Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37452 PUBLISHED: 2022-08-07
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
CVE-2022-26979 PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.
CVE-2022-27944 PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference.
CVE-2022-2688 PUBLISHED: 2022-08-06
A vulnerability was found in SourceCodester Expense Management System. It has been rated as critical. This issue affects the function fetch_report_credit of the file report.php of the component POST Parameter Handler. The manipulation of the argument from/to leads to sql injection. The attack may be...
CVE-2022-2689 PUBLISHED: 2022-08-06
A vulnerability classified as problematic has been found in SourceCodester Wedding Hall Booking System. Affected is an unknown function of the file /whbs/?page=contact_us of the component Contact Page. The manipulation of the argument Message leads to cross site scripting. It is possible to launch t...
4/25/2014 | 11:07:57 AM
The Heartbleed bug is a missing boundary check in OpenSSL code - a library that implements TLS. It's not a flaw in the TLS protocol.
Moving on to servers to test for "advanced mutations" makes no sense at all. Either the patch is applied or it isn't - there are no variants of it. The bug doesn't magically mutate to something else on its own. There are no other attack vectors. It's not a protocol level flaw, it's a flaw in one library that implements the protocol. Other SSL libraries are not vulnerable. This is an OpenSSL bug only.
The article uses terminology (mutation, spreading) that also plays on the "heartbleed is a virus" fallacy and as such is not only inaccurate but also dangerously close to being pure FUD.
OpenSSL and other libraries most likely contain other bugs - and more rigorous testing is a very good idea, especially for components that are widely used(/embedded) in core infrastructure products. But that has nothing to do with Heartbleed, it's just common sense.
Heartbleed has caused a lot of panic and misinformation, let's not create any more of it.