VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202208-0633 CVE-2022-35750 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Win32k Elevation of Privilege Vulnerability. plural Microsoft Windows The product has Win32k There is a vulnerability that elevates privileges due to a flaw in.You may be elevated. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the cdd.dll driver. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Microsoft Windows Canonical Display是美国微软(Microsoft)公司的一个为GDI图形提供渲染的支撑程序. Microsoft Windows Canonical Display Driver存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows Server 2022 (Server Core installation),Windows Server 2022,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems
VAR-202208-0588 CVE-2022-35743 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. Microsoft Windows Support Diagnostic Tool (MSDT)存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
VAR-202208-0632 CVE-2022-35748 Microsoft Windows Server  Service operation interruption in  (DoS)  Vulnerability CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
HTTP.sys Denial of Service Vulnerability. Microsoft Windows Server for, HTTP.sys Service operation is interrupted due to a defect in (DoS) Vulnerability exists.Service operation interruption (DoS) It may be in a state
VAR-202208-0759 CVE-2022-35751 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Windows Hyper-V Elevation of Privilege Vulnerability. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the vhdmp.sys driver. The issue results from improper authorization logic when accessing VHD files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Microsoft Windows Hyper-V是美国微软(Microsoft)公司的一个应用程序。一种系统管理程序虚拟化技术,能够实现桌面虚拟化. Microsoft Windows Hyper-V 存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 21H1 for x64-based Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for x64-based Systems,Windows 10 Version 1809 for x64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for x64-based systems,Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation)
VAR-202208-0798 CVE-2022-35744 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability. Microsoft Windows Point-to-Point Tunneling Protocol(PPTP)是美国微软(Microsoft)公司的一种网络协议,通过在基于 TCP/IP 的数据网络上创建虚拟专用网络 (VPN),可以将数据从远程客户端安全传输到私有企业服务器. Microsoft Windows Point-to-Point Tunneling Protocol存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation)
VAR-202208-0758 CVE-2022-34713 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This vulnerability is CVE-2022-35743 Is a different vulnerability.It is possible to execute code remotely. Microsoft Windows Support Diagnostic Tool (MSDT)存在安全漏洞。以下产品和版本受到影响:Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows Server 2012,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
VAR-202208-0760 CVE-2022-35755 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
Windows Print Spooler Elevation of Privilege Vulnerability. Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation)
VAR-202208-0589 CVE-2022-35745 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Microsoft Windows Secure Socket Tunneling Protocol (SSTP)存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 21H1 for ARM64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows Server 2008 for 32-bit Systems Service Pack 2
VAR-202208-0593 CVE-2022-35758 plural  Microsoft Windows  A vulnerability in which information is disclosed in a product CVSS V2: -
CVSS V3: 5.5
Severity: MEDIUM
Windows Kernel Memory Information Disclosure Vulnerability. Microsoft Windows Kernel是美国微软(Microsoft)公司的Windows操作系统的内核. Microsoft Windows Kernel存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation)
VAR-202208-0689 CVE-2022-35757 plural  Microsoft  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.3
Severity: HIGH
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. Microsoft Windows Cloud Files Mini Filter Driver存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows Server, version 20H2 (Server Core Installation),Windows 10 Version 21H1 for ARM64-based Systems,Windows Server 2019 (Server Core installation),Windows 10 Version 21H2 for ARM64-based Systems,Windows 11 for ARM64-based Systems,Windows Server 2019,Windows 10 Version 1809 for ARM64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 11 for x64-based Systems
VAR-202208-0652 CVE-2022-35747 plural  Microsoft Windows  Service operation interruption in the product  (DoS)  Vulnerability CVSS V2: -
CVSS V3: 5.9
Severity: MEDIUM
Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability. Microsoft Windows Point-to-Point Tunneling Protocol(PPTP)是美国微软(Microsoft)公司的一种网络协议,通过在基于 TCP/IP 的数据网络上创建虚拟专用网络 (VPN),可以将数据从远程客户端安全传输到私有企业服务器. Microsoft Windows Point-to-Point Tunneling Protocol存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 8.1 for 32-bit systems
VAR-202208-0631 CVE-2022-35746 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Windows Digital Media Receiver Elevation of Privilege Vulnerability. Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统. Microsoft Windows Digital Media存在安全漏洞。以下产品和版本受到影响:Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems
VAR-202208-0807 CVE-2022-34716 .NET  and  PowerShell  Spoofed vulnerabilities in CVSS V2: -
CVSS V3: 5.9
Severity: MEDIUM
.NET Spoofing Vulnerability. 9) - aarch64, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: .NET Core 3.1 security, bug fix, and enhancement update Advisory ID: RHSA-2022:6037-01 Product: .NET Core on Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:6037 Issue date: 2022-08-10 CVE Names: CVE-2022-34716 ==================================================================== 1. Summary: An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.422 and .NET Runtime 3.1.28. Security Fix(es): * dotnet: External Entity Injection during XML signature verification (CVE-2022-34716) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2115183 - CVE-2022-34716 dotnet: External Entity Injection during XML signature verification 6. Package List: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet31-dotnet-3.1.422-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.422-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet31-dotnet-3.1.422-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.422-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet31-dotnet-3.1.422-1.el7_9.src.rpm x86_64: rh-dotnet31-aspnetcore-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-apphost-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-debuginfo-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-host-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-hostfxr-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-runtime-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-targeting-pack-3.1-3.1.28-1.el7_9.x86_64.rpm rh-dotnet31-dotnet-templates-3.1-3.1.422-1.el7_9.x86_64.rpm rh-dotnet31-netstandard-targeting-pack-2.1-3.1.422-1.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-34716 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYvOfQ9zjgjWX9erEAQgz/BAApIpyQHcvY4oKILJFLse9IV0BiE2IdfKd tz8I4vsvlDtzn9+XcaVXPplZJioG+kXvLQYCWyP3pZT0jMEa7tg+HHaw+DiQPkP5 EapqguieJRDZ+fk45OvFLiXECSEGlPBOeyMb67CjtDHIFiqT9PypfOXQbLtiPVGA 8XAHZgnjnlg/2TsQgQJCjEOKE8pYduTo0+XJVXDpwleQ6KpZT2RcxWdV8MdL7Qy2 689jzxUU5pdepUlB6VHO9pw37BDsvpKhrOjB1DBLQzFOHVQNoRRjn4tPXWs1oCs6 ChEO9w9/sZVSRhoLYapbnIs1lDKE9OKxjFFPXvcRIDyCVm3gEE/HlIDtFiHuXKMK oVK87SBGqM1ZlDvhZcT10JTlZ7TESmjJuiuNqYKT4SHEA54zgHdGMlG+ouEuogRW LaFiwE5A7nh3hofjkmpRQVa6VP13lfZ36/m7ODlWpFqWlhGtvgGwV+CiuPvMX5vw KX56kAIJhuhLniiP2eDko7cs0Y4gdcmGGJjmTTD08qEDnAcV5CgSns9skixKZN6s 3LaVKBkeELyo6kxp6ckGuIE7Qgbw+zxdX3OZSRIT0Eh3Pkyg7fjdCHm7/kLXZJEg I5UbZ5DGm64jrwldInXGto3I0z5Dh4j3rVqQRKYy7F1qEfvUz9sITXpjhj5P1AS9 SfnD49PWESw=gIlP -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (6.0.108)
VAR-202208-0592 CVE-2022-35756 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Windows Kerberos Elevation of Privilege Vulnerability. Microsoft Windows Kerberos是美国微软(Microsoft)公司的一个用于在网络集群中进行身份验证的软件。Kerberos 同时作为一种网络认证协议,其设计目标是通过密钥系统为客户机/服务器应用程序提供强大的认证服务. Microsoft Windows Kerberos存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems
VAR-202208-0591 CVE-2022-35754 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 6.7
Severity: MEDIUM
Unified Write Filter Elevation of Privilege Vulnerability. Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统. Microsoft Windows Unified Write Filter存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows 11 for x64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 10 for x64-based Systems,Windows Server 2016 (Server Core installation),Windows 10 Version 20H2 for 32-bit Systems,Windows Server 2019,Windows 10 Version 1607 for x64-based Systems,Windows 8.1 for x64-based systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 8.1 for 32-bit systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows RT 8.1,Windows 10 Version 21H1 for ARM64-based Systems,Windows Server 2019 (Server Core installation),Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows Server 2016,Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2 (Server Core installation),Windows 10 Version 21H2 for x64-based Systems,Windows Server 2012 R2,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows 11 for ARM64-based Systems
VAR-202208-0590 CVE-2022-35752 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Microsoft Windows Point-to-Point Tunneling Protocol(PPTP)是美国微软(Microsoft)公司的一种网络协议,通过在基于 TCP/IP 的数据网络上创建虚拟专用网络 (VPN),可以将数据从远程客户端安全传输到私有企业服务器. Microsoft Windows Point-to-Point Tunneling Protocol 存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems
VAR-202208-0654 CVE-2022-35753 plural  Microsoft Windows  Remote code execution vulnerability in product CVSS V2: -
CVSS V3: 8.1
Severity: HIGH
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Microsoft Windows Point-to-Point Tunneling Protocol(PPTP)是美国微软(Microsoft)公司的一种网络协议,通过在基于 TCP/IP 的数据网络上创建虚拟专用网络 (VPN),可以将数据从远程客户端安全传输到私有企业服务器. Microsoft Windows Point-to-Point Tunneling Protocol 存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems
VAR-202208-0596 CVE-2022-35759 plural  Microsoft Windows  Service operation interruption in the product  (DoS)  Vulnerability CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
Windows Local Security Authority (LSA) Denial of Service Vulnerability. Microsoft Windows Local Security Authority (LSA)存在安全漏洞。以下产品和版本受到影响:Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2,Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 1607 for x64-based Systems,Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows 10 Version 1607 for 32-bit Systems
VAR-202208-0688 CVE-2022-35749 plural  Microsoft Windows  Elevated privilege vulnerabilities in products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Windows Digital Media Receiver Elevation of Privilege Vulnerability. Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统. Microsoft Windows Digital Media存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows RT 8.1,Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation)
VAR-202208-0557 CVE-2021-41615 Embedthis Software, LLC  of  GoAhead  Vulnerability regarding lack of entropy in CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected. Embedthis Software, LLC of GoAhead Exists in a vulnerability related to lack of entropy.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Embedthis Software GoAhead is an open source small embedded Web server from Embedthis Software in the United States. Embedthis Software GoAhead WebServer version 2.1.8 has a security vulnerability