CWE-863

The Windows Installation component of TIBCO Software Inc.’s TIBCO Messaging – Eclipse Mosquitto Distribution – Core – Community Edition and TIBCO Messaging – Eclipse Mosquitto Distribution – Core – Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.’s TIBCO Messaging – Eclipse Mosquitto Distribution – Core – Community Edition: versions 1.3.0 and below and TIBCO Messaging – Eclipse Mosquitto Distribution – Core – Enterprise Edition: versions 1.3.0 and below.

The Windows Installation component of TIBCO Software Inc.’s TIBCO Messaging – Eclipse Mosquitto Distribution – Bridge – Community Edition and TIBCO Messaging – Eclipse Mosquitto Distribution – Bridge – Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.’s TIBCO Messaging – Eclipse Mosquitto Distribution – Bridge – Community Edition: versions 1.3.0 and below and TIBCO Messaging – Eclipse Mosquitto Distribution – Bridge – Enterprise Edition: versions 1.3.0 and below.

IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn’t have access to anymore (CVE-2021-28696).

The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace.

vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.

Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass.