591182
    Date Published
    November 24, 2022
    Vendor Reference
    ICSA-22-291-01
    CVE Reference
    CVE-2022-3386, CVE-2022-3385
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description

    AFFECTED PRODUCTS
    The following versions of R-SeeNet, a monitoring application, are affected:
    R-SeeNet Version 2.4.17 and prior

    QID Detection Logic (Authenticated)
    The QID checks for the vulnerable version using Windows registry keys.

    Consequence
    Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-22-291-01 for affected packages and patching details.

    Patches
    ICSA-22-291-01
  • QID: 150594
    Recently Published

    Spring Boot Misconfiguration: Actuator Endpoint Security Disabled

    Severity
    Serious3
    Qualys ID
    150594
    Date Published
    November 24, 2022
    CVSS Scores
    Base 7.5 / Temporal 7
    Description
    Spring Boot Actuator is a sub-project of Spring Boot. Actuator is mainly used to expose operational information about the running application.

    Several built-in Actuator endpoints may expose sensitive data and are labeled as "sensitive". This web application is configured with management.endpoints.web.expose=* or management.endpoints.web.exposure.include=*, which exposes all Spring Boot Actuator endpoints without authentication, causing significant problems with security.

    Consequence
    Successful exploitation would lead to information disclosure, which can help the attacker carry out further attacks and obtain sensitive information.

    Solution
    Make sure you only enable the Spring Boot Actuator endpoints that you really need and restrict access to these endpoints. It's recommended to enable security for Spring Boot Actuator endpoints using the following configuration (in the Spring properties file): management.security.enabled=true
  • CVE-2022-3387
    QID: 591181
    Recently Published

    Advantech R-SeeNet Multiple Vulnerabilities (ICSA-22-291-01) (CVE-2022-3387)

    Severity
    Serious3
    Qualys ID
    591181
    Date Published
    November 24, 2022
    Vendor Reference
    ICSA-22-291-01
    CVE Reference
    CVE-2022-3387
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description

    AFFECTED PRODUCTS
    The following versions of R-SeeNet, a monitoring application, are affected:
    R-SeeNet Version 2.4.19 and prior

    QID Detection Logic (Authenticated)
    The QID checks for the vulnerable version using Windows registry keys.

    Consequence
    Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-22-291-01 for affected packages and patching details.

    Patches
    ICSA-22-291-01
  • CVE-2021-31894
    QID: 591174
    Recently Published

    Siemens SIMATIC PCS 7, Step 7, Starter Incorrect Permission Assignment Vulnerability (SSA-661034)

    Severity
    Critical4
    Qualys ID
    591174
    Date Published
    November 24, 2022
    Vendor Reference
    SSA-661034
    CVE Reference
    CVE-2021-31894
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description

    AFFECTED PRODUCTS
    The following Siemens products are affected:
    SIMATIC PCS 7 V8.2 and earlier: All versions
    SIMATIC STEP 7 V5.X: All versions prior to V5.7
    SINAMICS STARTER (containing STEP 7 OEM version): All versions prior to V5.4 SP2 HF1

    QID Detection Logic (Authenticated):
    The QID checks for the vulnerable version of the Siemens product using the registry key "HKLM\SOFTWARE\Siemens".

    Consequence
    Successful exploitation of this vulnerability could allow an attacker to change the content of certain metafiles and subsequently manipulate the parameters or behavior of devices configured by the affected software products.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section SSA-661034 for affected packages and patching details.

    Workaround:
    The vendor has advised restricting access to the engineering station to trusted users only.

    Patches
    SSA-661034
  • CVE-2020-14521
    QID: 591145
    Recently Published

    Mitsubishi Electric Factory Automation Engineering Products (Update H) Denial of Service (DoS) Vulnerability (ICSA-20-212-04)

    Severity
    Urgent5
    Qualys ID
    591145
    Date Published
    November 24, 2022
    Vendor Reference
    icsa-20-212-04
    CVE Reference
    CVE-2020-14521
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    AFFECTED PRODUCTS
    The following products and versions are affected:
    M_CommDTM-IO-Link, Versions 1.03D and prior versions
    MELSOFT iQ AppPortal 1.17T and prior versions

    QID Detection Logic (Authenticated)
    QID checks for the vulnerable version using Windows registry keys.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to obtain unauthorized information, modify information, and cause a denial-of-service condition.
    Solution

    Customers are advised to refer to CERT MITIGATIONS section ICSA-20-212-04 for affected packages and patching details.

    Patches
    icsa-20-212-04
  • CVE-2022-45408+
    QID: 940848
    Recently Published

    AlmaLinux Security Update for firefox (ALSA-2022:8580)

    Severity
    Critical4
    Qualys ID
    940848
    Date Published
    November 23, 2022
    Vendor Reference
    ALSA-2022:8580
    CVE Reference
    CVE-2022-45408, CVE-2022-45416, CVE-2022-45409, CVE-2022-45405, CVE-2022-45410, CVE-2022-45412, CVE-2022-45420, CVE-2022-45404, CVE-2022-45411, CVE-2022-45418, CVE-2022-45403, CVE-2022-45421, CVE-2022-45406
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8580 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8580
  • CVE-2022-41741+
    QID: 181243
    Recently Published

    Debian Security Update for nginx (DLA 3203-1)

    Severity
    Critical4
    Qualys ID
    181243
    Date Published
    November 23, 2022
    Vendor Reference
    DLA 3203-1
    CVE Reference
    CVE-2022-41741, CVE-2021-3618, CVE-2022-41742
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released a security update for nginx to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3203-1 for updates and patch information.
    Patches
    Debian DLA 3203-1
  • CVE-2022-2085+
    QID: 710680
    Recently Published

    Gentoo Linux GPL Ghostscript Multiple Vulnerabilities (GLSA 202211-11)

    Severity
    Urgent5
    Qualys ID
    710680
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-11
    CVE Reference
    CVE-2022-2085, CVE-2021-3781
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    Gentoo has released a security update for gpl ghostscript to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-11 for updates and patch information.
    Patches
    Gentoo GLSA 202211-11
  • CVE-2022-45420+
    QID: 710686
    Recently Published

    Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202211-06)

    Severity
    Urgent5
    Qualys ID
    710686
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-06
    CVE Reference
    CVE-2022-45420, CVE-2022-40674, CVE-2022-45419, CVE-2022-45408, CVE-2022-45421, CVE-2022-45409, CVE-2022-45406, CVE-2022-45413, CVE-2022-45412, CVE-2022-45407, CVE-2022-45416, CVE-2022-45410, CVE-2022-45411, CVE-2022-45405, CVE-2022-45404, CVE-2022-45417, CVE-2022-45418, CVE-2022-45403, CVE-2022-45415
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Gentoo has released a security update for mozilla firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-06 for updates and patch information.
    Patches
    Gentoo GLSA 202211-06
  • CVE-2022-39377
    QID: 710685
    Recently Published

    Gentoo Linux sysstat Arbitrary Code Execution Vulnerability (GLSA 202211-07)

    Severity
    Urgent5
    Qualys ID
    710685
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-07
    CVE Reference
    CVE-2022-39377
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Gentoo has released a security update for sysstat to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-07 for updates and patch information.
    Patches
    Gentoo GLSA 202211-07
  • CVE-2022-31630+
    QID: 710684
    Recently Published

    Gentoo Linux Hypertext Preprocessor (PHP) Multiple Vulnerabilities (GLSA 202211-03)

    Severity
    Urgent5
    Qualys ID
    710684
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-03
    CVE Reference
    CVE-2022-31630, CVE-2022-31628, CVE-2022-31629, CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Gentoo has released a security update for php to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-03 for updates and patch information.
    Patches
    Gentoo GLSA 202211-03
  • CVE-2021-23437+
    QID: 710682
    Recently Published

    Gentoo Linux Pillow Multiple Vulnerabilities (GLSA 202211-10)

    Severity
    Urgent5
    Qualys ID
    710682
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-10
    CVE Reference
    CVE-2021-23437, CVE-2021-34552, CVE-2022-22815, CVE-2022-24303, CVE-2022-45199, CVE-2022-45198, CVE-2022-22817, CVE-2022-22816
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Gentoo has released a security update for pillow to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-10 for updates and patch information.
    Patches
    Gentoo GLSA 202211-10
  • CVE-2022-39319+
    QID: 199041
    Recently Published

    Ubuntu Security Notification for FreeRDP Vulnerabilities (USN-5734-1)

    Severity
    Urgent5
    Qualys ID
    199041
    Date Published
    November 23, 2022
    Vendor Reference
    USN-5734-1
    CVE Reference
    CVE-2022-39319, CVE-2022-39283, CVE-2022-39347, CVE-2022-39317, CVE-2022-39320, CVE-2022-39318, CVE-2022-39282, CVE-2022-39316
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Ubuntu has released a security update for freerdp to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5734-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5734-1
  • CVE-2022-26377+
    QID: 160309
    Recently Published

    Oracle Enterprise Linux Security Update for httpd (ELSA-2022-8067)

    Severity
    Urgent5
    Qualys ID
    160309
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8067
    CVE Reference
    CVE-2022-26377, CVE-2022-29404, CVE-2022-22719, CVE-2022-22721, CVE-2022-30556, CVE-2022-31813, CVE-2022-28615, CVE-2022-30522, CVE-2022-23943, CVE-2022-28614
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Enterprise Linux has released a security update for httpd to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8067
    Patches
    Oracle Linux ELSA-2022-8067
  • CVE-2022-31625+
    QID: 160289
    Recently Published

    Oracle Enterprise Linux Security Update for Hypertext Preprocessor (PHP) (ELSA-2022-8197)

    Severity
    Urgent5
    Qualys ID
    160289
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8197
    CVE Reference
    CVE-2022-31625, CVE-2021-21708
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Enterprise Linux has released a security update for php to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8197
    Patches
    Oracle Linux ELSA-2022-8197
  • CVE-2022-27405+
    QID: 160280
    Recently Published

    Oracle Enterprise Linux Security Update for freetype (ELSA-2022-8340)

    Severity
    Urgent5
    Qualys ID
    160280
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8340
    CVE Reference
    CVE-2022-27405, CVE-2022-27404, CVE-2022-27406
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Enterprise Linux has released a security update for freetype to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8340
    Patches
    Oracle Linux ELSA-2022-8340
  • CVE-2022-37434
    QID: 160264
    Recently Published

    Oracle Enterprise Linux Security Update for rsync (ELSA-2022-8291)

    Severity
    Urgent5
    Qualys ID
    160264
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8291
    CVE Reference
    CVE-2022-37434
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Enterprise Linux has released a security update for rsync security and bug fix update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8291
    Patches
    Oracle Linux ELSA-2022-8291
  • CVE-2021-3677+
    QID: 710683
    Recently Published

    Gentoo Linux PostgreSQL Multiple Vulnerabilities (GLSA 202211-04)

    Severity
    Critical4
    Qualys ID
    710683
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-04
    CVE Reference
    CVE-2021-3677, CVE-2021-23222, CVE-2022-2625, CVE-2021-32027, CVE-2021-32028, CVE-2021-23214, CVE-2022-1552
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Gentoo has released a security update for postgresql to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-04 for updates and patch information.
    Patches
    Gentoo GLSA 202211-04
  • CVE-2022-1049
    QID: 160316
    Recently Published

    Oracle Enterprise Linux Security Update for pcs (ELSA-2022-10007)

    Severity
    Critical4
    Qualys ID
    160316
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-10007
    CVE Reference
    CVE-2022-1049
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Enterprise Linux has released a security update for pcs to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-10007
    Patches
    Oracle Linux ELSA-2022-10007
  • CVE-2022-26709+
    QID: 160305
    Recently Published

    Oracle Enterprise Linux Security Update for webkit2gtk3 (ELSA-2022-8054)

    Severity
    Critical4
    Qualys ID
    160305
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8054
    CVE Reference
    CVE-2022-26709, CVE-2022-22629, CVE-2022-22624, CVE-2022-26717, CVE-2022-26716, CVE-2022-26700, CVE-2022-30293, CVE-2022-26719, CVE-2022-26710, CVE-2022-22628, CVE-2022-22662
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Enterprise Linux has released a security update for webkit2gtk3 security and bug fix update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8054
    Patches
    Oracle Linux ELSA-2022-8054
  • CVE-2022-21713+
    QID: 160278
    Recently Published

    Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)

    Severity
    Critical4
    Qualys ID
    160278
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8057
    CVE Reference
    CVE-2022-21713, CVE-2022-21673, CVE-2022-30631, CVE-2022-1705, CVE-2022-30630, CVE-2022-21703, CVE-2022-21702, CVE-2022-28131, CVE-2022-30635, CVE-2022-32148, CVE-2022-1962, CVE-2021-23648, CVE-2022-21698, CVE-2022-30632, CVE-2022-30633
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Enterprise Linux has released a security update for grafana to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8057
    Patches
    Oracle Linux ELSA-2022-8057
  • CVE-2022-30550
    QID: 160276
    Recently Published

    Oracle Enterprise Linux Security Update for dovecot security and enhancement update (ELSA-2022-8208)

    Severity
    Critical4
    Qualys ID
    160276
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8208
    CVE Reference
    CVE-2022-30550
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Enterprise Linux has released a security update for dovecot security and enhancement update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8208
    Patches
    Oracle Linux ELSA-2022-8208
  • CVE-2022-45409+
    QID: 940847
    Recently Published

    AlmaLinux Security Update for thunderbird (ALSA-2022:8561)

    Severity
    Critical4
    Qualys ID
    940847
    Date Published
    November 23, 2022
    Vendor Reference
    ALSA-2022:8561
    CVE Reference
    CVE-2022-45409, CVE-2022-45418, CVE-2022-45405, CVE-2022-45412, CVE-2022-45403, CVE-2022-45404, CVE-2022-45406, CVE-2022-45411, CVE-2022-45421, CVE-2022-45410, CVE-2022-45420, CVE-2022-45416, CVE-2022-45408
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8561 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8561
  • CVE-2022-45408+
    QID: 710687
    Recently Published

    Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202211-05)

    Severity
    Critical4
    Qualys ID
    710687
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-05
    CVE Reference
    CVE-2022-45408, CVE-2022-45412, CVE-2022-45404, CVE-2022-45421, CVE-2022-45409, CVE-2022-45418, CVE-2022-45416, CVE-2022-45420, CVE-2022-45406, CVE-2022-45403, CVE-2022-45410, CVE-2022-45411, CVE-2022-45405
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Gentoo has released a security update for mozilla thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-05 for updates and patch information.
    Patches
    Gentoo GLSA 202211-05
  • CVE-2022-41925
    QID: 690993
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for tailscale (e0f26ac5-6a17-11ed-93e7-901b0e9408dc)

    Severity
    Critical4
    Qualys ID
    690993
    Date Published
    November 23, 2022
    Vendor Reference
    e0f26ac5-6a17-11ed-93e7-901b0e9408dc
    CVE Reference
    CVE-2022-41925
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    FreeBSD has released a security update for tailscale to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory e0f26ac5-6a17-11ed-93e7-901b0e9408dc for updates and patch information.
    Patches
    FreeBSD e0f26ac5-6a17-11ed-93e7-901b0e9408dc
  • CVE-2022-42898
    QID: 283334
    Recently Published

    Fedora Security Update for krb5 (FEDORA-2022-88cefef88c)

    Severity
    Critical4
    Qualys ID
    283334
    Date Published
    November 23, 2022
    Vendor Reference
    FEDORA-2022-88cefef88c
    CVE Reference
    CVE-2022-42898
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for krb5 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-88cefef88c
  • CVE-2022-42898
    QID: 283333
    Recently Published

    Fedora Security Update for krb5 (FEDORA-2022-78038a4441)

    Severity
    Critical4
    Qualys ID
    283333
    Date Published
    November 23, 2022
    Vendor Reference
    FEDORA-2022-78038a4441
    CVE Reference
    CVE-2022-42898
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for krb5 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-78038a4441
  • CVE-2022-42898
    QID: 283332
    Recently Published

    Fedora Security Update for samba (FEDORA-2022-d680c70ebe)

    Severity
    Critical4
    Qualys ID
    283332
    Date Published
    November 23, 2022
    Vendor Reference
    FEDORA-2022-d680c70ebe
    CVE Reference
    CVE-2022-42898
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for samba to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-d680c70ebe
  • CVE-2022-45403+
    QID: 240938
    Recently Published

    Red Hat Update for firefox (RHSA-2022:8580)

    Severity
    Critical4
    Qualys ID
    240938
    Date Published
    November 23, 2022
    Vendor Reference
    RHSA-2022:8580
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability...
    Security Fix(es):
      Mozilla: service workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: fullscreen notification bypass (CVE-2022-45404).
      Mozilla: use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: use-after-free of a JavaScript realm (CVE-2022-45406).
      Mozilla: fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: iframe contents could be rendered outside the iframe (CVE-2022-45420).

      Red Hat Enterprise Linux for x86_64 9 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 9 s390x.
      Red Hat Enterprise Linux for Power, little endian 9 ppc64le.
      Red Hat Enterprise Linux for ARM 64 9 aarch64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8580 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8580
  • CVE-2022-45412+
    QID: 160321
    Recently Published

    Oracle Enterprise Linux Security Update for firefox (ELSA-2022-8554)

    Severity
    Critical4
    Qualys ID
    160321
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8554
    CVE Reference
    CVE-2022-45412, CVE-2022-45408, CVE-2022-45420, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45416, CVE-2022-45421, CVE-2022-45403, CVE-2022-45410, CVE-2022-45409, CVE-2022-45418, CVE-2022-45411
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for firefox to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8554
    Patches
    Oracle Linux ELSA-2022-8554
  • CVE-2022-45412+
    QID: 160319
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-8547)

    Severity
    Critical4
    Qualys ID
    160319
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8547
    CVE Reference
    CVE-2022-45412, CVE-2022-45404, CVE-2022-45408, CVE-2022-45420, CVE-2022-45406, CVE-2022-45405, CVE-2022-45416, CVE-2022-45421, CVE-2022-45403, CVE-2022-45410, CVE-2022-45409, CVE-2022-45418, CVE-2022-45411
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8547
    Patches
    Oracle Linux ELSA-2022-8547
  • CVE-2022-0396+
    QID: 160313
    Recently Published

    Oracle Enterprise Linux Security Update for bind (ELSA-2022-8068)

    Severity
    Critical4
    Qualys ID
    160313
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8068
    CVE Reference
    CVE-2022-0396, CVE-2021-25220
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for bind to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8068
    Patches
    Oracle Linux ELSA-2022-8068
  • CVE-2022-2132+
    QID: 160307
    Recently Published

    Oracle Enterprise Linux Security Update for dpdk (ELSA-2022-8263)

    Severity
    Critical4
    Qualys ID
    160307
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8263
    CVE Reference
    CVE-2022-2132, CVE-2022-28199, CVE-2021-3839
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for dpdk security and bug fix update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8263
    Patches
    Oracle Linux ELSA-2022-8263
  • CVE-2021-25220
    QID: 160287
    Recently Published

    Oracle Enterprise Linux Security Update for dhcp security and enhancement update (ELSA-2022-8385)

    Severity
    Critical4
    Qualys ID
    160287
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8385
    CVE Reference
    CVE-2021-25220
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for dhcp security and enhancement update to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8385
    Patches
    Oracle Linux ELSA-2022-8385
  • CVE-2021-3611+
    QID: 160273
    Recently Published

    Oracle Enterprise Linux Security Update for qemu-kvm (ELSA-2022-7967)

    Severity
    Critical4
    Qualys ID
    160273
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7967
    CVE Reference
    CVE-2021-3611, CVE-2021-4158, CVE-2021-3750, CVE-2021-3507
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Oracle Enterprise Linux has released a security update for qemu-kvm to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7967
    Patches
    Oracle Linux ELSA-2022-7967
  • CVE-2022-42919
    QID: 283335
    Recently Published

    Fedora Security Update for python3.10 (FEDORA-2022-462f39dd2f)

    Severity
    Critical4
    Qualys ID
    283335
    Date Published
    November 23, 2022
    Vendor Reference
    FEDORA-2022-462f39dd2f
    CVE Reference
    CVE-2022-42919
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for python3.10 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-462f39dd2f
  • CVE-2021-31566+
    QID: 181241
    Recently Published

    Debian Security Update for libarchive (DLA 3202-1)

    Severity
    Critical 4
    Qualys ID
    181241
    Date Published
    November 23, 2022
    Vendor Reference
    DLA 3202-1
    CVE Reference
    CVE-2021-31566, CVE-2019-19221, CVE-2021-23177
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released a security update for libarchive to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3202-1 for updates and patch information.
    Patches
    Debian DLA 3202-1
  • CVE-2022-42919
    QID: 160320
    Recently Published

    Oracle Enterprise Linux Security Update for python39:3.9 (ELSA-2022-8492)

    Severity
    Critical 4
    Qualys ID
    160320
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8492
    CVE Reference
    CVE-2022-42919
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for python39:3.9 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8492
    Patches
    Oracle Linux ELSA-2022-8492
  • CVE-2022-29162
    QID: 160310
    Recently Published

    Oracle Enterprise Linux Security Update for runc (ELSA-2022-8090)

    Severity
    Critical 4
    Qualys ID
    160310
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8090
    CVE Reference
    CVE-2022-29162
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for runc to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8090
    Patches
    Oracle Linux ELSA-2022-8090
  • CVE-2022-25309+
    QID: 160304
    Recently Published

    Oracle Enterprise Linux Security Update for fribidi (ELSA-2022-8011)

    Severity
    Critical 4
    Qualys ID
    160304
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8011
    CVE Reference
    CVE-2022-25309, CVE-2022-25308, CVE-2022-25310
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for fribidi to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8011
    Patches
    Oracle Linux ELSA-2022-8011
  • CVE-2022-2319+
    QID: 160298
    Recently Published

    Oracle Enterprise Linux Security Update for xorg-x11-server-xwayland (ELSA-2022-8222)

    Severity
    Critical 4
    Qualys ID
    160298
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8222
    CVE Reference
    CVE-2022-2319, CVE-2022-2320
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for xorg-x11-server-xwayland to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8222
    Patches
    Oracle Linux ELSA-2022-8222
  • CVE-2022-26125
    QID: 160297
    Recently Published

    Oracle Enterprise Linux Security Update for frr (ELSA-2022-8112)

    Severity
    Critical 4
    Qualys ID
    160297
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8112
    CVE Reference
    CVE-2022-26125
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for frr to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8112
    Patches
    Oracle Linux ELSA-2022-8112
  • CVE-2022-1304
    QID: 160283
    Recently Published

    Oracle Enterprise Linux Security Update for e2fsprogs (ELSA-2022-8361)

    Severity
    Critical 4
    Qualys ID
    160283
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8361
    CVE Reference
    CVE-2022-1304
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for e2fsprogs to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8361
    Patches
    Oracle Linux ELSA-2022-8361
  • CVE-2022-24735+
    QID: 160274
    Recently Published

    Oracle Enterprise Linux Security Update for redis (ELSA-2022-8096)

    Severity
    Critical 4
    Qualys ID
    160274
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8096
    CVE Reference
    CVE-2022-24735, CVE-2022-24736
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security and bug fix update for redis to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8096
    Patches
    Oracle Linux ELSA-2022-8096
  • CVE-2022-1048+
    QID: 160270
    Recently Published

    Oracle Enterprise Linux Security Update for kernel (ELSA-2022-8267)

    Severity
    Critical 4
    Qualys ID
    160270
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8267
    CVE Reference
    CVE-2022-1048, CVE-2022-29581, CVE-2022-21123, CVE-2022-2639, CVE-2022-23825, CVE-2022-1353, CVE-2022-20368, CVE-2022-0854, CVE-2022-1998, CVE-2022-1280, CVE-2022-26373, CVE-2022-21125, CVE-2020-36516, CVE-2022-39190, CVE-2022-1679, CVE-2022-1184, CVE-2022-29900, CVE-2022-0617, CVE-2022-21499, CVE-2022-21166, CVE-2022-28893, CVE-2021-3640, CVE-2022-1852, CVE-2022-24448, CVE-2022-0168, CVE-2022-28390, CVE-2022-2586, CVE-2022-1016, CVE-2022-23816, CVE-2022-36946, CVE-2022-29901
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security update for kernel to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8267
    Patches
    Oracle Linux ELSA-2022-8267
  • CVE-2022-2319+
    QID: 160269
    Recently Published

    Oracle Enterprise Linux Security Update for xorg-x11-server (ELSA-2022-8221)

    Severity
    Critical 4
    Qualys ID
    160269
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8221
    CVE Reference
    CVE-2022-2319, CVE-2022-2320
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security and bug fix update for xorg-x11-server to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8221
    Patches
    Oracle Linux ELSA-2022-8221
  • CVE-2022-25255
    QID: 160265
    Recently Published

    Oracle Enterprise Linux Security Update for qt5 (ELSA-2022-8022)

    Severity
    Critical 4
    Qualys ID
    160265
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8022
    CVE Reference
    CVE-2022-25255
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Oracle Enterprise Linux has released a security and bug fix update for qt5 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8022
    Patches
    Oracle Linux ELSA-2022-8022
  • CVE-2021-28861+
    QID: 160271
    Recently Published

    Oracle Enterprise Linux Security Update for python3.9 (ELSA-2022-8353)

    Severity
    Critical 4
    Qualys ID
    160271
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8353
    CVE Reference
    CVE-2021-28861, CVE-2015-20107
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    Oracle Enterprise Linux has released a security update for python3.9 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8353
    Patches
    Oracle Linux ELSA-2022-8353
  • CVE-2022-42898+
    QID: 181242
    Recently Published

    Debian Security Update for heimdal (DSA 5287-1)

    Severity
    Critical 4
    Qualys ID
    181242
    Date Published
    November 23, 2022
    Vendor Reference
    DSA 5287-1
    CVE Reference
    CVE-2022-42898, CVE-2022-41916, CVE-2022-3437, CVE-2021-3671, CVE-2021-44758, CVE-2022-44640
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released a security update for heimdal to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DSA 5287-1 for updates and patch information.
    Patches
    Debian DSA 5287-1
  • CVE-2022-27775
    QID: 160308
    Recently Published

    Oracle Enterprise Linux Security Update for curl (ELSA-2022-8299)

    Severity
    Critical 4
    Qualys ID
    160308
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8299
    CVE Reference
    CVE-2022-27775
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for curl to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8299
    Patches
    Oracle Linux ELSA-2022-8299
  • CVE-2022-30631+
    QID: 160306
    Recently Published

    Oracle Enterprise Linux Security Update for grafana-pcp (ELSA-2022-8250)

    Severity
    Critical 4
    Qualys ID
    160306
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8250
    CVE Reference
    CVE-2022-30631, CVE-2022-1705, CVE-2022-30630, CVE-2022-30635, CVE-2022-32148, CVE-2022-30632
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for grafana-pcp to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8250
    Patches
    Oracle Linux ELSA-2022-8250
  • CVE-2022-0996+
    QID: 160301
    Recently Published

    Oracle Enterprise Linux Security Update for 389-ds-base (ELSA-2022-8162)

    Severity
    Critical 4
    Qualys ID
    160301
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8162
    CVE Reference
    CVE-2022-0996, CVE-2022-2850, CVE-2022-0918
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for 389-ds-base to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8162
    Patches
    Oracle Linux ELSA-2022-8162
  • CVE-2022-0934
    QID: 160296
    Recently Published

    Oracle Enterprise Linux Security Update for dnsmasq (ELSA-2022-8070)

    Severity
    Critical 4
    Qualys ID
    160296
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8070
    CVE Reference
    CVE-2022-0934
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security and bug fix update for dnsmasq to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8070
    Patches
    Oracle Linux ELSA-2022-8070
  • CVE-2022-32189
    QID: 160295
    Recently Published

    Oracle Enterprise Linux Security Update for image builder (ELSA-2022-7950)

    Severity
    Critical 4
    Qualys ID
    160295
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7950
    CVE Reference
    CVE-2022-32189
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for image builder to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7950
    Patches
    Oracle Linux ELSA-2022-7950
  • CVE-2021-34558+
    QID: 160293
    Recently Published

    Oracle Enterprise Linux Security Update for podman (ELSA-2022-7954)

    Severity
    Critical 4
    Qualys ID
    160293
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7954
    CVE Reference
    CVE-2021-34558, CVE-2020-28852, CVE-2020-28851, CVE-2021-33197, CVE-2021-20199, CVE-2022-27191, CVE-2021-20291, CVE-2021-4024
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security and bug fix update for podman to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7954
    Patches
    Oracle Linux ELSA-2022-7954
  • CVE-2022-24795
    QID: 160291
    Recently Published

    Oracle Enterprise Linux Security Update for yajl (ELSA-2022-8252)

    Severity
    Critical 4
    Qualys ID
    160291
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8252
    CVE Reference
    CVE-2022-24795
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for yajl to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8252
    Patches
    Oracle Linux ELSA-2022-8252
  • CVE-2022-2309
    QID: 160286
    Recently Published

    Oracle Enterprise Linux Security Update for python-lxml (ELSA-2022-8226)

    Severity
    Critical 4
    Qualys ID
    160286
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8226
    CVE Reference
    CVE-2022-2309
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for python-lxml to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8226
    Patches
    Oracle Linux ELSA-2022-8226
  • CVE-2021-33195+
    QID: 160285
    Recently Published

    Oracle Enterprise Linux Security Update for buildah (ELSA-2022-8008)

    Severity
    Critical 4
    Qualys ID
    160285
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8008
    CVE Reference
    CVE-2021-33195, CVE-2021-33198, CVE-2022-2990, CVE-2021-33197, CVE-2022-27191, CVE-2022-2989, CVE-2021-20291
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security and bug fix update for buildah to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8008
    Patches
    Oracle Linux ELSA-2022-8008
  • CVE-2021-20291+
    QID: 160277
    Recently Published

    Oracle Enterprise Linux Security Update for skopeo (ELSA-2022-7955)

    Severity
    Critical 4
    Qualys ID
    160277
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7955
    CVE Reference
    CVE-2021-20291, CVE-2021-33198
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security and bug fix update for skopeo to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7955
    Patches
    Oracle Linux ELSA-2022-7955
  • CVE-2021-46828
    QID: 160272
    Recently Published

    Oracle Enterprise Linux Security Update for libtirpc (ELSA-2022-8400)

    Severity
    Critical 4
    Qualys ID
    160272
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8400
    CVE Reference
    CVE-2021-46828
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for libtirpc to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8400
    Patches
    Oracle Linux ELSA-2022-8400
  • CVE-2018-25032
    QID: 160262
    Recently Published

    Oracle Enterprise Linux Security Update for mingw-zlib (ELSA-2022-8420)

    Severity
    Critical 4
    Qualys ID
    160262
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8420
    CVE Reference
    CVE-2018-25032
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Enterprise Linux has released a security update for mingw-zlib to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8420
    Patches
    Oracle Linux ELSA-2022-8420
  • CVE-2022-43995
    QID: 710681
    Recently Published

    Gentoo Linux sudo Heap-Based Buffer Overread Vulnerability (GLSA 202211-08)

    Severity
    Critical 4
    Qualys ID
    710681
    Date Published
    November 23, 2022
    Vendor Reference
    GLSA 202211-08
    CVE Reference
    CVE-2022-43995
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Gentoo has released a security update for sudo to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Gentoo security advisory GLSA 202211-08 for updates and patch information.
    Patches
    Gentoo GLSA 202211-08
  • CVE-2022-2990+
    QID: 160318
    Recently Published

    Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-7822)

    Severity
    Critical 4
    Qualys ID
    160318
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7822
    CVE Reference
    CVE-2022-2990, CVE-2022-2989
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Oracle Enterprise Linux has released a security update for container-tools:ol8 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7822
    Patches
    Oracle Linux ELSA-2022-7822
  • CVE-2022-22844+
    QID: 160275
    Recently Published

    Oracle Enterprise Linux Security Update for libtiff (ELSA-2022-8194)

    Severity
    Critical 4
    Qualys ID
    160275
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8194
    CVE Reference
    CVE-2022-22844, CVE-2022-0562, CVE-2022-1355, CVE-2022-0891, CVE-2022-1354, CVE-2022-0561, CVE-2022-0909, CVE-2022-0924, CVE-2022-0908, CVE-2022-0865
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Oracle Enterprise Linux has released a security update for libtiff to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8194
    Patches
    Oracle Linux ELSA-2022-8194
  • CVE-2022-1348
    QID: 160315
    Recently Published

    Oracle Enterprise Linux Security Update for logrotate (ELSA-2022-8393)

    Severity
    Serious 3
    Qualys ID
    160315
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8393
    CVE Reference
    CVE-2022-1348
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for logrotate to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8393
    Patches
    Oracle Linux ELSA-2022-8393
  • CVE-2022-30698+
    QID: 160302
    Recently Published

    Oracle Enterprise Linux Security Update for unbound (ELSA-2022-8062)

    Severity
    Serious 3
    Qualys ID
    160302
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8062
    CVE Reference
    CVE-2022-30698, CVE-2022-30699
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for unbound to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8062
    Patches
    Oracle Linux ELSA-2022-8062
  • CVE-2022-27337
    QID: 160300
    Recently Published

    Oracle Enterprise Linux Security Update for poppler (ELSA-2022-8151)

    Severity
    Serious 3
    Qualys ID
    160300
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8151
    CVE Reference
    CVE-2022-27337
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security and bug fix update for poppler to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8151
    Patches
    Oracle Linux ELSA-2022-8151
  • CVE-2022-1706
    QID: 160290
    Recently Published

    Oracle Enterprise Linux Security Update for ignition (ELSA-2022-8126)

    Severity
    Serious 3
    Qualys ID
    160290
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8126
    CVE Reference
    CVE-2022-1706
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for ignition to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8126
    Patches
    Oracle Linux ELSA-2022-8126
  • CVE-2022-2211
    QID: 160288
    Recently Published

    Oracle Enterprise Linux Security Update for virt-v2v (ELSA-2022-7968)

    Severity
    Serious 3
    Qualys ID
    160288
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7968
    CVE Reference
    CVE-2022-2211
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for virt-v2v to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7968
    Patches
    Oracle Linux ELSA-2022-7968
  • CVE-2022-2211
    QID: 160282
    Recently Published

    Oracle Enterprise Linux Security Update for guestfs-tools (ELSA-2022-7959)

    Severity
    Serious 3
    Qualys ID
    160282
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7959
    CVE Reference
    CVE-2022-2211
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for guestfs-tools to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7959
    Patches
    Oracle Linux ELSA-2022-7959
  • CVE-2022-2211
    QID: 160266
    Recently Published

    Oracle Enterprise Linux Security Update for libguestfs (ELSA-2022-7958)

    Severity
    Serious 3
    Qualys ID
    160266
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7958
    CVE Reference
    CVE-2022-2211
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Oracle Enterprise Linux has released a security update for libguestfs to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7958
    Patches
    Oracle Linux ELSA-2022-7958
  • CVE-2022-4095
    QID: 181240
    Recently Published

    Debian Security Update for linux (CVE-2022-4095)

    Severity
    Serious 3
    Qualys ID
    181240
    Date Published
    November 23, 2022
    Vendor Reference
    CVE-2022-4095
    CVE Reference
    CVE-2022-4095
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Debian has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory CVE-2022-4095 for updates and patch information.
    Patches
    Debian CVE-2022-4095
  • CVE-2021-46195
    QID: 160317
    Recently Published

    Oracle Enterprise Linux Security Update for mingw-gcc (ELSA-2022-8415)

    Severity
    Serious 3
    Qualys ID
    160317
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8415
    CVE Reference
    CVE-2021-46195
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security and bug fix update for mingw-gcc to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8415
    Patches
    Oracle Linux ELSA-2022-8415
  • CVE-2022-32990+
    QID: 160314
    Recently Published

    Oracle Enterprise Linux Security Update for gimp security and enhancement update (ELSA-2022-7978)

    Severity
    Serious 3
    Qualys ID
    160314
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7978
    CVE Reference
    CVE-2022-32990, CVE-2022-30067
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security and enhancement update for gimp to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7978
    Patches
    Oracle Linux ELSA-2022-7978
  • CVE-2020-23903
    QID: 160312
    Recently Published

    Oracle Enterprise Linux Security Update for speex (ELSA-2022-7979)

    Severity
    Serious 3
    Qualys ID
    160312
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7979
    CVE Reference
    CVE-2020-23903
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for speex to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7979
    Patches
    Oracle Linux ELSA-2022-7979
  • CVE-2021-44269
    QID: 160311
    Recently Published

    Oracle Enterprise Linux Security Update for wavpack (ELSA-2022-8139)

    Severity
    Serious 3
    Qualys ID
    160311
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8139
    CVE Reference
    CVE-2021-44269
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for wavpack to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8139
    Patches
    Oracle Linux ELSA-2022-8139
  • CVE-2021-0561
    QID: 160294
    Recently Published

    Oracle Enterprise Linux Security Update for flac (ELSA-2022-8078)

    Severity
    Serious 3
    Qualys ID
    160294
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8078
    CVE Reference
    CVE-2021-0561
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for flac to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8078
    Patches
    Oracle Linux ELSA-2022-8078
  • CVE-2022-1122
    QID: 160292
    Recently Published

    Oracle Enterprise Linux Security Update for openjpeg2 (ELSA-2022-8207)

    Severity
    Serious 3
    Qualys ID
    160292
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8207
    CVE Reference
    CVE-2022-1122
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for openjpeg2 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8207
    Patches
    Oracle Linux ELSA-2022-8207
  • CVE-2022-23645
    QID: 160279
    Recently Published

    Oracle Enterprise Linux Security Update for swtpm (ELSA-2022-8100)

    Severity
    Serious 3
    Qualys ID
    160279
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8100
    CVE Reference
    CVE-2022-23645
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security and bug fix update for swtpm to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8100
    Patches
    Oracle Linux ELSA-2022-8100
  • CVE-2021-22570
    QID: 160267
    Recently Published

    Oracle Enterprise Linux Security Update for protobuf (ELSA-2022-7970)

    Severity
    Serious 3
    Qualys ID
    160267
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-7970
    CVE Reference
    CVE-2021-22570
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for protobuf to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-7970
    Patches
    Oracle Linux ELSA-2022-7970
  • CVE-2022-33068
    QID: 160263
    Recently Published

    Oracle Enterprise Linux Security Update for harfbuzz (ELSA-2022-8384)

    Severity
    Serious 3
    Qualys ID
    160263
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8384
    CVE Reference
    CVE-2022-33068
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Oracle Enterprise Linux has released a security update for harfbuzz to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8384
    Patches
    Oracle Linux ELSA-2022-8384
  • CVE-2022-32746
    QID: 160268
    Recently Published

    Oracle Enterprise Linux Security Update for libldb (ELSA-2022-8318)

    Severity
    Serious 3
    Qualys ID
    160268
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8318
    CVE Reference
    CVE-2022-32746
    CVSS Scores
    Base 5.4 / Temporal 4.7
    Description
    Oracle Enterprise Linux has released a security update for libldb to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8318
    Patches
    Oracle Linux ELSA-2022-8318
  • CVE-2022-1328
    QID: 160299
    Recently Published

    Oracle Enterprise Linux Security Update for mutt (ELSA-2022-8219)

    Severity
    Serious 3
    Qualys ID
    160299
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8219
    CVE Reference
    CVE-2022-1328
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Oracle Enterprise Linux has released a security update for mutt to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8219
    Patches
    Oracle Linux ELSA-2022-8219
  • CVE-2021-28153
    QID: 160284
    Recently Published

    Oracle Enterprise Linux Security Update for mingw-glib2 (ELSA-2022-8418)

    Severity
    Serious 3
    Qualys ID
    160284
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8418
    CVE Reference
    CVE-2021-28153
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Oracle Enterprise Linux has released a security and bug fix update for mingw-glib2 to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8418
    Patches
    Oracle Linux ELSA-2022-8418
  • CVE-2022-32742
    QID: 160303
    Recently Published

    Oracle Enterprise Linux Security Update for samba (ELSA-2022-8317)

    Severity
    Medium 2
    Qualys ID
    160303
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8317
    CVE Reference
    CVE-2022-32742
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Oracle Enterprise Linux has released a security update for samba to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8317
    Patches
    Oracle Linux ELSA-2022-8317
  • CVE-2022-0897
    QID: 160281
    Recently Published

    Oracle Enterprise Linux Security Update for libvirt (ELSA-2022-8003)

    Severity
    Medium 2
    Qualys ID
    160281
    Date Published
    November 23, 2022
    Vendor Reference
    ELSA-2022-8003
    CVE Reference
    CVE-2022-0897
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    Oracle Enterprise Linux has released a security update for libvirt to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8003
    Patches
    Oracle Linux ELSA-2022-8003
  • CVE-2021-2035+
    QID: 20286
    Recently Published

    Oracle Database 19c OJVM Critical Patch Update - January 2021

    Severity
    Critical 4
    Qualys ID
    20286
    Date Published
    November 23, 2022
    Vendor Reference
    CPUJAN2021
    CVE Reference
    CVE-2021-2035, CVE-2021-2018, CVE-2021-2054, CVE-2021-1993, CVE-2021-2045, CVE-2021-2000, CVE-2020-10878, CVE-2020-10543, CVE-2020-12723
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    OJVM Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the DBA_REGISTRY_SQLPATCH table for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.
    Solution
    Customers are requested to refer to CPUJAN2021 to obtain details about how to deploy the update.
    Patches
    CPUJAN2021
  • QID: 377790
    Recently Published

    F5 BIG-IP improvements (K05403841)

    Severity
    Critical 4
    Qualys ID
    377790
    Date Published
    November 23, 2022
    Vendor Reference
    K05403841
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description

    Vulnerable Component: BIG-IP ASM, LTM, APM

    Affected Versions:
    17.0.0
    16.1.0 - 16.1.3
    15.1.0 - 15.1.8
    14.1.0 - 14.1.5
    13.1.0 - 13.1.5

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    While an attacker with Advanced Shell (bash) access to the BIG-IP or BIG-IQ system may be able to use these issues to execute arbitrary system commands, create or delete files, or disable services, F5 knows of no ways an attacker would be able to take advantage of these issues at this time. In default, recommended or supported deployments, only Administrator role users and the root user are granted bash access on the BIG-IP or BIG-IQ system, and these users already have full access to the local system.

    Solution
    For more information about patch details, please refer to K05403841.
    Patches
    K05403841
  • CVE-2022-20947
    QID: 317277
    Recently Published

    Cisco Adaptive Security Appliance (ASA) Software Dynamic Access Policies Denial of Service (DoS) Vulnerability (cisco-sa-asa-ftd-dap-dos-GhYZBxDU)

    Severity
    Critical 4
    Qualys ID
    317277
    Date Published
    November 23, 2022
    Vendor Reference
    cisco-sa-asa-ftd-dap-dos-GhYZBxDU
    CVE Reference
    CVE-2022-20947
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    A vulnerability in the dynamic access policies (DAP) functionality of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

    This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software and all of the following conditions are true:
    Remote access SSL VPN is enabled.
    HostScan is enabled.
    At least one custom DAP is configured.

    Affected Versions
    From 9.6.1 Prior to 9.8.4.44
    From 9.9.1 Prior to 9.12.4.38
    From 9.13.1 Prior to 9.14.3.18
    From 9.15.1 Prior to 9.15.1.21
    From 9.16.1 Prior to 9.16.2.13
    From 9.17.1 Prior to 9.17.1.13

    QID Detection Logic (Authenticated):
    The check matches the Cisco ASA OS version retrieved via Unix Auth using the "version" command.

    Consequence
    A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

    Solution

    Customers are advised to refer to cisco-sa-asa-ftd-dap-dos-GhYZBxDU#fs for more information.

    Patches
    cisco-sa-asa-ftd-dap-dos-GhYZBxDU#fs
  • CVE-2021-33149
    QID: 377791
    Recently Published

    F5 BIG-IP Intel processor Vulnerability cve-2021-33149 (K11601010)

    Severity
    Serious 3
    Qualys ID
    377791
    Date Published
    November 23, 2022
    Vendor Reference
    K11601010
    CVE Reference
    CVE-2021-33149
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Observable behavioral discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access (CVE-2021-33149).

    Vulnerable Component: BIG-IP ASM, LTM, APM

    Affected Versions:
    17.0.0
    16.1.0 - 16.1.3
    15.1.0 - 15.1.7
    14.1.0 - 14.1.5
    13.1.0 - 13.1.5

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    This vulnerability may allow an authorized user to potentially enable information disclosure through local access.

    Solution
    For more information about patch details, please refer to K11601010.
    Patches
    K11601010
  • CVE-2022-20938
    QID: 317278
    Recently Published

    Cisco Firepower Management Center (FMC) Software Extensible Markup Language (XML) External Entity (XXE) Injection Vulnerability (cisco-sa-fmc-xxe-MzPC4bYd)

    Severity
    Serious 3
    Qualys ID
    317278
    Date Published
    November 23, 2022
    Vendor Reference
    cisco-sa-fmc-xxe-MzPC4bYd
    CVE Reference
    CVE-2022-20938
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information.

    Affected Products
    This vulnerability affects Cisco products if they are running a vulnerable release of Cisco FMC Software.
    6.1.0 prior to version 6.4.0.16
    6.5.0 prior to version 6.6.7
    6.7.0 prior to version 7.0.5
    7.1.0 prior to version 7.2.0

    QID Detection Logic (Authenticated):
    This QID checks the version retrieved via Unix Auth using the "show version" command.

    Consequence
    A successful exploit could allow the attacker to read sensitive data that would normally not be revealed.

    Solution

    Customers are advised to refer to cisco-sa-fmc-xxe-MzPC4bYd for more information.

    Patches
    cisco-sa-fmc-xxe-MzPC4bYd
  • CVE-2021-2351+
    QID: 20279
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - July 2021

    Severity
    Urgent 5
    Qualys ID
    20279
    Date Published
    November 23, 2022
    Vendor Reference
    CPUJUL2021
    CVE Reference
    CVE-2021-2351, CVE-2021-2328, CVE-2021-2329, CVE-2021-2337, CVE-2020-27193, CVE-2020-26870, CVE-2021-2460, CVE-2021-2333, CVE-2019-17545, CVE-2021-2330, CVE-2020-7760, CVE-2021-2438, CVE-2021-2334, CVE-2021-2335, CVE-2021-2336
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the DBA_REGISTRY_SQLPATCH table for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2021 to obtain details about how to deploy the update.

    Patches
    CPUJUL2021
  • CVE-2021-2207+
    QID: 20278
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - April 2021

    Severity
    Critical 4
    Qualys ID
    20278
    Date Published
    November 23, 2022
    Vendor Reference
    CPUAPR2021
    CVE Reference
    CVE-2021-2207, CVE-2021-2175, CVE-2021-2173, CVE-2019-3738, CVE-2019-3739, CVE-2019-3740, CVE-2020-5360, CVE-2020-17527, CVE-2020-13943, CVE-2020-9484, CVE-2021-2245, CVE-2021-2234
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the DBA_REGISTRY_SQLPATCH table for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUAPR2021 to obtain details about how to deploy the update.

    Patches
    CPUAPR2021
  • CVE-2021-35619+
    QID: 20276
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - October 2021

    Severity
    Critical 4
    Qualys ID
    20276
    Date Published
    November 23, 2022
    Vendor Reference
    CPUOCT21
    CVE Reference
    CVE-2021-35619, CVE-2021-2332, CVE-2021-35551, CVE-2021-35557, CVE-2021-35558, CVE-2021-35576, CVE-2021-29425, CVE-2021-35579, CVE-2020-27824, CVE-2021-25122
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the DBA_REGISTRY_SQLPATCH table for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUOCT2021 to obtain details about how to deploy the update.

    Patches
    CPUOCT21
  • CVE-2022-20928
    QID: 317270
    Recently Published

    Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software Virtual Private Network (VPN) Authorization Bypass Vulnerability (cisco-sa-asa-ftd-vp-authz-N2GckjN6)

    Severity
    Serious 3
    Qualys ID
    317270
    Date Published
    November 23, 2022
    Vendor Reference
    cisco-sa-asa-ftd-vp-authz-N2GckjN6
    CVE Reference
    CVE-2022-20928
    CVSS Scores
    Base 5.8 / Temporal 5.1
    Description
    A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user.

    Note: This QID does not check whether "VPN with multi-factor authentication (MFA) enabled" applies, so its Vuln Category is kept as Practice.

    Affected Products
    At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco ASA Software or Cisco FTD Software and had VPN with multi-factor authentication (MFA) enabled.
    From 9.6.1 Prior to 9.8.4.46
    From 9.9.1 Prior to 9.12.4.40
    From 9.13.1 Prior to 9.14.4.7
    From 9.15.1 Prior to 9.16.3
    From 9.17.1 Prior to 9.17.1.9

    QID Detection Logic (Authenticated):
    The check matches the Cisco ASA OS version retrieved via Unix Auth using the "version" command.

    Consequence
    A successful exploit could allow the attacker to establish a VPN connection with access privileges from a different user.
    Solution

    Customers are advised to refer to cisco-sa-asa-ftd-vp-authz-N2GckjN6 for more information.

    Patches
    cisco-sa-asa-ftd-vp-authz-N2GckjN6
  • CVE-2021-43980
    QID: 730650
    Recently Published

    Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)

    Severity
    Critical 4
    Qualys ID
    730650
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.1.0-M14
    CVE Reference
    CVE-2021-43980
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

    Affected versions:
    Apache Tomcat 10.1.0-M1 to 10.1.0-M12

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2021-43980
    QID: 730647
    Recently Published

    Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)

    Severity
    Critical 4
    Qualys ID
    730647
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.0.20
    CVE Reference
    CVE-2021-43980
    CVSS Scores
    Base 3.7 / Temporal 3.2
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

    Affected versions:
    Apache Tomcat 10.0.0-M1 to 10.0.18

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-42252
    QID: 730648
    Recently Published

    Apache Tomcat request smuggling Vulnerability (CVE-2022-42252)

    Severity
    Medium 2
    Qualys ID
    730648
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.1.1
    CVE Reference
    CVE-2022-42252
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

    Affected versions:
    Apache Tomcat 10.1.0-M1 to 10.1.0

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-42252
    QID: 730644
    Recently Published

    Apache Tomcat request smuggling Vulnerability (CVE-2022-42252)

    Severity
    Medium 2
    Qualys ID
    730644
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.0.27
    CVE Reference
    CVE-2022-42252
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

    Affected versions:
    Apache Tomcat 10.0.0-M1 to 10.0.26

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-23181+
    QID: 730651
    Recently Published

    Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)

    Severity
    Medium 2
    Qualys ID
    730651
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.1.0-M10
    CVE Reference
    CVE-2022-23181, CVE-2020-9484
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

    Affected versions:
    Apache Tomcat 10.1.0-M1 to 10.1.0-M8

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2020-9484+
    QID: 730646
    Recently Published

    Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)

    Severity
    Medium 2
    Qualys ID
    730646
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.0.16
    CVE Reference
    CVE-2020-9484, CVE-2022-23181
    CVSS Scores
    Base 7 / Temporal 6.1
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

    Affected versions:
    Apache Tomcat 10.0.0-M5 to 10.0.14

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-34305
    QID: 730649
    Recently Published

    Apache Tomcat Cross-Site Scripting (XSS) in examples web application Vulnerability (CVE-2022-34305)

    Severity
    Medium 2
    Qualys ID
    730649
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.1.0-M17
    CVE Reference
    CVE-2022-34305
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

    Affected versions:
    Apache Tomcat 10.1.0-M1 to 10.1.0-M16

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-34305
    QID: 730645
    Recently Published

    Apache Tomcat Cross-Site Scripting (XSS) in examples web application Vulnerability (CVE-2022-34305)

    Severity
    Medium 2
    Qualys ID
    730645
    Date Published
    November 23, 2022
    Vendor Reference
    Apache_Tomcat_10.0.23
    CVE Reference
    CVE-2022-34305
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

    The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

    Affected versions:
    Apache Tomcat 10.0.0-M1 to 10.0.22

    QID Detection Logic (Unauthenticated):
    This QID sends an HTTP GET request to an invalid URL and, based on the response, confirms the vulnerable instance of Apache Tomcat running on the host.

    Consequence
    Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

    Solution
    Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory.

    Patches
    Apache Tomcat
  • CVE-2022-41853
    QID: 160259
    Recently Published

    Oracle Enterprise Linux Security Update for hsqldb (ELSA-2022-8560)

    Severity
    Urgent 5
    Qualys ID
    160259
    Date Published
    November 22, 2022
    Vendor Reference
    ELSA-2022-8560
    CVE Reference
    CVE-2022-41853
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Enterprise Linux has released a security update for hsqldb to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8560
    Patches
    Oracle Linux ELSA-2022-8560
  • CVE-2022-45409+
    QID: 940846
    Recently Published

    AlmaLinux Security Update for firefox (ALSA-2022:8554)

    Severity
    Critical 4
    Qualys ID
    940846
    Date Published
    November 22, 2022
    Vendor Reference
    ALSA-2022:8554
    CVE Reference
    CVE-2022-45409, CVE-2022-45418, CVE-2022-45405, CVE-2022-45412, CVE-2022-45403, CVE-2022-45404, CVE-2022-45406, CVE-2022-45411, CVE-2022-45421, CVE-2022-45410, CVE-2022-45420, CVE-2022-45416, CVE-2022-45408
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8554 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8554
  • CVE-2022-45409+
    QID: 940845
    Recently Published

    AlmaLinux Security Update for thunderbird (ALSA-2022:8547)

    Severity
    Critical 4
    Qualys ID
    940845
    Date Published
    November 22, 2022
    Vendor Reference
    ALSA-2022:8547
    CVE Reference
    CVE-2022-45409, CVE-2022-45418, CVE-2022-45405, CVE-2022-45412, CVE-2022-45403, CVE-2022-45404, CVE-2022-45406, CVE-2022-45411, CVE-2022-45421, CVE-2022-45410, CVE-2022-45420, CVE-2022-45416, CVE-2022-45408
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for thunderbird to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8547 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8547
  • CVE-2022-45409+
    QID: 160261
    Recently Published

    Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-8555)

    Severity
    Critical 4
    Qualys ID
    160261
    Date Published
    November 22, 2022
    Vendor Reference
    ELSA-2022-8555
    CVE Reference
    CVE-2022-45409, CVE-2022-45418, CVE-2022-45405, CVE-2022-45412, CVE-2022-45403, CVE-2022-45404, CVE-2022-45421, CVE-2022-45406, CVE-2022-45411, CVE-2022-45410, CVE-2022-45420, CVE-2022-45416, CVE-2022-45408
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for thunderbird to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8555
    Patches
    Oracle Linux ELSA-2022-8555
  • CVE-2022-45409+
    QID: 160260
    Recently Published

    Oracle Enterprise Linux Security Update for firefox (ELSA-2022-8552)

    Severity
    Critical 4
    Qualys ID
    160260
    Date Published
    November 22, 2022
    Vendor Reference
    ELSA-2022-8552
    CVE Reference
    CVE-2022-45409, CVE-2022-45418, CVE-2022-45412, CVE-2022-45405, CVE-2022-45403, CVE-2022-45404, CVE-2022-45406, CVE-2022-45411, CVE-2022-45421, CVE-2022-45410, CVE-2022-45420, CVE-2022-45416, CVE-2022-45408
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Oracle Enterprise Linux has released a security update for firefox to fix the vulnerabilities.
    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to the Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2022-8552
    Patches
    Oracle Linux ELSA-2022-8552
  • CVE-2022-37454
    QID: 283331
    Recently Published

    Fedora Security Update for python3.6 (FEDORA-2022-104076b1d8)

    Severity
    Urgent 5
    Qualys ID
    283331
    Date Published
    November 22, 2022
    Vendor Reference
    FEDORA-2022-104076b1d8
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.6 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-104076b1d8
  • CVE-2022-37454
    QID: 283330
    Recently Published

    Fedora Security Update for python3.6 (FEDORA-2022-004b185fa4)

    Severity
    Urgent 5
    Qualys ID
    283330
    Date Published
    November 22, 2022
    Vendor Reference
    FEDORA-2022-004b185fa4
    CVE Reference
    CVE-2022-37454
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for python3.6 to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-004b185fa4
  • CVE-2022-41853
    QID: 240937
    Recently Published

    Red Hat Update for hsqldb (RHSA-2022:8560)

    Severity
    Urgent 5
    Qualys ID
    240937
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8560
    CVE Reference
    CVE-2022-41853
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The hsqldb packages provide a relational database management system written in Java.
    The Hyper Structured Query Language Database (HSQLDB) contains a JDBC driver to support a subset of ANSI-92 SQL...
    Security Fix(es):
      hsqldb: untrusted input may lead to RCE attack (CVE-2022-41853).
    Affected Products:
      Red Hat Enterprise Linux Server 7 x86_64.
      Red Hat Enterprise Linux Workstation 7 x86_64.
      Red Hat Enterprise Linux Desktop 7 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 7 s390x.
      Red Hat Enterprise Linux for Power, big endian 7 ppc64.
      Red Hat Enterprise Linux for Scientific Computing 7 x86_64.
      Red Hat Enterprise Linux for Power, little endian 7 ppc64le.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8560 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8560
  • CVE-2022-3373+
    QID: 502601
    Recently Published

    Alpine Linux Security Update for qt5-qtwebengine

    Severity
    Urgent 5
    Qualys ID
    502601
    Date Published
    November 22, 2022
    Vendor Reference
    qt5-qtwebengine
    CVE Reference
    CVE-2022-3373, CVE-2022-3445, CVE-2022-3885, CVE-2022-3887, CVE-2022-3889, CVE-2022-3890
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Alpine Linux has released a security update for qt5-qtwebengine to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.16


    Affected Package versions prior to 5.15.3_git20220505-r5.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory qt5-qtwebengine for updates and patch information.
    Patches
    Alpine Linux qt5-qtwebengine-5.15.3_git20220505-r5
  • CVE-2022-43782
    QID: 730672
    Recently Published

    Atlassian Crowd Security Misconfiguration Vulnerability

    Severity
    Critical 4
    Qualys ID
    730672
    Date Published
    November 22, 2022
    Vendor Reference
    Atlassian Crowd Security Advisory
    CVE Reference
    CVE-2022-43782
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Atlassian Crowd is affected by a security misconfiguration vulnerability. All versions released after 3.0.0 are affected, but only if both of the following conditions are met:
    1. The vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.
    2. An IP address has been added to the Remote Address configuration of the crowd application (which is none by default in versions after 3.0.0).

    Affected Versions:
    Crowd 3.0.0 - Crowd 3.7.2
    Crowd 4.0.0 - Crowd 4.4.3
    Crowd 5.0.0 - Crowd 5.0.2

    QID Detection Logic (Unauthenticated):
    This QID checks for a vulnerable version of Atlassian Crowd by sending an HTTP GET request to the login.action endpoint.

    Note: This QID is kept as potential because only new installations of Atlassian Crowd are vulnerable; if you upgraded from an earlier version, you are not affected.

    Consequence
    The vulnerability allows an attacker connecting from an IP address in the allow list to authenticate as the crowd application by bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd's REST API under the usermanagement path.

    Solution
    The vendor has released a patch. For more information, please refer to the Atlassian Crowd Security Advisory.

    Patches
    Atlassian Crowd Security Advisory
  • CVE-2022-39260+
    QID: 199040
    Recently Published

    Ubuntu Security Notification for Git Vulnerabilities (USN-5686-3)

    Severity
    Critical 4
    Qualys ID
    199040
    Date Published
    November 22, 2022
    Vendor Reference
    USN-5686-3
    CVE Reference
    CVE-2022-39260, CVE-2022-39253
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for git to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5686-3 for updates and patch information.
    Patches
    Ubuntu Linux USN-5686-3
  • CVE-2022-42898
    QID: 502602
    Recently Published

    Alpine Linux Security Update for krb5

    Severity
    Critical 4
    Qualys ID
    502602
    Date Published
    November 22, 2022
    Vendor Reference
    krb5
    CVE Reference
    CVE-2022-42898
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alpine Linux has released a security update for krb5 to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.15
    Alpine Linux 3.16


    Affected Package versions prior to 1.19.4-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory krb5 for updates and patch information.
    Patches
    Alpine Linux krb5-1.19.4-r0
  • CVE-2022-3162+
    QID: 283329
    Recently Published

    Fedora Security Update for kubernetes (FEDORA-2022-2004702d98)

    Severity
    Critical 4
    Qualys ID
    283329
    Date Published
    November 22, 2022
    Vendor Reference
    FEDORA-2022-2004702d98
    CVE Reference
    CVE-2022-3162, CVE-2022-3294
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for kubernetes to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-2004702d98
  • CVE-2022-45403+
    QID: 240936
    Recently Published

    Red Hat Update for thunderbird (RHSA-2022:8561)

    Severity
    Critical 4
    Qualys ID
    240936
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8561
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client...
    Security Fix(es):
      Mozilla: service workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: fullscreen notification bypass (CVE-2022-45404).
      Mozilla: use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux for x86_64 9 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 9 s390x.
      Red Hat Enterprise Linux for Power, little endian 9 ppc64le.
      Red Hat Enterprise Linux for ARM 64 9 aarch64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8561 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8561
  • CVE-2022-45403+
    QID: 240935
    Recently Published

    Red Hat Update for thunderbird (RHSA-2022:8547)

    Severity
    Critical 4
    Qualys ID
    240935
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8547
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client...
    Security Fix(es):
      Mozilla: service workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: fullscreen notification bypass (CVE-2022-45404).
      Mozilla: use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux for x86_64 8 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 8 s390x.
      Red Hat Enterprise Linux for Power, little endian 8 ppc64le.
      Red Hat Enterprise Linux for ARM 64 8 aarch64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8547 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8547
  • CVE-2022-45403+
    QID: 240934
    Recently Published

    Red Hat Update for thunderbird (RHSA-2022:8555)

    Severity
    Critical 4
    Qualys ID
    240934
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8555
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client...
    Security Fix(es):
      Mozilla: service workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: fullscreen notification bypass (CVE-2022-45404).
      Mozilla: use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux Server 7 x86_64.
      Red Hat Enterprise Linux Workstation 7 x86_64.
      Red Hat Enterprise Linux Desktop 7 x86_64.
      Red Hat Enterprise Linux for Power, little endian 7 ppc64le.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8555 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8555
  • CVE-2022-45403+
    QID: 240933
    Recently Published

    Red Hat Update for firefox (RHSA-2022:8549)

    Severity
    Critical 4
    Qualys ID
    240933
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8549
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Red Hat has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8549 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8549
  • CVE-2022-45403+
    QID: 240932
    Recently Published

    Red Hat Update for thunderbird (RHSA-2022:8545)

    Severity
    Critical 4
    Qualys ID
    240932
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8545
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client...
    Security Fix(es):
      Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: Fullscreen notification bypass (CVE-2022-45404).
      Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: Use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: Cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: Keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64.
      Red Hat Enterprise Linux Server - AUS 8.6 x86_64.
      Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x.
      Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le.
      Red Hat Enterprise Linux Server - TUS 8.6 x86_64.
      Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64.
      Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le.
      Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8545 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8545
  • CVE-2022-45403+
    QID: 240931
    Recently Published

    Red Hat Update for firefox (RHSA-2022:8548)

    Severity
    Critical4
    Qualys ID
    240931
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8548
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Red Hat has released a security update for firefox to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8548 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8548
  • CVE-2022-45403+
    QID: 240930
    Recently Published

    Red Hat Update for firefox (RHSA-2022:8552)

    Severity
    Critical4
    Qualys ID
    240930
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8552
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability...
    Security Fix(es):
      Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: Fullscreen notification bypass (CVE-2022-45404).
      Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: Use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: Cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: Keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux Server 7 x86_64.
      Red Hat Enterprise Linux Workstation 7 x86_64.
      Red Hat Enterprise Linux Desktop 7 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 7 s390x.
      Red Hat Enterprise Linux for Power, big endian 7 ppc64.
      Red Hat Enterprise Linux for Power, little endian 7 ppc64le.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8552 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8552
  • CVE-2022-45403+
    QID: 240929
    Recently Published

    Red Hat Update for thunderbird (RHSA-2022:8544)

    Severity
    Critical4
    Qualys ID
    240929
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8544
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client...
    Security Fix(es):
      Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: Fullscreen notification bypass (CVE-2022-45404).
      Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: Use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: Cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: Keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64.
      Red Hat Enterprise Linux Server - AUS 8.4 x86_64.
      Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x.
      Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le.
      Red Hat Enterprise Linux Server - TUS 8.4 x86_64.
      Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64.
      Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le.
      Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8544 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8544
  • CVE-2022-45403+
    QID: 240928
    Recently Published

    Red Hat Update for firefox (RHSA-2022:8554)

    Severity
    Critical4
    Qualys ID
    240928
    Date Published
    November 22, 2022
    Vendor Reference
    RHSA-2022:8554
    CVE Reference
    CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability...
    Security Fix(es):
      Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403).
      Mozilla: Fullscreen notification bypass (CVE-2022-45404).
      Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405).
      Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406).
      Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408).
      Mozilla: Use-after-free in garbage collection (CVE-2022-45409).
      Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421).
      Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410).
      Mozilla: Cross-site tracing was possible via non-standard override headers (CVE-2022-45411).
      Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412).
      Mozilla: Keystroke side-channel leakage (CVE-2022-45416).
      Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418).
      Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420).
    Affected Products:
      Red Hat Enterprise Linux for x86_64 8 x86_64.
      Red Hat Enterprise Linux for IBM z Systems 8 s390x.
      Red Hat Enterprise Linux for Power, little endian 8 ppc64le.
      Red Hat Enterprise Linux for ARM 64 8 aarch64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:8554 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:8554
  • CVE-2022-1270
    QID: 181239
    Recently Published

    Debian Security Update for graphicsmagick (DLA 3200-1)

    Severity
    Critical4
    Qualys ID
    181239
    Date Published
    November 22, 2022
    Vendor Reference
    DLA 3200-1
    CVE Reference
    CVE-2022-1270
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Debian has released a security update for graphicsmagick to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DLA 3200-1 for updates and patch information.
    Patches
    Debian DLA 3200-1
  • CVE-2022-31160
    QID: 283328
    Recently Published

    Fedora Security Update for js (FEDORA-2022-22d8ba36d0)

    Severity
    Serious3
    Qualys ID
    283328
    Date Published
    November 22, 2022
    Vendor Reference
    FEDORA-2022-22d8ba36d0
    CVE Reference
    CVE-2022-31160
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Fedora has released a security update for js to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-22d8ba36d0
  • CVE-2022-31160
    QID: 283327
    Recently Published

    Fedora Security Update for js (FEDORA-2022-1a01ed37e2)

    Severity
    Serious3
    Qualys ID
    283327
    Date Published
    November 22, 2022
    Vendor Reference
    FEDORA-2022-1a01ed37e2
    CVE Reference
    CVE-2022-31160
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Fedora has released a security update for js to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-1a01ed37e2
  • CVE-2020-0499+
    QID: 199039
    Recently Published

    Ubuntu Security Notification for FLAC Vulnerabilities (USN-5733-1)

    Severity
    Serious3
    Qualys ID
    199039
    Date Published
    November 22, 2022
    Vendor Reference
    USN-5733-1
    CVE Reference
    CVE-2020-0499, CVE-2017-6888, CVE-2021-0561
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Ubuntu has released a security update for flac to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5733-1 for updates and patch information.
    Patches
    Ubuntu Linux USN-5733-1
  • CVE-2022-42898
    QID: 181238
    Recently Published

    Debian Security Update for krb5 (DSA 5286-1)

    Severity
    Critical4
    Qualys ID
    181238
    Date Published
    November 22, 2022
    Vendor Reference
    DSA 5286-1
    CVE Reference
    CVE-2022-42898
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Debian has released a security update for krb5 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DSA 5286-1 for updates and patch information.
    Patches
    Debian DSA 5286-1
  • CVE-2022-25310+
    QID: 940825
    Recently Published

    AlmaLinux Security Update for fribidi (ALSA-2022:8011)

    Severity
    Critical4
    Qualys ID
    940825
    Date Published
    November 22, 2022
    Vendor Reference
    ALSA-2022:8011
    CVE Reference
    CVE-2022-25310, CVE-2022-25309, CVE-2022-25308
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for fribidi to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8011 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8011
  • CVE-2022-28766
    QID: 377783
    Recently Published

    Zoom VDI DLL Injection Vulnerability (ZSB-22027)

    Severity
    Critical4
    Qualys ID
    377783
    Date Published
    November 22, 2022
    Vendor Reference
    ZSB-22027
    CVE Reference
    CVE-2022-28766
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Zoom provides video communications with a cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems.

    CVE-2022-28766: A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

    Affected Versions:
    Zoom VDI Windows Meeting Client for Windows (32-bit) prior to 5.12.6

    QID Detection Logic:
    This authenticated QID detects vulnerable Zoom VDI Windows Meeting Clients prior to version 5.12.6 on Windows.

    Consequence
    Successful exploitation of this vulnerability may allow a local attacker to run malicious code in the context of a legitimate process, gaining several advantages, especially the ability to access the process's memory and permissions.
    Solution
    Customers are advised to upgrade to Zoom VDI Windows Meeting Clients 5.12.6 or later to remediate these vulnerabilities.

    Patches
    ZSB-22027
  • CVE-2022-28766
    QID: 377777
    Recently Published

    Zoom Client for Meetings Multiple Security Vulnerabilities (ZSB-22027)

    Severity
    Critical4
    Qualys ID
    377777
    Date Published
    November 22, 2022
    Vendor Reference
    ZSB-22027
    CVE Reference
    CVE-2022-28766
    CVSS Scores
    Base 7.3 / Temporal 6.4
    Description
    Zoom provides video communications with a cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems.

    Affected Versions:
    Zoom Client for Meetings for Windows (32-bit) prior to 5.12.6

    QID Detection Logic (Authenticated):
    This authenticated QID detects vulnerable Zoom Client versions prior to 5.12.6 (Windows).

    Consequence
    A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

    Solution
    Customers are advised to upgrade to Zoom Client 5.12.6 (Windows) or later to remediate these vulnerabilities.

    Patches
    ZSB-22027
  • CVE-2022-2990+
    QID: 940780
    Recently Published

    AlmaLinux Security Update for container-tools:rhel8 (ALSA-2022:7822)

    Severity
    Critical4
    Qualys ID
    940780
    Date Published
    November 22, 2022
    Vendor Reference
    ALSA-2022:7822
    CVE Reference
    CVE-2022-2990, CVE-2022-2989
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    AlmaLinux has released a security update for container-tools:rhel8 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:7822 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:7822
  • CVE-2021-45943+
    QID: 20274
    Recently Published

    Oracle Database 19c Critical OJVM Patch Update - July 2022

    Severity
    Critical4
    Qualys ID
    20274
    Date Published
    November 22, 2022
    Vendor Reference
    CPUJUL22
    CVE Reference
    CVE-2021-45943, CVE-2022-21432, CVE-2022-0839, CVE-2020-26185, CVE-2022-21565, CVE-2020-26184, CVE-2020-35169
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Oracle Database quarterly patches are proactive cumulative patches containing recommended bug fixes that are released on a regular schedule.

    Affected Software:
    Oracle Database 19c

    QID Detection Logic (Authenticated):
    Authentication via Oracle Database:
    This QID reviews the Oracle output from the DBA_REGISTRY_SQLPATCH table for patch information.

    Consequence
    Successful exploitation could allow an attacker to compromise the database.

    Solution
    Customers are requested to refer to CPUJUL2022 to obtain details about how to deploy the update.

    Patches
    CPUJUL2022
  • CVE-2022-20962
    QID: 317261
    Recently Published

    Cisco Identity Services Engine (ISE) Path Traversal Vulnerability (cisco-sa-ise-path-trav-f6M7cs6r)

    Severity
    Serious3
    Qualys ID
    317261
    Date Published
    November 22, 2022
    Vendor Reference
    cisco-sa-ise-path-trav-f6M7cs6r
    CVE Reference
    CVE-2022-20962
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    A vulnerability in the Localdisk Management feature of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to make unauthorized changes to the file system of an affected device.

    Affected Products:
    The following Cisco ISE versions are vulnerable:
    From 3.1 prior to 3.1 patch 4

    QID Detection Logic (Authenticated):
    The check matches the Cisco ISE version and ise_patch retrieved via Unix Auth using the "show version" command.

    Consequence
    A successful exploit could allow the attacker to upload malicious files to arbitrary locations within the file system.

    Solution

    Customers are advised to refer to cisco-sa-ise-path-trav-f6M7cs6r for more information.

    Patches
    cisco-sa-ise-path-trav-f6M7cs6r
  • CVE-2022-43781
    QID: 730671
    Recently Published

    Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

    Severity
    Critical4
    Qualys ID
    730671
    Date Published
    November 21, 2022
    Vendor Reference
    Atlassian Bitbucket Security Advisory
    CVE Reference
    CVE-2022-43781
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system (CVE-2022-43781).

    Affected Versions:
    Atlassian Bitbucket Server and Data Center version 7.0 to 7.5 (all versions)
    Atlassian Bitbucket Server and Data Center version 7.6.0 to 7.6.18
    Atlassian Bitbucket Server and Data Center version 7.7 to 7.16 (all versions)
    Atlassian Bitbucket Server and Data Center version 7.17.0 to 7.17.11
    Atlassian Bitbucket Server and Data Center version 7.18 to 7.20 (all versions)
    Atlassian Bitbucket Server and Data Center version 7.21.0 to 7.21.5
    If mesh.enabled=false is set in bitbucket.properties:
    Atlassian Bitbucket Server and Data Center version 8.0.0 to 8.0.4
    Atlassian Bitbucket Server and Data Center version 8.1.0 to 8.1.4
    Atlassian Bitbucket Server and Data Center version 8.2.0 to 8.2.3
    Atlassian Bitbucket Server and Data Center version 8.3.0 to 8.3.2
    Atlassian Bitbucket Server and Data Center version 8.4.0 to 8.4.1

    Detection Logic:
    The QID checks for vulnerable versions of Atlassian Bitbucket Server by sending a GET request to the /login endpoint.

    Note: The QID is kept as potential because temporary mitigations exist and 8.x versions are vulnerable only if mesh.enabled=false is set in bitbucket.properties.

    Consequence
    Successful exploitation of the vulnerability may lead to remote code execution.

    Solution
    The vendor has released a patch. For more information, refer to the Atlassian Bitbucket Security Advisory.

    Workaround:
    If you're unable to upgrade your Bitbucket instance, a temporary mitigation step is to disable "Public Signup". Disabling public signup changes the attack vector from an unauthenticated attack to an authenticated one, which reduces the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the "Allow public sign up" checkbox.

    ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible.

    Patches
    Atlassian Bitbucket Security Advisory
  • CVE-2022-45063
    QID: 283325
    Recently Published

    Fedora Security Update for xterm (FEDORA-2022-681bbe67b6)

    Severity
    Urgent5
    Qualys ID
    283325
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-681bbe67b6
    CVE Reference
    CVE-2022-45063
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for xterm to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-681bbe67b6
  • CVE-2022-3821
    QID: 283326
    Recently Published

    Fedora Security Update for systemd (FEDORA-2022-8ac4104a02)

    Severity
    Serious3
    Qualys ID
    283326
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-8ac4104a02
    CVE Reference
    CVE-2022-3821
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Fedora has released a security update for systemd to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-8ac4104a02
  • CVE-2021-3782
    QID: 904509
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for wayland (11024-1)

    Severity
    Urgent5
    Qualys ID
    904509
    Date Published
    November 21, 2022
    Vendor Reference
    11024-1
    CVE Reference
    CVE-2021-3782
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has released a security update for wayland to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    CBL-Mariner has issued updated packages to fix this vulnerability. For more information about the vulnerability and obtaining patches, refer to the following CBL-Mariner security advisories: https://github.com/microsoft/CBL-Mariner/releases

    Patches
    CBL-Mariner Linux 11024-1
  • CVE-2022-30293+
    QID: 940844
    Recently Published

    AlmaLinux Security Update for webkit2gtk3 (ALSA-2022:8054)

    Severity
    Critical4
    Qualys ID
    940844
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8054
    CVE Reference
    CVE-2022-30293, CVE-2022-22629, CVE-2022-26710, CVE-2022-26716, CVE-2022-22624, CVE-2022-26719, CVE-2022-26700, CVE-2022-26709, CVE-2022-22662, CVE-2022-22628, CVE-2022-26717
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    AlmaLinux has released a security update for webkit2gtk3 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8054 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8054
  • CVE-2022-23824+
    QID: 502600
    Recently Published

    Alpine Linux Security Update for xen

    Severity
    Critical4
    Qualys ID
    502600
    Date Published
    November 21, 2022
    Vendor Reference
    xen
    CVE Reference
    CVE-2022-23824, CVE-2022-33743, CVE-2022-33744, CVE-2022-33746, CVE-2022-33747, CVE-2022-33748, CVE-2022-33749, CVE-2022-42309, CVE-2022-42310, CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318, CVE-2022-42319, CVE-2022-42320, CVE-2022-42321, CVE-2022-42322, CVE-2022-42323, CVE-2022-42324, CVE-2022-42325, CVE-2022-42326, CVE-2022-42327
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alpine Linux has released a security update for xen to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.14


    Affected Package versions prior to 4.15.4-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory xen for updates and patch information.
    Patches
    Alpine Linux xen-4.15.4-r0
  • CVE-2022-29901+
    QID: 199037
    Recently Published

    Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-5728-2)

    Severity
    Critical4
    Qualys ID
    199037
    Date Published
    November 21, 2022
    Vendor Reference
    USN-5728-2
    CVE Reference
    CVE-2022-29901, CVE-2022-42719, CVE-2022-3635, CVE-2022-40768, CVE-2022-3625, CVE-2022-3028, CVE-2022-42703, CVE-2022-20422, CVE-2022-41222, CVE-2022-2978, CVE-2022-2153, CVE-2022-39188
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5728-2 for updates and patch information.
    Patches
    Ubuntu Linux USN-5728-2
  • CVE-2022-42919
    QID: 283324
    Recently Published

    Fedora Security Update for python3.9 (FEDORA-2022-b17bf30e88)

    Severity
    Critical4
    Qualys ID
    283324
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-b17bf30e88
    CVE Reference
    CVE-2022-42919
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for python3.9 to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-b17bf30e88
  • CVE-2022-39190+
    QID: 199038
    Recently Published

    Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-5729-2)

    Severity
    Critical4
    Qualys ID
    199038
    Date Published
    November 21, 2022
    Vendor Reference
    USN-5729-2
    CVE Reference
    CVE-2022-39190, CVE-2022-3625, CVE-2022-40768, CVE-2022-3028, CVE-2022-3635, CVE-2022-20422, CVE-2022-2978, CVE-2022-2905
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5729-2 for updates and patch information.
    Patches
    Ubuntu Linux USN-5729-2
  • CVE-2022-40768+
    QID: 199036
    Recently Published

    Ubuntu Security Notification for Linux kernel (GCP) Vulnerabilities (USN-5727-2)

    Severity
    Critical 4
    Qualys ID
    199036
    Date Published
    November 21, 2022
    Vendor Reference
    USN-5727-2
    CVE Reference
    CVE-2022-40768, CVE-2022-3635, CVE-2022-3028, CVE-2022-20422, CVE-2022-2978, CVE-2022-2153, CVE-2022-36879
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Ubuntu has released a security update for linux to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Ubuntu security advisory USN-5727-2 for updates and patch information.
    Patches
    Ubuntu Linux USN-5727-2
  • CVE-2022-41916
    QID: 904511
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for heimdal (11457)

    Severity
    Critical 4
    Qualys ID
    904511
    Date Published
    November 21, 2022
    Vendor Reference
    Mariner_2.0_11457
    CVE Reference
    CVE-2022-41916
    CVSS Scores
    Base 7.5 / Temporal 6.9
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for heimdal to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-41916
    QID: 904510
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for heimdal (11459)

    Severity
    Critical 4
    Qualys ID
    904510
    Date Published
    November 21, 2022
    Vendor Reference
    11459
    CVE Reference
    CVE-2022-41916
    CVSS Scores
    Base 7.5 / Temporal 6.9
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for heimdal to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-42252
    QID: 690992
    Recently Published

    Free Berkeley Software Distribution (FreeBSD) Security Update for tomcat (556fdf03-6785-11ed-953b-002b67dfc673)

    Severity
    Critical 4
    Qualys ID
    690992
    Date Published
    November 21, 2022
    Vendor Reference
    556fdf03-6785-11ed-953b-002b67dfc673
    CVE Reference
    CVE-2022-42252
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    FreeBSD has released a security update for tomcat to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to FreeBSD security advisory 556fdf03-6785-11ed-953b-002b67dfc673 for updates and patch information.
    Patches
    FreeBSD 556fdf03-6785-11ed-953b-002b67dfc673
  • CVE-2019-14870+
    QID: 502599
    Recently Published

    Alpine Linux Security Update for heimdal

    Severity
    Critical 4
    Qualys ID
    502599
    Date Published
    November 21, 2022
    Vendor Reference
    heimdal
    CVE Reference
    CVE-2019-14870, CVE-2021-3671, CVE-2021-44758, CVE-2022-3437, CVE-2022-41916, CVE-2022-42898, CVE-2022-44640
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Alpine Linux has released a security update for heimdal to fix the vulnerabilities.

    Affected versions:
    Alpine Linux 3.14


    Affected Package versions prior to 7.7.1-r0.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Alpine Linux advisory heimdal for updates and patch information.
    Patches
    Alpine Linux heimdal-7.7.1-r0
  • CVE-2022-45380
    QID: 904512
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for junit (11458)

    Severity
    Serious 3
    Qualys ID
    904512
    Date Published
    November 21, 2022
    Vendor Reference
    Mariner_2.0_11458
    CVE Reference
    CVE-2022-45380
    CVSS Scores
    Base 5.4 / Temporal 5
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for junit to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-22719+
    QID: 940823
    Recently Published

    AlmaLinux Security Update for httpd (ALSA-2022:8067)

    Severity
    Urgent 5
    Qualys ID
    940823
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8067
    CVE Reference
    CVE-2022-22719, CVE-2022-26377, CVE-2022-23943, CVE-2022-22721, CVE-2022-30556, CVE-2022-30522, CVE-2022-31813, CVE-2022-29404, CVE-2022-28614, CVE-2022-28615
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    AlmaLinux has released a security update for httpd to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8067 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8067
  • CVE-2022-31625+
    QID: 940810
    Recently Published

    AlmaLinux Security Update for Hypertext Preprocessor (PHP) (ALSA-2022:8197)

    Severity
    Urgent 5
    Qualys ID
    940810
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8197
    CVE Reference
    CVE-2022-31625, CVE-2021-21708
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    AlmaLinux has released a security update for php to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8197 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8197
  • CVE-2022-37434
    QID: 940803
    Recently Published

    AlmaLinux Security Update for rsync (ALSA-2022:8291)

    Severity
    Urgent 5
    Qualys ID
    940803
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8291
    CVE Reference
    CVE-2022-37434
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    AlmaLinux has released a security update for rsync to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8291 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8291
  • CVE-2022-27405+
    QID: 940791
    Recently Published

    AlmaLinux Security Update for freetype (ALSA-2022:8340)

    Severity
    Urgent 5
    Qualys ID
    940791
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8340
    CVE Reference
    CVE-2022-27405, CVE-2022-27404, CVE-2022-27406
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    AlmaLinux has released a security update for freetype to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8340 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8340
  • CVE-2022-39377
    QID: 904508
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for sysstat (11450)

    Severity
    Urgent 5
    Qualys ID
    904508
    Date Published
    November 21, 2022
    Vendor Reference
    Mariner_2.0_11450
    CVE Reference
    CVE-2022-39377
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for sysstat to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-3970
    QID: 904507
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (11449)

    Severity
    Urgent 5
    Qualys ID
    904507
    Date Published
    November 21, 2022
    Vendor Reference
    Mariner_2.0_11449
    CVE Reference
    CVE-2022-3970
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    CBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-3970
    QID: 904506
    Recently Published

    Common Base Linux Mariner (CBL-Mariner) Security Update for libtiff (11451)

    Severity
    Urgent 5
    Qualys ID
    904506
    Date Published
    November 21, 2022
    Vendor Reference
    11451
    CVE Reference
    CVE-2022-3970
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    CBL-Mariner is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.
    CBL-Mariner has NOT released a security update for libtiff to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution

    Patch is NOT available for the package.

  • CVE-2022-39377
    QID: 283323
    Recently Published

    Fedora Security Update for sysstat (FEDORA-2022-5adda2d05f)

    Severity
    Urgent 5
    Qualys ID
    283323
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-5adda2d05f
    CVE Reference
    CVE-2022-39377
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for sysstat to fix the vulnerabilities.

    Affected OS:
    Fedora 35


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 35 for updates and patch information.
    Patches
    Fedora 35 FEDORA-2022-5adda2d05f
  • CVE-2022-39377
    QID: 283322
    Recently Published

    Fedora Security Update for sysstat (FEDORA-2022-dbe48a4bc7)

    Severity
    Urgent 5
    Qualys ID
    283322
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-dbe48a4bc7
    CVE Reference
    CVE-2022-39377
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for sysstat to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-dbe48a4bc7
  • CVE-2022-24764+
    QID: 181237
    Recently Published

    Debian Security Update for asterisk (DSA 5285-1)

    Severity
    Urgent 5
    Qualys ID
    181237
    Date Published
    November 21, 2022
    Vendor Reference
    DSA 5285-1
    CVE Reference
    CVE-2022-24764, CVE-2021-46837, CVE-2021-43845, CVE-2022-26498, CVE-2022-21722, CVE-2022-21723, CVE-2021-43301, CVE-2022-24786, CVE-2021-43299, CVE-2022-24763, CVE-2022-24793, CVE-2022-23608, CVE-2021-37706, CVE-2022-26651, CVE-2021-43300, CVE-2021-43302, CVE-2021-43303, CVE-2022-24792, CVE-2021-43804, CVE-2022-26499
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released a security update for asterisk to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Debian security advisory DSA 5285-1 for updates and patch information.
    Patches
    Debian DSA 5285-1
  • CVE-2022-32898+
    QID: 610448
    Recently Published

    Apple iOS 15.7 and iPadOS 15.7 Security Update Missing

    Severity
    Urgent 5
    Qualys ID
    610448
    Date Published
    November 21, 2022
    Vendor Reference
    HT213445
    CVE Reference
    CVE-2022-32898, CVE-2022-32899, CVE-2022-42796, CVE-2022-32929, CVE-2022-32854, CVE-2022-32911, CVE-2022-32864, CVE-2022-32917, CVE-2022-32883, CVE-2022-32908, CVE-2022-32879, CVE-2022-32795, CVE-2022-32868, CVE-2022-42793, CVE-2022-32872, CVE-2022-42790, CVE-2022-32888, CVE-2022-32886, CVE-2022-32912, CVE-2022-32892
    CVSS Scores
    Base 8.8 / Temporal 8.2
    Description
    iOS is a mobile operating system created and developed by Apple Inc.

    The following security issues are observed:
    The issue was addressed with improved memory handling. CVE-2022-32898
    This issue was addressed by removing the vulnerable code. CVE-2022-42796
    A permissions issue was addressed with additional restrictions. CVE-2022-32929
    This issue was addressed with improved checks. CVE-2022-32854
    The issue was addressed with improved memory handling. CVE-2022-32911
    The issue was addressed with improved memory handling. CVE-2022-32864
    The issue was addressed with improved bounds checks. CVE-2022-32917
    A logic issue was addressed with improved restrictions. CVE-2022-32883
    A memory corruption issue was addressed with improved input validation. CVE-2022-32908
    A logic issue was addressed with improved state management. CVE-2022-32879
    This issue was addressed with improved checks. CVE-2022-32795
    A logic issue was addressed with improved state management. WebKit Bugzilla
    An issue in code signature validation was addressed with improved checks. CVE-2022-42793
    A logic issue was addressed with improved restrictions. CVE-2022-32872
    A logic issue was addressed with improved state management. CVE-2022-42790
    An out-of-bounds write issue was addressed with improved bounds checking. WebKit Bugzilla
    A buffer overflow issue was addressed with improved memory handling. WebKit Bugzilla
    An out-of-bounds read was addressed with improved bounds checking. WebKit Bugzilla
    An access issue was addressed with improvements to the sandbox. WebKit Bugzilla

    Affected Devices
    iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT213445 for patching details.
    Patches
    iOS HT213445
  • CVE-2022-22658
    QID: 610449
    Recently Published

    Apple iOS 16.0.3 Security Update Missing

    Severity
    Urgent 5
    Qualys ID
    610449
    Date Published
    November 21, 2022
    Vendor Reference
    HT213480
    CVE Reference
    CVE-2022-22658
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    CVE-2022-22658: An input validation issue was addressed with improved input validation.
    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT213480 for patching details.
    Patches
    iOS HT213480
  • CVE-2022-40303+
    QID: 610450
    Recently Published

    Apple iOS 16.1.1 and iPadOS 16.1.1 Security Update Missing

    Severity
    Urgent 5
    Qualys ID
    610450
    Date Published
    November 21, 2022
    Vendor Reference
    HT213505
    CVE Reference
    CVE-2022-40303, CVE-2022-40304
    CVSS Scores
    Base 0 / Temporal 0
    Description
    iOS is a mobile operating system created and developed by Apple Inc.

    The following security issues are observed:
    An integer overflow was addressed through improved input validation. CVE-2022-40303
    This issue was addressed with improved checks. CVE-2022-40304

    Affected Devices
    iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Apple advisory HT213505 for patching details.
    Patches
    iOS HT213505
  • CVE-2022-25313+
    QID: 377786
    Recently Published

    Alibaba Cloud Linux Security Update for mingw-expat (ALINUX3-SA-2022:0183)

    Severity
    Critical 4
    Qualys ID
    377786
    Date Published
    November 21, 2022
    Vendor Reference
    ALINUX3-SA-2022:0183
    CVE Reference
    CVE-2022-25313, CVE-2022-23990, CVE-2022-25235, CVE-2022-25314, CVE-2022-25236, CVE-2022-25315
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Alibaba Cloud Linux has released a security update for mingw-expat to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to Alibaba Cloud Linux security advisory ALINUX3-SA-2022:0183 for updates and patch information.
    Patches
    Alibaba Cloud Linux ALINUX3-SA-2022:0183
  • CVE-2022-1049
    QID: 940840
    Recently Published

    AlmaLinux Security Update for pcs (ALSA-2022:7935)

    Severity
    Critical 4
    Qualys ID
    940840
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:7935
    CVE Reference
    CVE-2022-1049
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    AlmaLinux has released a security update for pcs to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:7935 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:7935
  • CVE-2022-30631+
    QID: 940826
    Recently Published

    AlmaLinux Security Update for grafana (ALSA-2022:8057)

    Severity
    Critical 4
    Qualys ID
    940826
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8057
    CVE Reference
    CVE-2022-30631, CVE-2022-21698, CVE-2022-1962, CVE-2022-21702, CVE-2022-21703, CVE-2022-21673, CVE-2022-32148, CVE-2022-21713, CVE-2022-1705, CVE-2022-30630, CVE-2022-30633, CVE-2022-30635, CVE-2022-30632, CVE-2022-28131, CVE-2021-23648
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    AlmaLinux has released a security update for grafana to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8057 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8057
  • CVE-2022-30550
    QID: 940809
    Recently Published

    AlmaLinux Security Update for dovecot (ALSA-2022:8208)

    Severity
    Critical 4
    Qualys ID
    940809
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8208
    CVE Reference
    CVE-2022-30550
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    AlmaLinux has released a security update for dovecot to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8208 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8208
  • CVE-2022-3550+
    QID: 377785
    Recently Published

    Alibaba Cloud Linux Security Update for xorg-x11-server (ALINUX2-SA-2022:0053)

    Severity
    Critical 4
    Qualys ID
    377785
    Date Published
    November 21, 2022
    Vendor Reference
    ALINUX2-SA-2022:0053
    CVE Reference
    CVE-2022-3550, CVE-2022-3551
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Alibaba Cloud Linux has released a security update for xorg-x11-server to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to Alibaba Cloud Linux security advisory ALINUX2-SA-2022:0053 for updates and patch information.
    Patches
    Alibaba Cloud Linux ALINUX2-SA-2022:0053
  • CVE-2022-0396+
    QID: 940822
    Recently Published

    AlmaLinux Security Update for bind (ALSA-2022:8068)

    Severity
    Critical 4
    Qualys ID
    940822
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8068
    CVE Reference
    CVE-2022-0396, CVE-2021-25220
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for bind to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8068 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8068
  • CVE-2021-3839+
    QID: 940804
    Recently Published

    AlmaLinux Security Update for dpdk (ALSA-2022:8263)

    Severity
    Critical 4
    Qualys ID
    940804
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8263
    CVE Reference
    CVE-2021-3839, CVE-2022-2132, CVE-2022-28199
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for dpdk to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8263 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8263
  • CVE-2021-25220
    QID: 940793
    Recently Published

    AlmaLinux Security Update for dhcp (ALSA-2022:8385)

    Severity
    Critical 4
    Qualys ID
    940793
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8385
    CVE Reference
    CVE-2021-25220
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    AlmaLinux has released a security update for dhcp to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8385 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8385
  • CVE-2022-3787
    QID: 377789
    Recently Published

    Alibaba Cloud Linux Security Update for device-mapper-multipath (ALINUX3-SA-2022:0185)

    Severity
    Critical 4
    Qualys ID
    377789
    Date Published
    November 21, 2022
    Vendor Reference
    ALINUX3-SA-2022:0185
    CVE Reference
    CVE-2022-3787
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Alibaba Cloud Linux has released a security update for device-mapper-multipath to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to Alibaba Cloud Linux security advisory ALINUX3-SA-2022:0185 for updates and patch information.
    Patches
    Alibaba Cloud Linux ALINUX3-SA-2022:0185
  • QID: 283320
    Recently Published

    Fedora Security Update for thunderbird (FEDORA-2022-05bdce3585)

    Severity
    Critical 4
    Qualys ID
    283320
    Date Published
    November 21, 2022
    Vendor Reference
    FEDORA-2022-05bdce3585
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for thunderbird to fix the vulnerabilities.

    Affected OS:
    Fedora 36


    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Fedora security advisory Fedora 36 for updates and patch information.
    Patches
    Fedora 36 FEDORA-2022-05bdce3585
  • CVE-2021-3750+
    QID: 940832
    Recently Published

    AlmaLinux Security Update for qemu-kvm (ALSA-2022:7967)

    Severity
    Critical 4
    Qualys ID
    940832
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:7967
    CVE Reference
    CVE-2021-3750, CVE-2021-4158, CVE-2021-3611, CVE-2021-3507
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    AlmaLinux has released a security update for qemu-kvm to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:7967 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:7967
  • CVE-2022-36881
    QID: 240927
    Recently Published

    Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:7865)

    Severity
    Critical 4
    Qualys ID
    240927
    Date Published
    November 21, 2022
    Vendor Reference
    RHSA-2022:7865
    CVE Reference
    CVE-2022-36881
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments...

    Security Fix(es):
      jenkins-plugin: man-in-the-middle (mitm) in.
    Affected Products:
      Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64.
      Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le.
      Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x.
      Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
    Solution
    Refer to Red Hat security advisory RHSA-2022:7865 for updates and patch information.
    Patches
    Red Hat Enterprise Linux RHSA-2022:7865
  • CVE-2022-29901+
    QID: 940843
    Recently Published

    AlmaLinux Security Update for kernel-rt (ALSA-2022:7933)

    Severity
    Critical 4
    Qualys ID
    940843
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:7933
    CVE Reference
    CVE-2022-29901, CVE-2022-23825, CVE-2022-24448, CVE-2022-29900, CVE-2020-36516, CVE-2022-28390, CVE-2022-1353, CVE-2022-0168, CVE-2022-1679, CVE-2022-21123, CVE-2022-1852, CVE-2022-2586, CVE-2022-26373, CVE-2022-28893, CVE-2022-1998, CVE-2022-1184, CVE-2022-29581, CVE-2022-36946, CVE-2022-1016, CVE-2022-20368, CVE-2022-1280, CVE-2021-3640, CVE-2022-0617, CVE-2022-1048, CVE-2022-0854, CVE-2022-21166, CVE-2022-2639, CVE-2022-39190, CVE-2022-21125, CVE-2022-23816, CVE-2022-21499
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for kernel-rt to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:7933 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:7933
  • CVE-2022-25255
    QID: 940820
    Recently Published

    AlmaLinux Security Update for qt5 (ALSA-2022:8022)

    Severity
    Critical 4
    Qualys ID
    940820
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8022
    CVE Reference
    CVE-2022-25255
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for qt5 to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8022 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8022
  • CVE-2022-29162
    QID: 940818
    Recently Published

    AlmaLinux Security Update for runc (ALSA-2022:8090)

    Severity
    Critical 4
    Qualys ID
    940818
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8090
    CVE Reference
    CVE-2022-29162
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for runc to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8090 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8090
  • CVE-2022-24736+
    QID: 940817
    Recently Published

    AlmaLinux Security Update for redis (ALSA-2022:8096)

    Severity
    Critical 4
    Qualys ID
    940817
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8096
    CVE Reference
    CVE-2022-24736, CVE-2022-24735
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for redis to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8096 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8096
  • CVE-2022-26125
    QID: 940815
    Recently Published

    AlmaLinux Security Update for frr (ALSA-2022:8112)

    Severity
    Critical 4
    Qualys ID
    940815
    Date Published
    November 21, 2022
    Vendor Reference
    ALSA-2022:8112
    CVE Reference
    CVE-2022-26125
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    AlmaLinux has released a security update for frr to fix the vulnerabilities.
    Consequence
    Successful exploitation of this vulnerability could lead to a security breach or could affect confidentiality, integrity, and availability.
    Solution
    Refer to AlmaLinux security advisory ALSA-2022:8112 for updates and patch information.
    Patches
    AlmaLinux ALSA-2022:8112
  • CVE-2022-2319+