The Consensus Security Vulnerability Alert

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.CVE-2022-47986 - IBM Aspera Faspex 4.4.1 has a YAML deserialization flaw allowing remote code execution via an obsolete API call.Product: IBM Aspera FaspexCVSS Score: 0** KEV since 2023-02-21 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47986ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8432CVE-2022-3686 - A vulnerability exists in a SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, the SDM600 web services become busy rendering the application unresponsive. This issue affects: All SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291)Product: Hitachi Energy SDM600CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3686NVD References: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000138&LanguageCode=en&DocumentPartId=&Action=LaunchCVE-2023-28326 - Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any roomProduct: Apache OpenMeetingsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28326NVD References: https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9CVE-2023-27821 - Databasir v1.0.7 was discovered to contain a remote code execution (RCE) vulnerability via the mockDataScript parameter.Product: Databasir CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27821NVD References: - https://github.com/luelueking/Databasir-1.0.7-vuln-poc- https://github.com/vran-dev/databasir/issues/269CVE-2022-0194 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.Product: Netatalk Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0194NVD References: - https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html- https://www.zerodayinitiative.com/advisories/ZDI-22-530/CVE-2022-23121 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.Product: Netatalk Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23121NVD References: - https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html- https://www.zerodayinitiative.com/advisories/ZDI-22-527/CVE-2022-23122 - This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.Product: Netatalk Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23122NVD References: - https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html- https://www.zerodayinitiative.com/advisories/ZDI-22-529/CVE-2022-23123 - This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.Product: Netatalk Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23123NVD References: - https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html- https://www.zerodayinitiative.com/advisories/ZDI-22-528/CVE-2022-23124 - This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the …