CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2022-29464

Ransomware

WSO2 Multiple Products Unrestrictive Upload of File Vulnerability

Vendor: WSO2

Product: Multiple Products

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2022-26904

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-362

CVE-2022-21919

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1386

CVE-2022-0847

Linux Kernel Privilege Escalation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe."

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-665

CVE-2021-41357

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2021-40450

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2019-1003029

Jenkins Script Security Plugin Sandbox Bypass Vulnerability

Vendor: Jenkins

Product: Script Security Plugin

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox.

Required Action:

Apply updates per vendor instructions.

CVE-2018-6882

Ransomware

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2022-04-19

Due Date: 2022-05-10

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2019-3568

WhatsApp VOIP Stack Buffer Overflow Vulnerability

Vendor: Meta Platforms

Product: WhatsApp

Added: 2022-04-19

Due Date: 2022-05-10

Description:

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122

CVE-2022-22718

Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-19

Due Date: 2022-05-10

Description:

Microsoft Windows Print Spooler contains an unspecified vulnerability which allow for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2022-22960

VMware Multiple Products Privilege Escalation Vulnerability

Vendor: VMware

Product: Multiple Products

Added: 2022-04-15

Due Date: 2022-05-06

Description:

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-250

CVE-2022-1364

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2022-04-15

Due Date: 2022-05-06

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-3929

Crestron Multiple Products Command Injection Vulnerability

Vendor: Crestron

Product: Multiple Products

Added: 2022-04-15

Due Date: 2022-05-06

Description:

Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2019-16057

Ransomware

D-Link DNS-320 Remote Code Execution Vulnerability

Vendor: D-Link

Product: DNS-320 Storage Device

Added: 2022-04-15

Due Date: 2022-05-06

Description:

The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-78

CVE-2018-7841

Schneider Electric U.motion Builder SQL Injection Vulnerability

Vendor: Schneider Electric

Product: U.motion Builder

Added: 2022-04-15

Due Date: 2022-05-06

Description:

A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-89