
Vulnerabilities of January 2023

If you find an error, please report it via Twitter. -> Twitter《Har-sia》

Summary of vulnerabilities that drew attention this month

CVE-2017-0483

Description from NVD

A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33137046.

Information Acquisition Date:2023/02/01
CVSS 2.0: 7.1 HIGH CVSS 3.x: 5.5 MEDIUM

Highest Score:186 (2023/01/12)

Vulnerability details: Har-sia CVE-2017-0483


Administrator's comment

(Automatic translation) The automatic translation will be inserted here when the monthly vulnerability summary is compiled. Please wait until next month. (End of automatic translation)

###---###

Reference URLs:


CVE-2017-1833


Highest Score:40 (2023/01/05)

Vulnerability details: Har-sia CVE-2017-1833


CVE-2022-23521

Description from NVD

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL

Highest Score:32 (2023/01/18)

Vulnerability details: Har-sia CVE-2022-23521
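The description above names three shapes of crafted input (lines over 2 KB, a huge number of path patterns, huge attribute counts or names) and points out that a crafted file can sit anywhere in history, not only in the working tree. The following Python is an added example, not code from this page or from the Git project: a heuristic scanner for .gitattributes content plus a helper that walks every reachable revision with stock Git plumbing commands. Only the 2 KB line limit comes from the description; the other ceilings (MAX_PATTERNS, MAX_ATTRS_PER_LINE, MAX_ATTR_NAME) are assumed values chosen for illustration, and any repository path passed to scan_repo_history is the caller's own.

```python
"""Added example, not code from the Har-sia page or from Git: a heuristic
scanner for .gitattributes content shaped after the three triggers the
CVE-2022-23521 description names (lines over 2 KB, a huge number of path
patterns, and huge attribute counts or names). Only LINE_LIMIT comes from
the description; the other ceilings are assumptions for illustration."""
import re
import subprocess
from typing import Dict, List

LINE_LIMIT = 2048            # bytes; the split point the advisory text mentions
MAX_PATTERNS = 10_000        # assumed ceiling on patterns per file
MAX_ATTRS_PER_LINE = 1_000   # assumed ceiling on attributes for one pattern
MAX_ATTR_NAME = 256          # assumed ceiling on a single attribute name

_ATTR_PREFIX = re.compile(r"^[-!]")   # '-attr' unsets, '!attr' unspecifies


def parse_gitattributes(text: str) -> List[Dict]:
    """Split .gitattributes text into one record per pattern line.

    Blank lines and '#' comments are skipped. Attribute tokens keep their
    '-', '!' or '=value' decorations so the caller can inspect them."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        records.append({"line": lineno, "pattern": tokens[0],
                        "attrs": tokens[1:], "raw": raw})
    return records


def scan_gitattributes(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    records = parse_gitattributes(text)
    for rec in records:
        raw_len = len(rec["raw"].encode("utf-8"))
        if raw_len > LINE_LIMIT:
            findings.append(f"line {rec['line']}: {raw_len} bytes exceeds {LINE_LIMIT}")
        if len(rec["attrs"]) > MAX_ATTRS_PER_LINE:
            findings.append(f"line {rec['line']}: {len(rec['attrs'])} attributes on one pattern")
        for attr in rec["attrs"]:
            name = _ATTR_PREFIX.sub("", attr).split("=", 1)[0]
            if len(name) > MAX_ATTR_NAME:
                findings.append(f"line {rec['line']}: attribute name of {len(name)} characters")
                break
    if len(records) > MAX_PATTERNS:
        findings.append(f"{len(records)} path patterns in one file")
    return findings


def scan_repo_history(repo: str) -> Dict[str, List[str]]:
    """Check every .gitattributes blob reachable from any ref in `repo`.

    Uses only plumbing that exists in stock Git (rev-list, ls-tree, show).
    A crafted file that was later deleted still lives in history, which is
    why scanning the working tree alone is not enough."""
    results: Dict[str, List[str]] = {}
    revs = subprocess.run(["git", "-C", repo, "rev-list", "--all"],
                          capture_output=True, text=True, check=True).stdout.split()
    for rev in revs:
        tree = subprocess.run(["git", "-C", repo, "ls-tree", "-r", "--name-only", rev],
                              capture_output=True, text=True, check=True).stdout
        for path in tree.splitlines():
            if path.split("/")[-1] != ".gitattributes":
                continue
            blob = subprocess.run(["git", "-C", repo, "show", f"{rev}:{path}"],
                                  capture_output=True, text=True, errors="replace",
                                  check=True).stdout
            findings = scan_gitattributes(blob)
            if findings:
                results[f"{rev[:12]}:{path}"] = findings
    return results
```

The scanner is a triage aid for repositories you are about to clone or build from, not a substitute for upgrading; the description states there is no workaround other than the patched versions.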


CVE-2022-23529

Description from NVD

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link) of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.

Information Acquisition Date:2023/01/14
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL

Highest Score:148 (2023/01/11)

Vulnerability details: Har-sia CVE-2022-23529
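The precondition in the description is that an untrusted party can shape the key argument handed to verify(). The Python below is an added example, not code from this page or from node-jsonwebtoken: a minimal HS256 signer and verifier built only on the standard library, in which the verifier takes no key from its caller at all. It resolves the token's `kid` header against a server-side registry that accepts only raw key bytes, and it pins the algorithm. The key names, key bytes and tokens are constructed for the demo.

```python
"""Added example, not code from the Har-sia page or from node-jsonwebtoken:
a minimal HS256 JWT signer/verifier in Python, shaped around the
precondition in the CVE-2022-23529 text. The verifier never accepts a key
object from its caller; it looks the token's `kid` up in a registry that
holds only raw bytes, and the algorithm is pinned. Keys and tokens below
are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_hs256(payload: dict, kid: str, key: bytes) -> str:
    """Issue a token; `kid` names the key so the verifier can find it later."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url_encode(_json_bytes(header)) + "." + _b64url_encode(_json_bytes(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class KeyRegistry:
    """Trusted key store. Rejects anything that is not raw bytes, so a
    caller-controlled object (a dict, a path, an object with a custom
    string conversion) can never reach the HMAC call."""

    def __init__(self, keys: Dict[str, bytes]):
        for kid, key in keys.items():
            if not isinstance(key, (bytes, bytearray)) or len(key) < 32:
                raise TypeError(f"key {kid!r} must be at least 32 raw bytes")
        self._keys = {kid: bytes(key) for kid, key in keys.items()}

    def lookup(self, kid: str) -> Optional[bytes]:
        return self._keys.get(kid)


def verify_hs256(token: str, registry: KeyRegistry) -> Optional[dict]:
    """Return the payload when the signature checks out under a registered
    key, otherwise None. Nothing from the caller or the token chooses the
    key material; the `kid` header is only a lookup name."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload_raw = _b64url_decode(p64)
        signature = _b64url_decode(s64)
    except ValueError:            # bad structure, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None               # algorithm pinned: 'none' or RS256 swaps are rejected
    kid = header.get("kid")
    if not isinstance(kid, str):
        return None
    key = registry.lookup(kid)
    if key is None:
        return None               # unknown kid: fail closed, no default key
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(payload_raw)
    except ValueError:
        return None
```

The registry is the point: whatever fetches keys for verify() (a JWKS cache, a config file, a database row) should be the only source, and a request, header or user-supplied setting must not be able to substitute its own object for it.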


CVE-2022-34689

Description from NVD

Windows CryptoAPI Spoofing Vulnerability.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.5 HIGH
This vulnerability may involve a PoC.

Description from Forti

Microsoft Windows CryptoAPI Spoofing Vulnerability

Information Acquisition Date:2023/01/28



Highest Score:36 (2023/01/27)

Vulnerability details: Har-sia CVE-2022-34689


CVE-2022-42475

Description from NVD

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL
This vulnerability may involve a PoC.

Highest Score:201 (2022/12/13)

Vulnerability details: Har-sia CVE-2022-42475


CVE-2022-42856

Description from NVD

A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 8.8 HIGH

Description from Forti

About the security content of macOS Ventura 13.1

Information Acquisition Date:2023/01/25



Highest Score:79 (2023/01/24)

Vulnerability details: Har-sia CVE-2022-42856


CVE-2022-43931

Description from NVD

Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 10.0 CRITICAL

Highest Score:37 (2023/01/04)

Vulnerability details: Har-sia CVE-2022-43931


CVE-2022-44877

Description from NVD

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL

Highest Score:38 (2023/01/06)

Vulnerability details: Har-sia CVE-2022-44877
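The description characterises the flaw as OS command injection through shell metacharacters in the `login` parameter of login/index.php. The Python below is an added example, not code from this page or from CWP: a detection pass over web-server access logs that flags requests to that script whose `login` value carries shell substitution or separator characters. Two assumptions are baked in: that the parameter travels in the query string (a POST body does not appear in an access log, so body-logging or a WAF would be needed to see it there), and that logs are in Apache combined format. The log lines in SAMPLE_LOG are constructed for the demo.

```python
"""Added example, not code from the Har-sia page or from CWP: a detection
pass over access logs for CVE-2022-44877, which the description describes
as command injection via shell metacharacters in the `login` parameter of
login/index.php. Assumptions: the parameter is in the query string and the
logs are Apache combined format; SAMPLE_LOG is constructed for the demo."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell substitution and separator characters: $(...), ${...}, backticks, ; | & newline
META_RE = re.compile(r"\$\(|\$\{|`|[;|&\n]")

# Constructed sample: two probes against login/index.php and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512
203.0.113.9 - - [06/Jan/2023:10:01:05 +0000] "POST /login/index.php?login=%24%28id%29 HTTP/1.1" 200 512
198.51.100.4 - - [06/Jan/2023:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [06/Jan/2023:10:03:44 +0000] "POST /login/index.php?login=a%3Bsleep+5 HTTP/1.1" 200 512
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Pull ip, timestamp, method, target and status out of one combined-format line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_login_values(target: str) -> List[str]:
    """Return decoded `login` values that contain shell metacharacters.

    urlsplit runs on the raw target so an encoded '&' (%26) inside a value
    cannot split the query; parse_qs does the percent-decoding afterwards."""
    parts = urlsplit(target)
    if not unquote(parts.path).endswith("/login/index.php"):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("login", [])
    return [v for v in values if META_RE.search(v)]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Walk a log and collect one hit per suspicious login value."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for value in suspicious_login_values(entry["target"]):
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "login": value})
    return hits
```

Metacharacter matching is a cheap first filter, not proof of exploitation; a hit should be followed by checking whether the panel was on a version before 0.9.8.1147 and what the web server's process tree did around that timestamp.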


CVE-2022-47523

Description from NVD

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL

Highest Score:38 (2023/01/06)

Vulnerability details: Har-sia CVE-2022-47523


CVE-2022-47966

Description from NVD

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL
This vulnerability may involve a PoC.

Description from Forti

Proof-of-Concept Released for Zoho ManageEngine RCE vulnerability (CVE-2022-47966)

Information Acquisition Date:2023/01/26



Highest Score:124 (2023/01/20)

Vulnerability details: Har-sia CVE-2022-47966


CVE-2023-21674

Description from NVD

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 8.8 HIGH

Highest Score:126 (2023/01/13)

Vulnerability details: Har-sia CVE-2023-21674


CVE-2023-21780

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21785, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:52 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21780


CVE-2023-21781

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21785, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21781


CVE-2023-21782

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21783, CVE-2023-21784, CVE-2023-21785, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21782


CVE-2023-21783

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21784, CVE-2023-21785, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21783


CVE-2023-21784

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21785, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21784


CVE-2023-21785

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21786, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21785


CVE-2023-21786

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21785, CVE-2023-21787, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:51 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21786


CVE-2023-21787

Description from NVD

3D Builder Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21780, CVE-2023-21781, CVE-2023-21782, CVE-2023-21783, CVE-2023-21784, CVE-2023-21785, CVE-2023-21786, CVE-2023-21788, CVE-2023-21789, CVE-2023-21790, CVE-2023-21791, CVE-2023-21792, CVE-2023-21793.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:42 (2023/01/11)

Vulnerability details: Har-sia CVE-2023-21787


CVE-2023-22809

Description from NVD

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 7.8 HIGH

Highest Score:67 (2023/01/19)

Vulnerability details: Har-sia CVE-2023-22809
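The description gives both the affected range (1.8.0 through 1.9.12p1) and the exact shape of the trigger (an editor value carrying "--" followed by extra file operands). The Python below is an added example, not code from this page or from the sudo project: the two checks a host-hardening or audit script would run for this issue. The version parser understands sudo's `1.9.12p1` style, and the environment check flags an editor string that smuggles operands after `--`. The version strings and environments used in the checks are constructed for the demo.

```python
"""Added example, not code from the Har-sia page or from the sudo project:
two checks for CVE-2023-22809. The affected range and the EDITOR shape are
taken from the description; version strings and environments fed to these
functions are constructed for the demo."""
import re
import shlex
from typing import Dict, Tuple

# Matches '1.9.12p1' and '1.8.0'; the optional pN is sudo's patch-level suffix.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

AFFECTED_MIN = (1, 8, 0, 0)     # 1.8.0
AFFECTED_MAX = (1, 9, 12, 1)    # 1.9.12p1; fixed in 1.9.12p2


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """'Sudo version 1.9.12p1' -> (1, 9, 12, 1); no pN suffix -> patch level 0.

    Accepts the full `sudo --version` output; the first version-looking
    token is the package version."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def sudo_is_affected(version_output: str) -> bool:
    """True when the version sits inside 1.8.0 .. 1.9.12p1 inclusive."""
    return AFFECTED_MIN <= parse_sudo_version(version_output) <= AFFECTED_MAX


def editor_smuggles_args(value: str) -> bool:
    """True when the editor string has a '--' followed by more words, i.e.
    extra file operands that sudoedit would otherwise have vetted."""
    try:
        words = shlex.split(value)
    except ValueError:
        return True                      # unbalanced quoting: treat as suspicious
    if "--" not in words:
        return False
    return len(words) > words.index("--") + 1


def check_environment(env: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate the three variables sudoedit consults, in the order the
    description lists them; absent variables are simply not reported."""
    return {var: editor_smuggles_args(env[var])
            for var in ("SUDO_EDITOR", "VISUAL", "EDITOR") if var in env}
```

For a host that cannot be upgraded immediately, the sudo advisory's mitigation is to stop sudoedit from honouring those variables at all, with a sudoers line of the form `Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"`; the environment check above is only useful as an audit of what users are currently exporting, since the attacker sets the variable in their own session.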


CVE-2023-24059

Description from NVD

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

Information Acquisition Date:2023/02/01
CVSS 2.0: 0.0 None CVSS 3.x: 0.0 None

Highest Score:43 (2023/01/23)

Vulnerability details: Har-sia CVE-2023-24059


Total: 22 entries
