cvelistv5 - cve-2022-24434

CVE-2022-24434 (GCVE-0-2022-24434)

Vulnerability from cvelistv5

Published

2022-05-20 20:05

Modified

2024-09-16 19:10

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

CWE

Denial of Service (DoS)

Summary

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

References

URL

Tags

report@snyk.io	https://github.com/mscdex/busboy/issues/250	Patch, Third Party Advisory
report@snyk.io	https://github.com/mscdex/dicer/pull/22	Exploit, Issue Tracking, Patch, Third Party Advisory
report@snyk.io	https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac	Patch, Third Party Advisory
report@snyk.io	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865	Exploit, Third Party Advisory
report@snyk.io	https://snyk.io/vuln/SNYK-JS-DICER-2311764	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/busboy/issues/250	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/dicer/pull/22	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://snyk.io/vuln/SNYK-JS-DICER-2311764	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	dicer	Version: 0 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:13:55.554Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mscdex/dicer/pull/22"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mscdex/busboy/issues/250"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dicer",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Aras Abbasi"
        }
      ],
      "datePublic": "2022-05-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "FUNCTIONAL",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 7,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service (DoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-20T20:05:13",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mscdex/dicer/pull/22"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mscdex/busboy/issues/250"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
        }
      ],
      "title": "Denial of Service (DoS)",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2022-05-20T20:00:07.054468Z",
          "ID": "CVE-2022-24434",
          "STATE": "PUBLIC",
          "TITLE": "Denial of Service (DoS)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "dicer",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Aras Abbasi"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (DoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JS-DICER-2311764",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
            },
            {
              "name": "https://github.com/mscdex/dicer/pull/22",
              "refsource": "MISC",
              "url": "https://github.com/mscdex/dicer/pull/22"
            },
            {
              "name": "https://github.com/mscdex/busboy/issues/250",
              "refsource": "MISC",
              "url": "https://github.com/mscdex/busboy/issues/250"
            },
            {
              "name": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac",
              "refsource": "MISC",
              "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-24434",
    "datePublished": "2022-05-20T20:05:13.484157Z",
    "dateReserved": "2022-02-24T00:00:00",
    "dateUpdated": "2024-09-16T19:10:28.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24434\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2022-05-20T20:15:09.993\",\"lastModified\":\"2024-11-21T06:50:24.817\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.\"},{\"lang\":\"es\",\"value\":\"Esto afecta a todas las versiones de package dicer. Un atacante malicioso puede enviar un formulario modificado al servidor, y colapsar el servicio nodejs. Un atacante podr\u00eda enviar la carga \u00fatil una y otra vez para que el servicio sea bloqueado continuamente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dicer_project:dicer:*:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0756E708-E6AD-4D9D-9CAF-FA901A56A959\"}]}]}],\"references\":[{\"url\":\"https://github.com/mscdex/busboy/issues/250\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mscdex/dicer/pull/22\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-DICER-2311764\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mscdex/busboy/issues/250\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mscdex/dicer/pull/22\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-DICER-2311764\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

ghsa-wm7h-9275-46v2

Vulnerability from github

Published

2022-05-21 00:00

Modified

2023-08-28 14:22

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Crash in HeaderParser in dicer

Details

This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dicer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:dicer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T20:22:41Z",
    "nvd_published_at": "2022-05-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of the package `dicer`. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop.",
  "id": "GHSA-wm7h-9275-46v2",
  "modified": "2023-08-28T14:22:54Z",
  "published": "2022-05-21T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/busboy/issues/250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/dicer/pull/22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mscdex/dicer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crash in HeaderParser in dicer"
}

fkie_cve-2022-24434

Vulnerability from fkie_nvd

Published

2022-05-20 20:15

Modified

2024-11-21 06:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
report@snyk.io	https://github.com/mscdex/busboy/issues/250	Patch, Third Party Advisory
report@snyk.io	https://github.com/mscdex/dicer/pull/22	Exploit, Issue Tracking, Patch, Third Party Advisory
report@snyk.io	https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac	Patch, Third Party Advisory
report@snyk.io	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865	Exploit, Third Party Advisory
report@snyk.io	https://snyk.io/vuln/SNYK-JS-DICER-2311764	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/busboy/issues/250	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/dicer/pull/22	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://snyk.io/vuln/SNYK-JS-DICER-2311764	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	dicer_project	dicer	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dicer_project:dicer:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0756E708-E6AD-4D9D-9CAF-FA901A56A959",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes."
    },
    {
      "lang": "es",
      "value": "Esto afecta a todas las versiones de package dicer. Un atacante malicioso puede enviar un formulario modificado al servidor, y colapsar el servicio nodejs. Un atacante podr\u00eda enviar la carga \u00fatil una y otra vez para que el servicio sea bloqueado continuamente"
    }
  ],
  "id": "CVE-2022-24434",
  "lastModified": "2024-11-21T06:50:24.817",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "report@snyk.io",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-20T20:15:09.993",
  "references": [
    {
      "source": "report@snyk.io",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/busboy/issues/250"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/dicer/pull/22"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/busboy/issues/250"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/dicer/pull/22"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2023-AVI-0286

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	QRadar	IBM QRadar Data Synchronization App versions 1.0 à 3.1.0 antérieures à 3.1.1
IBM	QRadar	IBM QRadar Use Case Manager App versions 1.0 à 3.5.0 antérieures à 3.6.0
IBM	QRadar WinCollect Agent	IBM QRadar WinCollect Agent versions antérieures à 10.1.3
IBM	QRadar Assistant	IBM QRadar Assistant versions 1.0 à 3.5.2 antérieures à 3.6.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6980797 du 04 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6980821 du 04 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6980843 du 04 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6980799 du 04 avril 2023	None	vendor-advisory
Bulletin de sécurité IBM 6980839 du 04 avril 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar Data Synchronization App versions 1.0 \u00e0 3.1.0 ant\u00e9rieures \u00e0 3.1.1",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar Use Case Manager App versions 1.0 \u00e0 3.5.0 ant\u00e9rieures \u00e0 3.6.0",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar WinCollect Agent versions ant\u00e9rieures \u00e0 10.1.3",
      "product": {
        "name": "QRadar WinCollect Agent",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar Assistant versions 1.0 \u00e0 3.5.2 ant\u00e9rieures \u00e0 3.6.0",
      "product": {
        "name": "QRadar Assistant",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2022-31129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
    },
    {
      "name": "CVE-2022-29244",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29244"
    },
    {
      "name": "CVE-2022-24434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24434"
    },
    {
      "name": "CVE-2022-24785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
    },
    {
      "name": "CVE-2022-43880",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43880"
    },
    {
      "name": "CVE-2022-0235",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0235"
    },
    {
      "name": "CVE-2022-22313",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22313"
    },
    {
      "name": "CVE-2020-15168",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15168"
    },
    {
      "name": "CVE-2021-3765",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3765"
    },
    {
      "name": "CVE-2020-7598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
    }
  ],
  "initial_release_date": "2023-04-05T00:00:00",
  "last_revision_date": "2023-04-05T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0286",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par\nl\u0027\u00e9diteur, une ex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de\nservice \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6980797 du 04 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6980797"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6980821 du 04 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6980821"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6980843 du 04 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6980843"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6980799 du 04 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6980799"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6980839 du 04 avril 2023",
      "url": "https://www.ibm.com/support/pages/node/6980839"
    }
  ]
}

CERTFR-2022-AVI-836

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Cloud Pak	IBM Cloud Pak for Watson AIOps Infrastructure Automation versions antérieures à 3.4.2
	IBM	Spectrum	IBM Spectrum Protect Plus Affected versions 10.1.x antérieures à 10.1.12

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6621463 du 19 septembre 2022	None	vendor-advisory
Bulletin de sécurité IBM 6621311 du 19 septembre 2022	None	vendor-advisory
Bulletin de sécurité IBM 6621267 du 19 septembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cloud Pak for Watson AIOps Infrastructure Automation versions ant\u00e9rieures \u00e0 3.4.2",
      "product": {
        "name": "Cloud Pak",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Protect Plus Affected versions 10.1.x ant\u00e9rieures \u00e0 10.1.12",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-35946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35946"
    },
    {
      "name": "CVE-2022-27781",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27781"
    },
    {
      "name": "CVE-2022-33980",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-33980"
    },
    {
      "name": "CVE-2022-32208",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
    },
    {
      "name": "CVE-2022-32207",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32207"
    },
    {
      "name": "CVE-2022-27776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27776"
    },
    {
      "name": "CVE-2022-27782",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27782"
    },
    {
      "name": "CVE-2022-24434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24434"
    },
    {
      "name": "CVE-2021-22947",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22947"
    },
    {
      "name": "CVE-2022-22576",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22576"
    },
    {
      "name": "CVE-2021-22946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22946"
    },
    {
      "name": "CVE-2022-31143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31143"
    },
    {
      "name": "CVE-2022-27775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27775"
    },
    {
      "name": "CVE-2022-27774",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-27774"
    },
    {
      "name": "CVE-2022-32205",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32205"
    },
    {
      "name": "CVE-2022-35947",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35947"
    },
    {
      "name": "CVE-2022-32206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
    },
    {
      "name": "CVE-2022-31187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31187"
    },
    {
      "name": "CVE-2022-35945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35945"
    },
    {
      "name": "CVE-2022-36112",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36112"
    },
    {
      "name": "CVE-2021-22945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22945"
    }
  ],
  "initial_release_date": "2022-09-20T00:00:00",
  "last_revision_date": "2022-09-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-836",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6621463 du 19 septembre 2022",
      "url": "https://www.ibm.com/support/pages/node/6621463"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6621311 du 19 septembre 2022",
      "url": "https://www.ibm.com/support/pages/node/6621311"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6621267 du 19 septembre 2022",
      "url": "https://www.ibm.com/support/pages/node/6621267"
    }
  ]
}

CERTFR-2023-AVI-0362

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans IBM. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité, une atteinte à la confidentialité des données, une élévation de privilèges, un déni de service à distance et une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Spectrum	IBM Spectrum Virtualize versions 8.2.x antérieures à 8.2.1.17
IBM	Cognos Analytics	IBM Cognos Analytics versions 11.2.x antérieures à 11.2.4.1 IF1
IBM	Spectrum	IBM Spectrum Virtualize versions 8.5.x antérieures à 8.5.0.7 ou 8.5.2.3 ou 8.5.4.0
IBM	Spectrum	IBM Spectrum Virtualize versions 8.4.x antérieures à 8.4.0.10
IBM	Cognos Analytics	IBM Cognos Analytics versions 11.1.x antérieures à 11.1.7 FP7
IBM	N/A	IBM Cognos Analytics on Cloud Pak for Data versions 4.0.x antérieures à 4.6.5
IBM	Spectrum	IBM Spectrum Virtualize versions 8.3.x antérieures à 8.3.1.9

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6986505 du 05 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6988147 du 05 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6987769 du 02 mai 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Spectrum Virtualize versions 8.2.x ant\u00e9rieures \u00e0 8.2.1.17",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.4.1 IF1",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Virtualize versions 8.5.x ant\u00e9rieures \u00e0 8.5.0.7 ou 8.5.2.3 ou 8.5.4.0",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Virtualize versions 8.4.x ant\u00e9rieures \u00e0 8.4.0.10",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 FP7",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics on Cloud Pak for Data versions 4.0.x ant\u00e9rieures \u00e0 4.6.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Virtualize versions 8.3.x ant\u00e9rieures \u00e0 8.3.1.9",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2022-31129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
    },
    {
      "name": "CVE-2022-32213",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32213"
    },
    {
      "name": "CVE-2022-35256",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35256"
    },
    {
      "name": "CVE-2015-5237",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-5237"
    },
    {
      "name": "CVE-2022-43887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43887"
    },
    {
      "name": "CVE-2021-29469",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29469"
    },
    {
      "name": "CVE-2022-45061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
    },
    {
      "name": "CVE-2022-25647",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
    },
    {
      "name": "CVE-2022-36364",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36364"
    },
    {
      "name": "CVE-2022-39135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39135"
    },
    {
      "name": "CVE-2022-24434",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24434"
    },
    {
      "name": "CVE-2022-21680",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21680"
    },
    {
      "name": "CVE-2022-32212",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32212"
    },
    {
      "name": "CVE-2021-3516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3516"
    },
    {
      "name": "CVE-2022-24728",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24728"
    },
    {
      "name": "CVE-2022-0185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
    },
    {
      "name": "CVE-2023-30441",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-30441"
    },
    {
      "name": "CVE-2022-24729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24729"
    },
    {
      "name": "CVE-2020-7789",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7789"
    },
    {
      "name": "CVE-2022-32215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32215"
    },
    {
      "name": "CVE-2022-42004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
    },
    {
      "name": "CVE-2021-22569",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
    },
    {
      "name": "CVE-2022-43548",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
    },
    {
      "name": "CVE-2022-32214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32214"
    },
    {
      "name": "CVE-2022-38900",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
    },
    {
      "name": "CVE-2022-42003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
    },
    {
      "name": "CVE-2022-35255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35255"
    },
    {
      "name": "CVE-2022-43883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43883"
    },
    {
      "name": "CVE-2022-39160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39160"
    },
    {
      "name": "CVE-2022-34165",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34165"
    },
    {
      "name": "CVE-2021-39036",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39036"
    },
    {
      "name": "CVE-2022-3171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
    },
    {
      "name": "CVE-2022-32223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32223"
    },
    {
      "name": "CVE-2022-21681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21681"
    },
    {
      "name": "CVE-2022-41881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
    },
    {
      "name": "CVE-2020-7598",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
    },
    {
      "name": "CVE-2021-3518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3518"
    },
    {
      "name": "CVE-2022-38708",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38708"
    }
  ],
  "initial_release_date": "2023-05-09T00:00:00",
  "last_revision_date": "2023-05-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0362",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-05-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es,\nune \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une\ninjection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6986505 du 05 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6986505"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6988147 du 05 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6988147"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6987769 du 02 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6987769"
    }
  ]
}

gsd-2022-24434

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-24434

Aliases

CVE-2022-24434

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24434",
    "description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
    "id": "GSD-2022-24434"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24434"
      ],
      "details": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
      "id": "GSD-2022-24434",
      "modified": "2023-12-13T01:19:43.342164Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "report@snyk.io",
        "DATE_PUBLIC": "2022-05-20T20:00:07.054468Z",
        "ID": "CVE-2022-24434",
        "STATE": "PUBLIC",
        "TITLE": "Denial of Service (DoS)"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "dicer",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Aras Abbasi"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (DoS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://snyk.io/vuln/SNYK-JS-DICER-2311764",
            "refsource": "MISC",
            "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
          },
          {
            "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865",
            "refsource": "MISC",
            "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
          },
          {
            "name": "https://github.com/mscdex/dicer/pull/22",
            "refsource": "MISC",
            "url": "https://github.com/mscdex/dicer/pull/22"
          },
          {
            "name": "https://github.com/mscdex/busboy/issues/250",
            "refsource": "MISC",
            "url": "https://github.com/mscdex/busboy/issues/250"
          },
          {
            "name": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac",
            "refsource": "MISC",
            "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,0.3.0]",
          "affected_versions": "All versions up to 0.3.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-06-08",
          "description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
          "fixed_versions": [],
          "identifier": "CVE-2022-24434",
          "identifiers": [
            "GHSA-wm7h-9275-46v2",
            "CVE-2022-24434"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.webjars.npm/dicer",
          "pubdate": "2022-05-21",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Crash in HeaderParser in dicer",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24434",
            "https://github.com/mscdex/busboy/issues/250",
            "https://github.com/mscdex/dicer/pull/22",
            "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac",
            "https://snyk.io/vuln/SNYK-JS-DICER-2311764",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865",
            "https://github.com/advisories/GHSA-wm7h-9275-46v2"
          ],
          "uuid": "ed927602-b8aa-47f7-9f1e-1aa3a51101b9"
        },
        {
          "affected_range": "",
          "affected_versions": "All versions",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-06-07",
          "description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.",
          "fixed_versions": [],
          "identifier": "CVE-2022-24434",
          "identifiers": [
            "CVE-2022-24434",
            "GHSA-wm7h-9275-46v2"
          ],
          "not_impacted": "",
          "package_slug": "npm/dicer",
          "pubdate": "2022-05-20",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Crash in HeaderParser in dicer",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24434",
            "https://github.com/mscdex/busboy/issues/250",
            "https://github.com/mscdex/dicer/pull/22",
            "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac",
            "https://snyk.io/vuln/SNYK-JS-DICER-2311764",
            "https://github.com/advisories/GHSA-wm7h-9275-46v2"
          ],
          "uuid": "cddfc674-9ea9-47f8-8f88-48558bd6f9e5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:dicer_project:dicer:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2022-24434"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/mscdex/dicer/pull/22"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/mscdex/busboy/issues/250"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-06-07T02:04Z",
      "publishedDate": "2022-05-20T20:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-24434 (GCVE-0-2022-24434)

Vulnerability from cvelistv5

ghsa-wm7h-9275-46v2

Vulnerability from github

fkie_cve-2022-24434

Vulnerability from fkie_nvd

CERTFR-2023-AVI-0286

Vulnerability from certfr_avis

Solution

CERTFR-2022-AVI-836

Vulnerability from certfr_avis

Solution

CERTFR-2023-AVI-0362

Vulnerability from certfr_avis

Solution

gsd-2022-24434

Vulnerability from gsd

Tags

Sightings

Nomenclature