Pexip security bulletins

The following security bulletins are published by Pexip for issues affecting Pexip Infinity and the Pexip Connect apps.

Please contact your Pexip authorized support representative for more information about these issues. This list covers issues addressed in v29.0 and later. For issues addressed in v28.x or earlier, see our documentation for previous releases.

More information specific for each of the vulnerabilities can be found via the NIST National Vulnerability Database: http://nvd.nist.gov/.

Pexip Infinity

Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

In the table below, "Severity" reflects the severity of the issue as calculated from the CVSS Base Score. "Risk" reflects the risk associated with each vulnerability in the context of the Pexip Infinity product environment.

Reference Description Severity Risk Updated Impacted versions Addressed in version
CVE-2023-31455

Insufficient input validation in the RTCP implementation allows a remote attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Discussion: A crafted RTCP payload allows a remote attacker to trigger a software abort resulting in a denial of service.

Mitigation: None

Resolution: Upgrade to Pexip Infinity 31.2

High High June 2023 All before 31.2 31.2
CVE-2023-31289

Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to v31.2

High High May 2023 1 through 31.1 31.2
CVE-2023-22809

The sudoedit command mishandles extra arguments, allowing a local attacker to append arbitrary entries to the list of files to process, leading to privilege escalation.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: The sole non-system user account ("admin") is explicitly given privileges to allow escalation via sudo. Therefore, this vulnerability is only relevant as a mechanism to potentially escalate privileges after exploiting some other vulnerability to gain access to the system as an unprivileged user.

Resolution: Upgrade to Pexip Infinity v31.1

High Medium March 2023 All before 31.0 31.1
CVE-2023-0286

A type confusion vulnerability in the OpenSSL cryptography library allows an attacker to read memory contents or cause a software abort when CRL checking is enabled.

CVSS 3.1 base score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)

Mitigation: No software shipped as part of Pexip Infinity is configured to use CRLs (as Infinity uses OCSP instead), therefore this vulnerability is only relevant if unsupported configuration or software changes have been made.

Resolution: Upgrade to Pexip Infinity v31.1

High

None March 2023 All before 31.0 31.1
CVE-2023-0215

Resource mismanagement in the OpenSSL cryptography library allows an attacker to trigger a use after free when processing ASN.1 data leading to a software abort.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v31.1

High

None March 2023 All before 31.0 31.1
CVE-2022-40617

The strongSwan IPsec implementation allows remote attackers to cause a denial of service.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Strongswan is configured to only permit tunnel establishment by other nodes in the deployment. Further, ISAKMP traffic is restricted by the firewall such that traffic from source addresses outside the deployment is rejected.

Resolution: Upgrade to Pexip Infinity v31.1

High

Medium March 2023 All before 31.0 31.1
CVE-2022-40304

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v31.1

High

Medium March 2023 All before 31.0 31.1
CVE-2022-40303

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Components using this library enforce payload size limits before passing input data into libxml2. These size limits are significantly below that needed to be able to exploit this issue.

Resolution: Upgrade to Pexip Infinity v31.1

High None March 2023 All before 31.0 31.1
CVE-2022-2068

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection, potentially allowing an attacker to execute arbitrary commands with the privileges of the script.

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: The c_rehash script is used during system upgrade when updating the built-in Certificate Authorities. The updated Certificate Authorities and script usage are part of the upgrade archive which is signed using keys known only to Pexip and thus ensures that the input data is trusted.

Resolution: Upgrade to Pexip Infinity v31.1

Critical

None March 2023 All before 31.0 31.1
CVE-2022-1941

A parsing vulnerability for the MessageSet type in the ProtocolBuffers implementation allows an attacker to cause a software abort.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: ProtocolBuffers are used when communicating with Google Meet. Other service types are not affected.

Resolution: Upgrade to Pexip Infinity v31.1

High

Low March 2023 19.0-31.0 31.1
CVE-2022-1587

An out-of-bounds read vulnerability in the PCRE2 library allows an attacker to cause a software abort.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v31.1

High

Medium March 2023 All before 31.0 31.1
CVE-2022-1586

An out-of-bounds read vulnerability in the PCRE2 library allows an attacker to cause a software abort.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v31.1

High

Medium March 2023 All before 31.0 31.1
CVE-2022-1292

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection, potentially allowing an attacker to execute arbitrary commands with the privileges of the script.

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: The c_rehash script is used during system upgrade when updating the built-in Certificate Authorities. The updated Certificate Authorities and script usage are part of the upgrade archive which is signed using keys known only to Pexip and thus ensures that the input data is trusted.

Resolution: Upgrade to Pexip Infinity v31.1

Critical None March 2023 All before 31.0 31.1
Multiple

Resolved minor issues: CVE-2022-43680, CVE-2022-43638, CVE-2022-42898, CVE-2022-42703, CVE-2022-42010, CVE-2022-41323, CVE-2022-40476, CVE-2022-39190, CVE-2022-39188, CVE-2022-38178, CVE-2022-38177, CVE-2022-36946, CVE-2022-36879, CVE-2022-36359, CVE-2022-35252, CVE-2022-34495, CVE-2022-34494, CVE-2022-32296, CVE-2022-32206, CVE-2022-32205, CVE-2022-32148, CVE-2022-28347, CVE-2022-28346, CVE-2022-27776, CVE-2022-27774, CVE-2022-26373, CVE-2022-22576, CVE-2022-20368, CVE-2022-4304, CVE-2022-3775, CVE-2022-3629, CVE-2022-3625, CVE-2022-3586, CVE-2022-3515, CVE-2022-3080, CVE-2022-3028, CVE-2022-2959, CVE-2022-2938, CVE-2022-2929, CVE-2022-2928, CVE-2022-2905, CVE-2022-2795, CVE-2022-2602, CVE-2022-2601, CVE-2022-2588, CVE-2022-2586, CVE-2022-2585, CVE-2022-1962, CVE-2022-1705, CVE-2022-1508, CVE-2022-1184, CVE-2021-46829, CVE-2021-46828, CVE-2021-33655, CVE-2021-29648, CVE-2021-26401, CVE-2021-4150, CVE-2021-4023, CVE-2021-3759, CVE-2021-3669

    March 2023   31.1
CVE-2022-44722

Insufficient input validation in the signaling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 30.1

High High December 2022 27.0-30.0 30.1
CVE-2022-21712

The RedirectAgent and BrowserLikeRedirectAgent HTTP client implementations in the Twisted event-driven networking engine expose cookies and authorization headers when following cross-origin redirects.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Mitigation: This functionality is only used when interfacing with trusted third party services, none of which currently use cross-origin redirects, therefore no exploit path currently exists.

Resolution: Upgrade to Pexip Infinity 30.0

High None October 2022 17.0-29.x 30.0
CVE-2022-31676

open-vm-tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

CVSS3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 30.0

High Medium October 2022 21.0-29.x 30.0
CVE-2022-1043

A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.

CVSS3.1 base score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 30.0

High Medium October 2022 27.0-29.x 30.0
CVE-2021-30560

Use after free in xsltApplyTemplates prior to libxslt 1.1.35 allows attackers to potentially exploit heap corruption via crafted XML data.

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: Infinity versions before 27 do not expose this component to untrusted input and are thus not directly impacted by this issue (although it is still present in the versions of the component contained in pre-27 Infinity releases). Infinity versions from 27 up to 30 do process untrusted input using the affected component as part of the SIngle Sign-On functionality. Administrators should ensure that only trusted Identity Providers are configured.

Resolution: Upgrade to Pexip Infinity 30.0

High None October 2022 All before 30 30.0
CVE-2019-5815

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: No exploit paths exist in Infinity versions before 27 as this component is not exposed to untrusted input. Exploits in Infinity versions 27 through 29 require a malicious Identity Provider to be used for the Single Sign-On participant authentication functionality.

Resolution: Upgrade to Pexip Infinity 30.0

High None October 2022 All before 30 30.0
CVE-2022-42959

Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 30.0

High High October 2022 All before 30 30.0
CVE-2022-42730

Insufficient input validation allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Configure a global maximum call bandwidth (via Platform > Global Settings > Service Configuration)

Resolution: Upgrade to Pexip Infinity 30.0

High High October 2022 27.0-29.x 30.0
CVE-2022-41872

Unauthenticated denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 30.0

High High October 2022 All before 30 30.0
CVE-2022-40618

Insufficient input validation in the in-call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 29.3 or Pexip Infinity 30.0

High High October 2022 27.0-29.1 29.3 and 30.0
Multiple Resolved minor issues: CVE-2021-3800, CVE-2021-22924, CVE-2021-20223, CVE-2021-45868, CVE-2022-0494, CVE-2022-0854, CVE-2022-1016, CVE-2022-20153, CVE-2022-2078, CVE-2022-21499, CVE-2022-21716, CVE-2022-22576, CVE-2022-24801, CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, CVE-2022-24809, CVE-2022-24810, CVE-2022-25309, CVE-2022-25310, CVE-2022-27404, CVE-27405, CVE-27406, CVE-2022-27776, CVE-2022-28356, CVE-2022-28614, CVE-2022-32206, CVE-2022-32208, CVE-2022-34265, CVE-2020-35525, CVE-2020-35527, CVE-2022-34903, CVE-2022-37434, CVE-2022-40674     October 2022   30.0
CVE-2021-0707

In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android kernelAndroid ID: A-155756045References: Upstream kernel.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 All before 29 29.0
CVE-2021-39698

In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 All before 29 29.0
CVE-2022-1011

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 All before 29 29.0
CVE-2022-1729

A use-after-free flaw was found in the Linux kernel's performance events subsystem allowing a local user to crash the system.

CVSS 3.1 base score: 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 13-28.x 29.0
CVE-2022-1786

A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 26-28.x 29.0
CVE-2022-27666

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 21-28.x 29.0
CVE-2022-29581

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 21-28.x 29.0
CVE-2022-29582

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

CVSS 3.1 base score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 26-28.x 29.0
CVE-2022-30594

The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 13-28.x 29.0
CVE-2018-25032

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue is most reliably triggered by use of static Huffman coding (Z_FIXED), which is not used by Pexip Infinity, but can also occur when using dynamic Huffman coding (Z_DEFAULT_STRATEGY) with a memLevel of 1. All use of zlib compression within Pexip Infinity uses dynamic Huffman coding (Z_DEFAULT_STRATEGY) with a memLevel of at least 8.

Resolution: Upgrade to Pexip Infinity 29

High Medium July 2022 All before 29 29.0
CVE-2022-36434

Insufficient input validation in the Pexip Client API implementation allows an unauthenticated remote attacker to trigger a software abort leading to a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Disable support for Pexip Infinity Connect clients and Client API in Pexip Infinity Global Settings.

Resolution: Upgrade to Pexip Infinity 29

High High July 2022 28.x 29.0
CVE-2022-34490

Insufficient input validation in the RTP implementation allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 29

High High July 2022 9.0 - 28.2 29.0
CVE-2022-32956

Improper access control in the Infinity Management API allows a malicious attacker to escalate privileges when certificate based authentication is enabled.

CVSS 3.1 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Mitigation: Disable certificate based authentication.

Resolution: Upgrade to Pexip Infinity 29

High High July 2022 5.5 - 28.2 29.0
Multiple

Resolved minor issues: CVE-2021-45452, CVE-2021-45868, CVE-2022-0494, CVE-2022-0850, CVE-2022-0854, CVE-2022-1012, CVE-2022-1016, CVE-2022-1055, CVE-2022-1271, CVE-2022-1353, CVE-2022-1664, CVE-2022-1972, CVE-2022-1998, CVE-2022-2068, CVE-2022-2078, CVE-2022-20153, CVE-2022-21499, CVE-2022-28614, CVE-2022-29824, CVE-2022-31813, CVE-2022-32250, CVE-2022-1292

    July 2022   29.0

Connect app

Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.

Bulletin Description Risk Updated Impacted versions Addressed in version
CVE-2022-2478

Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High March 2023 Unknown 1.12
CVE-2022-2295

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High March 2023

Unknown

1.12
CVE-2022-2294

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High March 2023 Unknown 1.12
CVE-2022-2162

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High

March 2023 Unknown 1.12
CVE-2022-2011

Use after free in ANGLE in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High March 2023 Unknown 1.12
 

Resolved minor issue: CVE-2022-1867

 

  March 2023   1.12
CVE-2021-29655

Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code.

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect app 1.8.0

Credit: This issue was responsibly disclosed by The UK's National Cyber Security Centre (NCSC)

High June 2021 All before 1.8.0 1.8.0
CVE-2021-29656

Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution.

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity Connect 1.8.0

Credit: This issue was responsibly disclosed by The UK's National Cyber Security Centre (NCSC)

High June 2021 All before 1.8.0 1.8.0