OS command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.

A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

A default erlang cluster node cookie in Apache CouchDB allows attackers to access, gain admin privileges and execute system commands with couchdb user privileges.

An authentication bypass vulnerability present in com.vmware.vcops.ui.util.MainPortalFilter class, an information disclosure vulnerability present in com.vmware.vcops.ui.action.SupportLogsAction and a local privilege escalation in the generateSupportBundle.py script; allows unauthenticated remote attackers to execute system commands as root in VMware vRealize Operations Manager by using a dashboard shared link.

An authentication bypass in OAuth2TokenResourceController access control service, a JDBC injection that allows remote code execution in DBConnectionCheckController dbCheck and a local privilege escalation via publishCaCert.hzn and gatherConfig.hzn; allows unauthenticated remote attackers to execute system commands as root.

There is an integer overflow in the BaseSrvActivationContextCacheDuplicateUnicodeString function in the sxssrv.dll module of the CSRSS process.

The vulnerable function can be accessed from the BaseSrvSxsCreateActivationContextFromMessage CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, so by default it is impossible to pass a large enough UNICODE_STRING to CSRSS. Fortunately, the section size is controlled entirely by the client process, and if an attacker can modify ntdll! CsrpConnectToServer early enough during the start of the process, you'll be able to pass strings larger than 0x10000 in size.

A java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510 allows unauthenticated attackers to send crafted XML-RPC requests with malicious serialized data to execute system commands as SYSTEM.

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system

Microsoft Windows SMBv3 suffers from a null pointer dereference in versions of Windows prior to the April, 2022 patch set. By sending a malformed FileNormalizedNameInformation SMBv3 request over a named pipe, an attacker can cause a Blue Screen of Death (BSOD) crash of the Windows kernel. For most systems, this attack requires authentication, except in the special case of Windows Domain Controllers, where unauthenticated users can always open named pipes as long as they can establish an SMB session. Typically, after the BSOD, the victim SMBv3 server will reboot.

The vulnerability allowed a local low-privileged user to execute arbitrary Powershell as SYSTEM due to improper file permission assignment.