Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-46365

Summary
Assigner-apache
Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At-01 May, 2023 | 14:53
Updated At-15 Oct, 2024 | 16:43
Rejected At-
Credits

Apache StreamPark (incubating): Logic error causing any account reset

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:apache
Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At:01 May, 2023 | 14:53
Updated At:15 Oct, 2024 | 16:43
Rejected At:
▼CVE Numbering Authority (CNA)
Apache StreamPark (incubating): Logic error causing any account reset

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Affected Products
Vendor
The Apache Software FoundationApache Software Foundation
Product
Apache StreamPark (incubating)
Default Status
unaffected
Versions
Affected
  • From 1.0.0 before 2.0.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20 Improper Input Validation
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Textual description of severity
text:
important
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
vendor-advisory
Hyperlink: https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
vendor-advisory
x_transferred
Hyperlink: https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
Resource:
vendor-advisory
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Vendor
The Apache Software Foundationapache
Product
streampark
CPEs
  • cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 1.0.0 before 2.0.0 (custom)
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@apache.org
Published At:01 May, 2023 | 15:15
Updated At:15 Oct, 2024 | 17:35

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Secondary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CPE Matches
The Apache Software Foundation
apache
>>streampark>>Versions from 1.0.0(inclusive) to 2.0.0(exclusive)
cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-20Secondarysecurity@apache.org
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-20
Type: Secondary
Source: security@apache.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7hsecurity@apache.org
Mailing List
Hyperlink: https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
Source: security@apache.org
Resource:
Mailing List

Change History

0
Information is not available yet

Similar CVEs

257Records found
CVE-2021-46762
Matching Score-4
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-4
Assigner-Advanced Micro Devices Inc.
CVSS Score-3.9||LOW
EPSS-0.03% / 5.51%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 18:36
Updated-28 Jan, 2025 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient input validation in the SMU may allow an attacker to corrupt SMU SRAM potentially leading to a loss of integrity or denial of service.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.
Product-epyc_7543epyc_7502_firmwareepyc_7402epyc_7262_firmwareepyc_7443_firmwareepyc_7402pepyc_7343epyc_7252_firmwareepyc_7543_firmwareepyc_7282_firmwareepyc_7542_firmwareepyc_7f32epyc_7763_firmwareepyc_7272_firmwareepyc_7573xepyc_7713pepyc_7443epyc_7513epyc_7313p_firmwareepyc_7252epyc_7502pepyc_7232p_firmwareepyc_7702epyc_7302p_firmwareepyc_7453epyc_7642_firmwareepyc_7452epyc_7373xepyc_7h12epyc_7513_firmwareepyc_7543p_firmwareepyc_7542epyc_7302epyc_7413_firmwareepyc_7h12_firmwareepyc_7232pepyc_7643_firmwareepyc_7f52epyc_7663epyc_7773x_firmwareepyc_75f3epyc_7552_firmwareepyc_7373x_firmwareepyc_72f3_firmwareepyc_7f72epyc_7f32_firmwareepyc_7662epyc_7502epyc_75f3_firmwareepyc_7662_firmwareepyc_7f72_firmwareepyc_7642epyc_7473xepyc_7473x_firmwareepyc_7343_firmwareepyc_7532_firmwareepyc_7502p_firmwareepyc_7413epyc_7313pepyc_7313epyc_7663_firmwareepyc_7573x_firmwareepyc_7552epyc_7302pepyc_7702p_firmwareepyc_74f3_firmwareepyc_7352epyc_7763epyc_7302_firmwareepyc_7713_firmwareepyc_7402_firmwareepyc_7742epyc_7713p_firmwareepyc_7272epyc_73f3_firmwareepyc_7702pepyc_7f52_firmwareepyc_7262epyc_7713epyc_7443p_firmwareepyc_7773xepyc_72f3epyc_7643epyc_7402p_firmwareepyc_7452_firmwareepyc_7313_firmwareepyc_7543pepyc_7443pepyc_7742_firmwareepyc_7453_firmwareepyc_7282epyc_7702_firmwareepyc_74f3epyc_7352_firmwareepyc_7532epyc_73f3AMD EPYC™ Embedded 7002AMD EPYC™ Embedded 70033rd Gen AMD EPYC™2nd Gen AMD EPYC™
CWE ID-CWE-20
Improper Input Validation
CVE-2021-46756
Matching Score-4
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-4
Assigner-Advanced Micro Devices Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.11% / 30.84%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 19:00
Updated-28 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient validation of inputs in SVC_MAP_USER_STACK in the ASP (AMD Secure Processor) bootloader may allow an attacker with a malicious Uapp or ABL to send malformed or invalid syscall to the bootloader resulting in a potential denial of service and loss of integrity.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.
Product-epyc_72f3_firmwareepyc_7443pepyc_7301_firmwareepyc_7451_firmwareepyc_7552_firmwareepyc_7451epyc_7282_firmwareepyc_7742_firmwareepyc_7371epyc_7773xepyc_7f72_firmwareepyc_7413epyc_7532epyc_7313p_firmwareepyc_7702p_firmwareepyc_7663epyc_7551epyc_7h12epyc_7301epyc_7453epyc_73f3_firmwareepyc_7401epyc_7f52epyc_7543_firmwareepyc_7f32epyc_7402pepyc_7552epyc_7261_firmwareepyc_73f3epyc_74f3_firmwareepyc_7252epyc_7571_firmwareepyc_7402_firmwareepyc_7351_firmwareepyc_7642_firmwareepyc_75f3_firmwareepyc_7262_firmwareepyc_7343epyc_7351epyc_7542epyc_7642epyc_7443_firmwareepyc_7272_firmwareepyc_7501epyc_7302epyc_7f32_firmwareepyc_7763_firmwareepyc_7573x_firmwareepyc_7401p_firmwareepyc_7252_firmwareepyc_7473x_firmwareepyc_7352epyc_7643_firmwareepyc_7401_firmwareepyc_7662epyc_7473xepyc_7232pepyc_7532_firmwareepyc_7453_firmwareepyc_7351p_firmwareepyc_7551pepyc_7501_firmwareepyc_7713p_firmwareepyc_7302_firmwareepyc_7702_firmwareepyc_7742epyc_72f3epyc_7f52_firmwareepyc_7543pepyc_7502epyc_7452epyc_7601_firmwareepyc_7513epyc_7302pepyc_7763epyc_7413_firmwareepyc_74f3epyc_7502_firmwareepyc_7402p_firmwareepyc_7713pepyc_7251epyc_7402epyc_7643epyc_7551_firmwareepyc_7313epyc_7232p_firmwareepyc_7443epyc_7302p_firmwareepyc_7261epyc_7551p_firmwareepyc_7663_firmwareepyc_7352_firmwareepyc_7543epyc_7281epyc_7502p_firmwareepyc_7713_firmwareepyc_7371_firmwareepyc_7713epyc_7281_firmwareepyc_7571epyc_7702epyc_7702pepyc_75f3epyc_7313pepyc_7251_firmwareepyc_7351pepyc_7773x_firmwareepyc_7313_firmwareepyc_7573xepyc_7502pepyc_7h12_firmwareepyc_7452_firmwareepyc_7401pepyc_7543p_firmwareepyc_7282epyc_7272epyc_7513_firmwareepyc_7373xepyc_7662_firmwareepyc_7542_firmwareepyc_7f72epyc_7343_firmwareepyc_7443p_firmwareepyc_7373x_firmwareepyc_7601epyc_72621st Gen AMD EPYC™ Processors2nd Gen AMD EPYC™ ProcessorsAthlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Dali”/”Dali” ULP3rd Gen AMD Ryzen™ Threadripper™ Processors “Castle Peak” HEDTRyzen™ 3000 Series Mobile processor, 2nd Gen AMD Ryzen™ Mobile Processors with Radeon™ Graphics “Picasso”Ryzen™ 3000 Series Desktop Processors “Matisse” AM4Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Pollock”Ryzen™ 2000 Series Desktop Processors “Pinnacle Ridge”Ryzen™ Threadripper™ PRO Processors “Castle Peak” WSRyzen™ 2000 Series Mobile Processors “Raven Ridge” FP5Ryzen™ 5000 Series Desktop processor with Radeon™ Graphics “Cezanne” AM42nd Gen AMD Ryzen™ Threadripper™ Processors “Colfax”3rd Gen AMD EPYC™ ProcessorsRyzen™ 2000 series Desktop Processors “Raven Ridge” AM4Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics “Renoir” AMD Ryzen™ 5000 Series Desktop Processors “Vermeer” AM4Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics “Lucienne”Ryzen™ 5000 Series Mobile processors with Radeon™ Graphics “Cezanne”
CWE ID-CWE-20
Improper Input Validation
CVE-2023-42798
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.11% / 29.47%
||
7 Day CHG~0.00%
Published-22 Sep, 2023 | 15:13
Updated-24 Sep, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutomataCI Release Job Can Revert Repo to First Commit

AutomataCI is a template git repository equipped with a native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the `PROJECT_PATH_RELEASE` (e.g. `releases/`) directory is manually and actually `git cloned` properly, making it a different git repostiory from the root git repository.

Action-Not Available
Vendor-hollowaykeanhoChewKeanHo
Product-automataciAutomataCI
CWE ID-CWE-20
Improper Input Validation
CVE-2023-39529
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.61% / 68.94%
||
7 Day CHG+0.14%
Published-07 Aug, 2023 | 20:37
Updated-03 Oct, 2024 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PrestaShop vulnerable to file deletion via attachment API

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Action-Not Available
Vendor-PrestaShop S.A
Product-prestashopPrestaShop
CWE ID-CWE-20
Improper Input Validation
CVE-2019-16029
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.2||HIGH
EPSS-0.49% / 64.60%
||
7 Day CHG~0.00%
Published-26 Jan, 2020 | 04:31
Updated-15 Nov, 2024 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Smart Software Manager On-Prem Web Interface Denial of Service Vulnerability

A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. The vulnerability is due to the lack of input validation in the API. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to change or corrupt user account information which could grant the attacker administrator access or prevent legitimate user access to the web interface, resulting in a denial of service (DoS) condition.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-smart_software_manager_on-premCisco Smart Software Manager On-Prem
CWE ID-CWE-20
Improper Input Validation
CVE-2018-7237
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.1||CRITICAL
EPSS-0.53% / 66.18%
||
7 Day CHG~0.00%
Published-09 Mar, 2018 | 23:00
Updated-16 Sep, 2024 | 23:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow a remote attacker to delete arbitrary system file due to lack of validation of the /login/bin/set_param to the file name with the value of 'system.delete.sd_file'

Action-Not Available
Vendor-
Product-imp519-1er_firmwareibp319-1erimp319-1erimps110-1eibp519-1er_firmwareimp1110-1er_firmwareimps110-1eribp1110-1erimp519-1_firmwareimp519-1ibps110-1er_firmwareimp219-1_firmwareimp319-1_firmwareimps110-1er_firmwareimp219-1erimp319-1mps110-1ibp319-1er_firmwareimp319-1er_firmwareimps110-1e_firmwareimp219-1e_firmwareimp219-1eibp219-1erimp1110-1e_firmwareimp1110-1_firmwareimp519-1eimp319-1e_firmwareimp1110-1erimp219-1ibp219-1er_firmwareimp519-1erimp1110-1eimp319-1eibp1110-1er_firmwareibps110-1erimp219-1er_firmwareimp519-1e_firmwareimp1110-1ibp519-1ermps110-1_firmwarePelco Sarix Professional
CWE ID-CWE-20
Improper Input Validation
CVE-2018-19945
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.40% / 59.82%
||
7 Day CHG~0.00%
Published-31 Dec, 2020 | 16:33
Updated-17 Sep, 2024 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Limitation of a Pathname to a Restricted Directory in QTS

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qtsQTS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-20
Improper Input Validation
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found