Total
224 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-41881 | 2 Debian, Netty | 2 Debian Linux, Netty | 2023-12-10 | N/A | 7.5 HIGH |
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. | |||||
CVE-2021-36395 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 7.5 HIGH |
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. | |||||
CVE-2022-23516 | 1 Loofah Project | 1 Loofah | 2023-12-10 | N/A | 7.5 HIGH |
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. | |||||
CVE-2022-47662 | 1 Gpac | 1 Gpac | 2023-12-10 | N/A | 5.5 MEDIUM |
GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662 | |||||
CVE-2022-41966 | 1 Xstream Project | 1 Xstream | 2023-12-10 | N/A | 7.5 HIGH |
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable. | |||||
CVE-2022-23500 | 1 Typo3 | 1 Typo3 | 2023-12-10 | N/A | 7.5 HIGH |
TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in CVE-2021-21359. This issue is patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1. | |||||
CVE-2023-22617 | 1 Powerdns | 1 Recursor | 2023-12-10 | N/A | 7.5 HIGH |
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1. | |||||
CVE-2022-37034 | 1 Dotcms | 1 Dotcms | 2023-12-10 | N/A | 5.3 MEDIUM |
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests. | |||||
CVE-2019-10761 | 1 Vm2 Project | 1 Vm2 | 2023-12-10 | N/A | 8.3 HIGH |
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code. | |||||
CVE-2022-37315 | 1 Graphql-go Project | 1 Graphql-go | 2023-12-10 | N/A | 7.5 HIGH |
graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser. | |||||
CVE-2022-31173 | 1 Juniper Project | 1 Juniper | 2023-12-10 | N/A | 7.5 HIGH |
Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually. | |||||
CVE-2022-30633 | 1 Golang | 1 Go | 2023-12-10 | N/A | 7.5 HIGH |
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | |||||
CVE-2022-30630 | 1 Golang | 1 Go | 2023-12-10 | N/A | 7.5 HIGH |
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | |||||
CVE-2022-1962 | 1 Golang | 1 Go | 2023-12-10 | N/A | 5.5 MEDIUM |
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | |||||
CVE-2022-30632 | 1 Golang | 1 Go | 2023-12-10 | N/A | 7.5 HIGH |
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | |||||
CVE-2022-30635 | 1 Golang | 1 Go | 2023-12-10 | N/A | 7.5 HIGH |
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | |||||
CVE-2022-28201 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-12-10 | N/A | 4.4 MEDIUM |
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message. | |||||
CVE-2022-38334 | 1 Xpdfreader | 1 Xpdf | 2023-12-10 | N/A | 5.5 MEDIUM |
XPDF v4.04 and earlier was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc. | |||||
CVE-2022-3216 | 1 Nintendo | 2 Game Boy Color, Game Boy Color Firmware | 2023-12-10 | N/A | 8.8 HIGH |
A vulnerability has been found in Nintendo Game Boy Color and classified as problematic. This vulnerability affects unknown code of the component Mobile Adapter GB. The manipulation leads to memory corruption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-208606 is the identifier assigned to this vulnerability. | |||||
CVE-2022-27810 | 1 Facebook | 1 Hermes | 2023-12-10 | N/A | 7.5 HIGH |
It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0. |