CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2014-0322

Microsoft Internet Explorer Use-After-Free Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2014-0160

OpenSSL Information Disclosure Vulnerability

Vendor: OpenSSL

Product: OpenSSL

Added: 2022-05-04

Due Date: 2022-05-25

Description:

The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-125

CVE-2022-29464

Ransomware

WSO2 Multiple Products Unrestrictive Upload of File Vulnerability

Vendor: WSO2

Product: Multiple Products

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2022-26904

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-362

CVE-2022-21919

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1386

CVE-2022-0847

Linux Kernel Privilege Escalation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe."

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-665

CVE-2021-41357

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2021-40450

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2019-1003029

Jenkins Script Security Plugin Sandbox Bypass Vulnerability

Vendor: Jenkins

Product: Script Security Plugin

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox.

Required Action:

Apply updates per vendor instructions.

CVE-2018-6882

Ransomware

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2022-04-19

Due Date: 2022-05-10

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2019-3568

WhatsApp VOIP Stack Buffer Overflow Vulnerability

Vendor: Meta Platforms

Product: WhatsApp

Added: 2022-04-19

Due Date: 2022-05-10

Description:

A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122

CVE-2022-22718

Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-19

Due Date: 2022-05-10

Description:

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2022-22960

VMware Multiple Products Privilege Escalation Vulnerability

Vendor: VMware

Product: Multiple Products

Added: 2022-04-15

Due Date: 2022-05-06

Description:

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-250

CVE-2022-1364

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2022-04-15

Due Date: 2022-05-06

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-3929

Crestron Multiple Products Command Injection Vulnerability

Vendor: Crestron

Product: Multiple Products

Added: 2022-04-15

Due Date: 2022-05-06

Description:

Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79