several recently identified vulnerabilities:
- In the Visual Studio Code (vs code) editor, critical vault a a of > (CVE-2022-41034), which allows you to organize the performance of the code when the user opened the link prepared by the attacker. The code can be made both on a computer with VS CODE and on any other computers connected to VS Code using the Remote Development function. The problem is the greatest danger for users of Web version of VS Code and Web editors on its basis, including Github Codespaces and Github.dev. Shell team, when processing specially executed documents in the JYPITER NOTEBOOK format, loaded from a Web server controlled by the attacking (external files with the extension “.Ipynb” without additional confirmation are opened in “Istrusted” mode, allowing the processing “Command:”) .
- In the text editor GNU Emacs revealed Vulnerability (CVE-2022-45939), which allows you to organize the execution of commands When opening a file with a code, through the substitution of special systems in a name processed using the CTAGS tools.
- In the open platform of data visualization of Grafana revealed vulnerability (CVE-2022-31097), which allows to achieve the execution of the JavaScript code when displaying the notification through the Grafana Alerting system. An attacker with the rights of the editor (Editor) can prepare a specially executed link and gain access to the Grafana interface with the rights of the administrator in the event of an administrator crossing this link. Vulnerability is eliminated in the issues of Grafana 9.2.7, 9.3.0, 9.0.3, 8.5.9, 8.4.10 and 8.3.10.
- vulnerability (cve-2022-46146) in the library Exporter-toolkit used to create export modules for Prometheus. The problem allows you to get around the BASIC authentication.
- vulnerability (CVE-2022-44635) in the platform for creating financial services
Apache finerate , which allows a non -assumption user to achieve remote code execution. The problem is caused by the lack of proper shielding of characters “..” In the paths processed by the component to download files. Vulnerability is eliminated in the issues of Apache Finract 1.7.1 and 1.8.1. - vulnerability (cve-2022-46366) in the Java frame apache tapestry , which allows you to achieve your code in the deserization of specially designed data. The problem is manifested only in the old Apache Tapestry 3.x branch, which is no longer supported.
- Vulnerability in the providers Apache Airlfow to hive
/Media reports cited above.