Fedoraproject Fedora vulnerabilities
5,277 known vulnerabilities affecting fedoraproject/fedora.
Total CVEs: 5,277
CISA KEV: 84 (actively exploited)
Public exploits: 147
Exploited in wild: 101
Severity breakdown
CRITICAL: 514, HIGH: 2325, MEDIUM: 2265, LOW: 173
Vulnerabilities
CVE-2022-3049 [HIGH] CVSS 8.8, CWE-362, v37, 2022-09-26
Use after free in SplitScreen in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2022-3053 [MEDIUM] CVSS 4.3, v37, 2022-09-26
Inappropriate implementation in Pointer Lock in Google Chrome on Mac prior to 105.0.5195.52 allowed a remote attacker to restrict user navigation via a crafted HTML page.
nvd
CVE-2022-3047 [MEDIUM] CVSS 6.5, CWE-602, v37, 2022-09-26
Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.
nvd
CVE-2022-2860 [MEDIUM] CVSS 6.5, v37, 2022-09-26
Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.101 allowed a remote attacker to bypass cookie prefix restrictions via a crafted HTML page.
nvd
CVE-2022-3201 [MEDIUM] CVSS 5.4, CWE-20, v37, 2022-09-26
Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2022-3048 [MEDIUM] CVSS 6.8, CWE-863, v37, 2022-09-26
Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device.
nvd
CVE-2022-2861 [MEDIUM] CVSS 6.5, CWE-79, v37, 2022-09-26
Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into WebUI via a crafted HTML page.
nvd
CVE-2022-3044 [MEDIUM] CVSS 6.5, CWE-693, v37, 2022-09-26
Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
nvd
CVE-2022-3056 [MEDIUM] CVSS 6.5, CWE-693, v37, 2022-09-26
Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2022-2856 [MEDIUM] CVSS 6.5, KEV, CWE-20, v37, 2022-09-26
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
nvd
CVE-2022-3054 [MEDIUM] CVSS 6.5, v37, 2022-09-26
Insufficient policy enforcement in DevTools in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2022-3057 [MEDIUM] CVSS 6.5, CWE-352, v37, 2022-09-26
Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2022-3297 [HIGH] CVSS 7.8, CWE-416, v35, v36 +1 more, 2022-09-25
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
nvd
CVE-2022-3296 [HIGH] CVSS 7.8, CWE-121, v35, v36 +1 more, 2022-09-25
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
nvd
CVE-2022-35951 [CRITICAL] CVSS 9.8, CWE-190, v37, 2022-09-23
Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code executi
nvd
CVE-2022-36944 [CRITICAL] CVSS 9.8, CWE-502, v35, v36, 2022-09-23
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specific
nvd
CVE-2022-41322 [HIGH] CVSS 7.8, CWE-116, v36, v37, 2022-09-23
In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.
nvd
CVE-2022-40188 [HIGH] CVSS 7.5, CWE-407, v35, v36 +1 more, 2022-09-23
Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.
nvd
CVE-2022-3278 [MEDIUM] CVSS 5.5, CWE-476, v35, v36 +1 more, 2022-09-23
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
nvd
CVE-2022-1941 [HIGH] CVSS 7.5, CWE-1286, v36, v37, 2022-09-22
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple
nvd