Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-0721
Publication date:
23/02/2022
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-0719
Publication date:
23/02/2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-0736
Publication date:
23/02/2022
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2023

CVE-2022-0717
Publication date:
23/02/2022
Out-of-bounds Read in GitHub repository mruby/mruby prior to 3.2.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-0654
Publication date:
23/02/2022
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-23612
Publication date:
22/02/2022
OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` & `/initfilter/scripts`. This can allow an attacker to access any file on a system running OpenMRS that is accessible to the user id OpenMRS is running under. Affected implementations should update to the latest patch version of OpenMRS Core for the minor version they use. These are: 2.1.5, 2.2.1, 2.3.5, 2.4.5 and 2.5.3. As a general rule, this vulnerability is already mitigated by Tomcat's URL normalization in Tomcat 7.0.28+. Users on older versions of Tomcat should consider upgrading their Tomcat instance as well as their OpenMRS instance.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-21655
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn off internal redirects if direct response entries are configured on the same listener.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-23606
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-21654
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-21657
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2022

CVE-2022-21656
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name. This confusion allows for the bypassing of nameConstraints, as processed by the underlying OpenSSL/BoringSSL implementation, exposing the possibility of impersonation of arbitrary servers. As a result Envoy will trust upstream certificates that should not be trusted.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2021-43826
Publication date:
22/02/2022
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:`upstream tunneling ` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. There are no workarounds for this issue. Users are advised to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022
Subscribe to Vulnerabilities