Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-1809
Publication date:
21/05/2022
Access of Uninitialized Pointer in GitHub repository radareorg/radare2 prior to 5.7.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2022

CVE-2022-31268
Publication date:
21/05/2022
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2022

CVE-2022-31267
Publication date:
21/05/2022
Gitblit 1.9.2 allows privilege escalation via the Config User Service: a control character can be placed in a profile data field, such as an emailAddress%3Atext 'attacker@example.com\n\trole = "#admin"' value.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2022-31264
Publication date:
21/05/2022
Solana solana_rbpf before 0.2.29 has an addition integer overflow via invalid ELF program headers. elf.rs has a panic via a malformed eBPF program.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2023

CVE-2022-31259
Publication date:
21/05/2022
The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control. When a /p1/p2/:name route is configured, attackers can access it by appending .xml in various places (e.g., p1.xml instead of p1).
Severity CVSS v4.0: Pending analysis
Last modification:
17/02/2023

CVE-2022-1752
Publication date:
21/05/2022
Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2022-29222
Publication date:
21/05/2022
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it doesn't posses the private key for and Pion DTLS wouldn't reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2022-29190
Publication date:
21/05/2022
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, an attacker can send packets that sends Pion DTLS into an infinite loop when processing. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2022

CVE-2022-29188
Publication date:
21/05/2022
Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by surrounding the hostname with square brackets (e.g. `[example.com]`). This only impacted the HTTP proxy functionality of Smokescreen. HTTPS requests were not impacted. Smokescreen version 0.0.4 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2022-29215
Publication date:
21/05/2022
RegionProtect is a plugin that allows users to manage certain events in certain regions of the world. Versions prior to 1.1.0 contain a YAML injection vulnerability that can cause an instant server crash if the passed arguments are not matched. Version 1.1.0 contains a patch for this issue. As a workaround, restrict operator permissions to untrusted people and avoid entering arguments likely to cause a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2022-29214
Publication date:
21/05/2022
NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2022-29189
Publication date:
21/05/2022
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, a buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or timed out. An attacker could exploit this to cause excessive memory usage. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2022
Subscribe to Vulnerabilities