Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-24724

Publication date:

03/03/2022

cmark-gfm is GitHub&#39;s extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm&#39;s table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who&#39;s marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-25125

Publication date:

03/03/2022

MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.

Severity CVSS v4.0: Pending analysis

Last modification:

09/03/2022

CVE-2022-23899

Publication date:

03/03/2022

MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.

Severity CVSS v4.0: Pending analysis

Last modification:

09/03/2022

CVE-2022-23898

Publication date:

03/03/2022

MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.

Severity CVSS v4.0: Pending analysis

Last modification:

09/03/2022

CVE-2022-22700

Publication date:

03/03/2022

CyberArk Identity versions up to and including 22.1 in the &#39;StartAuthentication&#39; resource, exposes the response header &#39;X-CFY-TX-TM&#39;. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

Severity CVSS v4.0: Pending analysis

Last modification:

09/03/2022

CVE-2021-3620

Publication date:

03/03/2022

A flaw was found in Ansible Engine&#39;s ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

Severity CVSS v4.0: Pending analysis

Last modification:

28/12/2023

CVE-2021-3602

Publication date:

03/03/2022

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Severity CVSS v4.0: Pending analysis

Last modification:

24/10/2022

CVE-2022-0492

Publication date:

03/03/2022

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

Severity CVSS v4.0: Pending analysis

Last modification:

07/12/2023

CVE-2021-3609

Publication date:

03/03/2022

.A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

Severity CVSS v4.0: Pending analysis

Last modification:

11/08/2023

CVE-2022-26129

Publication date:

03/03/2022

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

Severity CVSS v4.0: Pending analysis

Last modification:

03/07/2024

CVE-2022-26126

Publication date:

03/03/2022

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

Severity CVSS v4.0: Pending analysis

Last modification:

28/04/2024