CVE-2022-22827 | libexpat1 (CWE-190)

[fleimkeipa]

A high severity vulnerability has been discovered in your project.

Project Name: tesTrivy1

Scanner Name: trivy

Cwe ID: 190

Cwe Name: Integer Overflow of Wraparound

Cwe Link: https://cwe.mitre.org/data/definitions/190.html

CVE ID: CVE-2022-22827

Target: kondukto/nodejsscan:v0.2.8 (debian 10.10)

Packages:

• libexpat1 : 2.2.6-2+deb10u1 - Fixed Version: 2.2.6-2+deb10u2

References:

• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
• [CVE-2022-22822 to CVE-2022-22827] lib: Prevent more integer overflows libexpat/libexpat#539
• https://linux.oracle.com/cve/CVE-2022-22827.html
• https://linux.oracle.com/errata/ELSA-2022-0951.html
• https://ubuntu.com/security/notices/USN-5288-1
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

Training(Secure Code Warrior):

• Name: Integer Overflow or Wraparound

• Description: The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/website-trial/web/memory/integer

• Videos:

  • https://media.securecodewarrior.com/v2/Module_51_Integer_Overflow_v2.mp4

Tool Description: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Custom Description: sdaadadad