MidnightBSD

Advisories for netapp

CVE-2007-2379 MEDIUM

The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
jquery jquery -
netapp snapcenter -
CVE-2009-5155 MEDIUM

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-19,

Products Affected

Vendor Product Version
netapp cloud_backup *
gnu glibc *
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
CVE-2010-1871 MEDIUM

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-917,CWE-917,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 4.3.0
netapp oncommand_insight -
netapp oncommand_balance -
netapp oncommand_unified_manager -
CVE-2010-5312 MEDIUM

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 7.0
apache drill 1.16.0
fedoraproject fedora 35
drupal drupal *
jquery jquery_ui *
debian debian_linux 9.0
netapp snapcenter -
CVE-2013-3320 MEDIUM

Cross-site Scripting (XSS) vulnerability in NetApp OnCommand System Manager before 2.2 allows remote attackers to inject arbitrary web script or HTML via the 'full-name' and 'comment' fields.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_system_manager *
CVE-2013-3321 MEDIUM

NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to include arbitrary files through specially crafted requests to the "diagnostic" page using the SnapMirror log path parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-829,

Products Affected

Vendor Product Version
netapp oncommand_system_manager *
CVE-2013-3322 HIGH

NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
netapp oncommand_system_manager *
CVE-2014-9353 HIGH

NetApp OnCommand Balance before 4.2P2 contains a "default privileged account," which allows remote attackers to gain privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
netapp oncommand_balance *
CVE-2014-9354 MEDIUM

NetApp OnCommand Balance before 4.2P3 allows local users to obtain sensitive information via unspecified vectors related to cleartext storage.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp oncommand_balance *
CVE-2015-20107 HIGH

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
fedoraproject fedora 36
fedoraproject fedora 37
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
python python *
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2015-3292 HIGH

The installer in NetApp OnCommand Workflow Automation before 2.2.1P1 and 3.x before 3.0P1 sets up the Java Debugging Wire Protocol (JDWP) service, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-17,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation *
netapp oncommand_workflow_automation 3.0
CVE-2015-7691 MEDIUM

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7692 MEDIUM

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7701 MEDIUM

Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7702 MEDIUM

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7703 MEDIUM

The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7704 MEDIUM

The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
citrix xenserver 7.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
mcafee enterprise_security_manager *
redhat enterprise_linux_server 6.0
citrix xenserver 6.2.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_server_aus 6.6
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
citrix xenserver 6.0.2
redhat enterprise_linux_server_tus 6.5
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 6.5
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
citrix xenserver 6.5
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 6.6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_eus 6.6
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
redhat enterprise_linux_server_eus 6.5
CVE-2015-7705 HIGH

The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to have unspecified impact via a large number of crafted requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
citrix xenserver 7.0
citrix xenserver 6.0.2
ntp ntp 4.2.8
netapp data_ontap -
citrix xenserver 6.5
netapp oncommand_unified_manager -
siemens tim_4r-ie_dnp3_firmware *
siemens tim_4r-ie_firmware *
citrix xenserver 6.2.0
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp *
CVE-2015-7746 HIGH

NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
netapp data_ontap *
CVE-2015-7848 MEDIUM

An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp oncommand_balance -
ntp ntp *
ntp ntp-dev 4.3.70
netapp oncommand_unified_manager -
netapp data_ontap_operating_in_7-mode -
CVE-2015-7849 MEDIUM

Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to possibly execute arbitrary code or cause a denial of service (crash) via crafted packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
ntp ntp *
netapp oncommand_unified_manager -
CVE-2015-7850 MEDIUM

ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 7.0
netapp clustered_data_ontap -
debian debian_linux 8.0
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
ntp ntp *
debian debian_linux 9.0
netapp oncommand_unified_manager -
CVE-2015-7852 MEDIUM

ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
ntp ntp *
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
oracle linux 6
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2015-7853 HIGH

The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative input value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
ntp ntp *
netapp oncommand_unified_manager -
CVE-2015-7854 MEDIUM

Buffer overflow in the password management functionality in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted key file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
ntp ntp *
netapp oncommand_unified_manager -
CVE-2015-7855 MEDIUM

The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 8.0
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
netapp oncommand_unified_manager -
siemens tim_4r-ie_dnp3_firmware *
siemens tim_4r-ie_firmware *
debian debian_linux 7.0
netapp clustered_data_ontap -
netapp oncommand_performance_manager -
ntp ntp *
debian debian_linux 9.0
CVE-2015-7871 HIGH

Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
debian debian_linux 7.0
netapp clustered_data_ontap -
debian debian_linux 8.0
netapp oncommand_performance_manager -
ntp ntp 4.2.8
netapp data_ontap -
netapp oncommand_balance -
ntp ntp *
debian debian_linux 9.0
netapp oncommand_unified_manager -
ntp ntp 4.2.5
CVE-2015-7886 MEDIUM

NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enabled, allows remote attackers to obtain sensitive volume information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp data_ontap *
CVE-2015-7887 MEDIUM

NetApp SnapCenter Server 1.0 allows remote authenticated users to list and delete backups.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
netapp snapcenter_server 1.0
CVE-2015-7973 MEDIUM

NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
freebsd freebsd 10.2
ntp ntp 4.2.8
freebsd freebsd *
netapp oncommand_balance -
canonical ubuntu_linux 12.04
siemens tim_4r-ie_dnp3_firmware *
siemens tim_4r-ie_firmware *
freebsd freebsd 10.1
canonical ubuntu_linux 16.04
netapp clustered_data_ontap -
canonical ubuntu_linux 14.04
ntp ntp *
freebsd freebsd 9.3
CVE-2015-7974 MEDIUM

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 3.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
siemens tim_4r-ie_firmware *
netapp clustered_data_ontap -
debian debian_linux 8.0
ntp ntp 4.2.8
netapp oncommand_balance -
ntp ntp *
debian debian_linux 9.0
siemens tim_4r-ie_dnp3_firmware *
CVE-2015-7977 MEDIUM

ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
freebsd freebsd 10.2
debian debian_linux 8.0
fedoraproject fedora 23
fedoraproject fedora 22
ntp ntp 4.2.8
netapp oncommand_balance -
siemens tim_4r-ie_dnp3_firmware -
canonical ubuntu_linux 12.04
siemens tim_4r-ie_firmware *
freebsd freebsd 10.1
oracle linux 6
canonical ubuntu_linux 16.04
netapp clustered_data_ontap -
canonical ubuntu_linux 14.04
ntp ntp *
debian debian_linux 9.0
freebsd freebsd 9.3
CVE-2015-8020 MEDIUM

Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default privileged account which under certain conditions can be used for unauthorized information disclosure.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
netapp clustered_data_ontap 8.3.2
netapp clustered_data_ontap 8.0
CVE-2015-8322 MEDIUM

NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authenticated users to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp data_ontap 8.3
netapp data_ontap 8.3.1
CVE-2015-8544 MEDIUM

NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp snapdrive *
CVE-2015-8960 MEDIUM

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp data_ontap_edge -
netapp plug-in_for_symantec_netbackup -
netapp solidfire_&_hci_management_node -
netapp snapdrive -
netapp snapprotect -
ietf transport_layer_security *
netapp snap_creator_framework -
netapp system_setup -
netapp smi-s_provider -
netapp host_agent -
netapp snapmanager -
netapp oncommand_shift -
netapp clustered_data_ontap_antivirus_connector -
CVE-2016-0762 MEDIUM

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
oracle tekelec_platform_distribution *
apache tomcat *
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
oracle communications_diameter_signaling_router *
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat jboss_enterprise_web_server 3.0.0
redhat enterprise_linux_server_aus 7.6
apache tomcat 9.0.0
netapp oncommand_shift -
CVE-2016-1000338 MEDIUM

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
netapp 7-mode_transition_tool -
bouncycastle legion-of-the-bouncy-castle-java-crytography-api *
redhat satellite 6.4
redhat satellite_capsule 6.4
canonical ubuntu_linux 14.04
CVE-2016-10160 HIGH

Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
debian debian_linux 8.0
php php *
CVE-2016-10165 MEDIUM

The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
littlecms little_cms_color_engine *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.3
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
redhat enterprise_linux_server 5.0
netapp e-series_santricity_os_controller 11.70.1
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp e-series_santricity_os_controller 11.60.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_aus 7.4
opensuse leap 42.1
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
netapp e-series_santricity_os_controller 11.40.3r2
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 7.6
netapp e-series_santricity_os_controller 11.60.3
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.50.2
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
netapp oncommand_unified_manager -
netapp oncommand_unified_manager 7.1
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 16.04
redhat enterprise_linux_desktop 5.0
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp oncommand_shift -
redhat enterprise_linux_workstation 5.0
netapp e-series_santricity_os_controller 11.70.2
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
CVE-2016-10708 MEDIUM

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp data_ontap_edge -
debian debian_linux 8.0
netapp oncommand_unified_manager *
netapp data_ontap -
netapp vasa_provider -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
netapp service_processor -
netapp storagegrid -
netapp storagegrid_webscale -
netapp cloud_backup -
openbsd openssh *
canonical ubuntu_linux 14.04
CVE-2016-1502 HIGH

NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
netapp snapcenter_server 1.0
CVE-2016-1563 MEDIUM

NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
CVE-2016-1894 HIGH

NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation *
CVE-2016-1895 MEDIUM

NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
netapp data_ontap 8.3.2p12
netapp data_ontap *
netapp data_ontap 9.0
CVE-2016-20012 MEDIUM

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp hci_management_node -
openbsd openssh *
netapp solidfire -
netapp ontap_select_deploy_administration_utility -
CVE-2016-2518 MEDIUM

The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.7
freebsd freebsd 10.2
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
oracle communications_user_data_repository 12.0.0
redhat enterprise_linux_server_aus 7.2
netapp oncommand_unified_manager_for_clustered_data_ontap -
redhat enterprise_linux_desktop 7.0
netapp data_ontap -
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server 6.0
oracle communications_user_data_repository 10.0.0
oracle linux 7
ntp ntp *
debian debian_linux 9.0
freebsd freebsd 9.3
redhat enterprise_linux_server_tus 7.3
siemens simatic_net_cp_443-1_opc_ua_firmware *
debian debian_linux 10.0
freebsd freebsd 10.3
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
oracle communications_user_data_repository 10.0.1
redhat enterprise_linux_server_aus 7.4
ntp ntp 4.2.8
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
freebsd freebsd 10.1
oracle linux 6
redhat enterprise_linux_server_tus 7.2
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.2
netapp oncommand_performance_manager -
CVE-2016-3063 MEDIUM

Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
netapp oncommand_system_manager *
CVE-2016-3064 MEDIUM

NetApp Clustered Data ONTAP before 8.2.4P4 and 8.3.x before 8.3.2P2 allows remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
netapp clustered_data_ontap *
netapp clustered_data_ontap 8.3.2
netapp clustered_data_ontap 8.3
CVE-2016-3400 MEDIUM

NetApp Data ONTAP 8.1 and 8.2, when operating in 7-Mode, allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service via vectors related to the SMB protocol.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
netapp data_ontap 8.1
netapp data_ontap 8.2
CVE-2016-3427 HIGH

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,CWE-284,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
suse manager 2.1
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_eus 7.2
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
suse openstack_cloud 5
redhat enterprise_linux_eus 6.7
netapp oncommand_report -
canonical ubuntu_linux 15.10
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
redhat enterprise_linux_server 5.0
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_server_tus 7.3
suse linux_enterprise_server 12
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
netapp storagegrid *
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
opensuse leap 42.1
netapp oncommand_insight -
netapp e-series_santricity_web_services -
canonical ubuntu_linux 12.04
apache cassandra 4.0.0
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
opensuse opensuse 13.1
oracle linux 6
suse linux_enterprise_server 10
suse linux_enterprise_module_for_legacy 12
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.2
netapp oncommand_performance_manager -
suse linux_enterprise_server 11
redhat satellite 5.6
oracle jdk 1.6.0
netapp oncommand_cloud_manager -
oracle linux 5
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
opensuse opensuse 13.2
redhat enterprise_linux_server 6.0
oracle jrockit r28.3.9
canonical ubuntu_linux 16.04
redhat enterprise_linux_desktop 5.0
oracle jre 1.8.0
oracle linux 7
canonical ubuntu_linux 14.04
suse linux_enterprise_desktop 12
netapp oncommand_shift -
suse manager_proxy 2.1
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 5.0
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.7
suse linux_enterprise_software_development_kit 11
apache cassandra *
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
suse linux_enterprise_software_development_kit 12
netapp e-series_santricity_management_plug-ins -
CVE-2016-3997 MEDIUM

NetApp Clustered Data ONTAP allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service by leveraging failure to enable SMB signing enforcement in its default state.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
CVE-2016-3998 MEDIUM

NetApp AltaVault 4.1 and earlier allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service via vectors related to the SMB protocol.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
netapp altavault *
CVE-2016-4341 MEDIUM

NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2016-4461 HIGH

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
apache struts *
netapp oncommand_balance -
CVE-2016-5018 MEDIUM

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
oracle tekelec_platform_distribution *
apache tomcat *
redhat jboss_enterprise_application_platform 6.4
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat jboss_enterprise_web_server 3.0.0
redhat enterprise_linux_server_aus 7.6
apache tomcat 9.0.0
netapp oncommand_shift -
CVE-2016-5045 MEDIUM

NetApp OnCommand System Manager before 9.0 allows remote attackers to obtain sensitive credentials via vectors related to cluster peering setup.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp oncommand_system_manager 8.3
netapp oncommand_system_manager 8.3.2
netapp oncommand_system_manager 8.3.1
CVE-2016-5047 MEDIUM

NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote authenticated users to cause a denial of service via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_system_manager 8.3
netapp oncommand_system_manager 8.3.2
netapp oncommand_system_manager 8.3.1
CVE-2016-5195 HIGH

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 5
paloaltonetworks pan-os *
redhat enterprise_linux_eus 7.1
redhat enterprise_linux_long_life 5.9
netapp oncommand_unified_manager_for_clustered_data_ontap -
netapp ontap_select_deploy_administration_utility -
netapp snapprotect -
redhat enterprise_linux_tus 6.5
redhat enterprise_linux_eus 6.7
debian debian_linux 7.0
canonical ubuntu_linux 16.04
fedoraproject fedora 25
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
redhat enterprise_linux_eus 6.6
redhat enterprise_linux_aus 6.5
debian debian_linux 8.0
fedoraproject fedora 23
netapp oncommand_balance -
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.10
redhat enterprise_linux_aus 6.2
redhat enterprise_linux 7.0
redhat enterprise_linux_aus 6.4
netapp oncommand_performance_manager -
fedoraproject fedora 24
redhat enterprise_linux_long_life 5.6
netapp hci_storage_nodes -
CVE-2016-5372 MEDIUM

Cross-site request forgery (CSRF) vulnerability in NetApp Snap Creator Framework before 4.3.0P1 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
netapp snap_creator_framework *
CVE-2016-5374 MEDIUM

NetApp Data ONTAP 9.0 and 9.1 before 9.1P1 allows remote authenticated users that own SMB-hosted data to bypass intended sharing restrictions by leveraging improper handling of the owner_rights ACL entry.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
netapp data_ontap 9.1
netapp data_ontap 9.0
CVE-2016-5710 LOW

NetApp Snap Creator Framework before 4.3P1 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-1021,

Products Affected

Vendor Product Version
netapp snap_creator_framework *
CVE-2016-5711 MEDIUM

NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp virtual_storage_console_for_vmware_vsphere *
CVE-2016-6495 MEDIUM

NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, allows remote attackers to obtain information about the volumes configured for HTTP access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp data_ontap *
CVE-2016-6667 HIGH

NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 through 6.4P1 contain a default privileged account, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_for_clustered_data_ontap 6.3
netapp oncommand_unified_manager_for_clustered_data_ontap 6.4
CVE-2016-6794 MEDIUM

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
oracle tekelec_platform_distribution *
apache tomcat *
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat jboss_enterprise_web_server 3.0.0
redhat enterprise_linux_server_aus 7.6
apache tomcat 9.0.0
netapp oncommand_shift -
CVE-2016-6796 MEDIUM

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
apache tomcat *
redhat jboss_enterprise_application_platform 6.4
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
oracle tekelec_platform_distribution 7.7.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat jboss_enterprise_web_server 3.0.0
redhat enterprise_linux_server_aus 7.6
apache tomcat 9.0.0
oracle tekelec_platform_distribution 7.4.0
netapp oncommand_shift -
CVE-2016-6797 MEDIUM

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
oracle tekelec_platform_distribution *
apache tomcat *
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat jboss_enterprise_web_server 3.0.0
redhat enterprise_linux_server_aus 7.6
apache tomcat 9.0.0
netapp oncommand_shift -
CVE-2016-6820 MEDIUM

MetroCluster Tiebreaker for clustered Data ONTAP in versions before 1.2 discloses sensitive information in cleartext which may be viewed by an unauthenticated user.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp metrocluster_tiebreaker *
CVE-2016-6904 MEDIUM

Versions of VASA Provider for Clustered Data ONTAP prior to 7.0P1 contain a web server that accepts plain text authentication. This could allow an unauthenticated attacker to obtain authentication credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
netapp vasa_provider *
CVE-2016-7103 MEDIUM

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fedoraproject fedora 36
redhat openstack 7.0
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
fedoraproject fedora 30
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
redhat openstack 9
netapp snapcenter -
juniper junos 21.2
oracle weblogic_server 10.3.6.0.0
oracle hospitality_cruise_fleet_management 9.0.11
oracle oss_support_tools 2.12.42
oracle application_express *
jqueryui jquery_ui 1.10.0
fedoraproject fedora 35
oracle siebel_ui_framework *
oracle primavera_unifier *
redhat openstack 8
jquery jquery_ui *
debian debian_linux 9.0
oracle oss_support_tools *
CVE-2016-7171 MEDIUM

NetApp Plug-in for Symantec NetBackup prior to version 2.0.1 makes use of a non-unique server certificate, making it vulnerable to impersonation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp netapp_plug-in *
CVE-2016-7172 MEDIUM

NetApp Snap Creator Framework before 4.3.1 discloses sensitive information which could be viewed by an unauthorized user.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp snap_creator_framework *
CVE-2016-7480 HIGH

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
php php *
CVE-2016-8610 MEDIUM

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle application_testing_suite 13.3.0.1
paloaltonetworks pan-os *
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
oracle core_rdbms 12.1.0.2
redhat enterprise_linux_desktop 7.0
oracle enterprise_manager_ops_center 12.3.3
redhat enterprise_linux_server_eus 7.3
oracle peoplesoft_enterprise_peopletools 8.56
oracle weblogic_server 10.3.6.0.0
redhat enterprise_linux_desktop 6.0
openssl openssl 1.1.0
oracle jd_edwards_enterpriseone_tools 9.2
netapp snapcenter_server -
openssl openssl *
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
fujitsu m10-1_firmware *
redhat enterprise_linux_server_aus 7.4
oracle core_rdbms 12.2.0.1
redhat enterprise_linux_server_tus 7.6
oracle peoplesoft_enterprise_peopletools 8.58
netapp smi-s_provider -
netapp cn1610_firmware -
fujitsu m10-4s_firmware *
netapp service_processor -
redhat enterprise_linux_server_aus 7.6
openssl openssl 1.0.1
netapp clustered_data_ontap_antivirus_connector -
netapp e-series_santricity_os_controller *
netapp data_ontap_edge -
oracle weblogic_server 12.2.1.3.0
oracle communications_analytics 12.1.1
oracle communications_ip_service_activator 7.3.4
oracle weblogic_server 12.1.3.0.0
oracle adaptive_access_manager 11.1.2.3.0
netapp snapdrive -
fujitsu m10-4_firmware *
netapp data_ontap -
oracle enterprise_manager_ops_center 12.4.0
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp ontap_select_deploy -
netapp storagegrid -
netapp storagegrid_webscale -
netapp host_agent -
oracle core_rdbms 11.2.0.4
netapp oncommand_workflow_automation -
oracle core_rdbms 19c
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
oracle retail_predictive_application_server 16.0.3
oracle core_rdbms 18c
openssl openssl 0.9.8
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
oracle weblogic_server 12.2.1.4.0
oracle peoplesoft_enterprise_peopletools 8.57
netapp clustered_data_ontap -
redhat jboss_enterprise_application_platform 6.4.0
oracle communications_ip_service_activator 7.4.0
oracle retail_predictive_application_server 15.0.3
oracle goldengate_application_adapters 12.3.2.1.0
fujitsu m12-2_firmware *
oracle timesten_in-memory_database *
CVE-2016-8612 LOW

Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerable to an Improper Input Validation in the protocol parsing logic in the load balancer resulting in a Segmentation Fault in the serving httpd process.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
apache http_server *
netapp storage_automation_store -
CVE-2016-8735 HIGH

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
apache tomcat 7.0.70
apache tomcat 6.0.35
oracle agile_plm 9.3.6
oracle agile_engineering_data_management 6.1.3
apache tomcat 6.0.18
apache tomcat 6.0.21
apache tomcat 7.0.21
apache tomcat 7.0.56
oracle micros_retail_xbri_loss_prevention 10.8.0
apache tomcat 7.0.10
apache tomcat 8.0.10
apache tomcat 8.0.15
apache tomcat 7.0.28
apache tomcat 7.0.8
apache tomcat 7.0.15
apache tomcat 8.5.3
oracle transportation_management 6.3.2
apache tomcat 8.0.28
apache tomcat 7.0.23
netapp oncommand_insight -
oracle micros_retail_xbri_loss_prevention 10.7.7
apache tomcat 7.0.47
apache tomcat 6.0.41
apache tomcat 6.0.19
apache tomcat 8.0.5
oracle micros_relate_crm_software 10.8
apache tomcat *
apache tomcat 7.0.31
apache tomcat 8.0.36
apache tomcat 7.0.36
apache tomcat 6.0.25
apache tomcat 7.0.7
apache tomcat 7.0.32
apache tomcat 8.0.25
apache tomcat 6.0.24
apache tomcat 7.0.1
apache tomcat 8.0.11
apache tomcat 7.0.72
apache tomcat 8.5.4
apache tomcat 7.0.41
apache tomcat 8.5.0
apache tomcat 7.0.24
apache tomcat 7.0.61
oracle communications_application_session_controller 3.8.0
apache tomcat 8.0.17
apache tomcat 6.0.29
apache tomcat 8.0.0
apache tomcat 8.0.2
apache tomcat 6.0.2
oracle transportation_management 6.3.3
apache tomcat 7.0.22
apache tomcat 6.0.31
apache tomcat 8.0.16
apache tomcat 6.0.38
apache tomcat 7.0.50
apache tomcat 8.0.38
apache tomcat 8.0.4
apache tomcat 7.0.39
apache tomcat 7.0.65
oracle micros_retail_xbri_loss_prevention 10.6.0
apache tomcat 6.0.15
apache tomcat 6.0.44
apache tomcat 8.0.7
apache tomcat 7.0.13
apache tomcat 6.0.37
apache tomcat 7.0.29
apache tomcat 7.0.33
apache tomcat 8.0.30
apache tomcat 6.0.34
apache tomcat 7.0.30
apache tomcat 8.5.5
apache tomcat 8.0.8
apache tomcat 8.0.23
apache tomcat 7.0.42
apache tomcat 6.0.5
apache tomcat 6.0.36
oracle transportation_management 6.3.0
apache tomcat 7.0.55
apache tomcat 7.0.16
netapp snap_creator_framework -
apache tomcat 7.0.43
apache tomcat 8.0.26
apache tomcat 6.0.9
apache tomcat 7.0.12
apache tomcat 6.0.26
apache tomcat 8.0.12
apache tomcat 8.0.21
oracle agile_engineering_data_management 6.2.1.0
apache tomcat 8.0.31
canonical ubuntu_linux 16.04
apache tomcat 7.0.5
oracle communications_application_session_controller 3.7.1
netapp oncommand_shift -
apache tomcat 7.0.46
apache tomcat 8.5.6
debian debian_linux 8.0
apache tomcat 7.0.49
apache tomcat 6.0.16
apache tomcat 7.0.14
apache tomcat 6.0.17
apache tomcat 8.0.18
apache tomcat 7.0.63
apache tomcat 8.0.22
oracle communications_interactive_session_recorder 6.0
apache tomcat 6.0.3
apache tomcat 7.0.59
apache tomcat 7.0.64
apache tomcat 6.0.4
apache tomcat 6.0.28
apache tomcat 7.0.4
apache tomcat 8.0.14
redhat jboss_enterprise_web_server 3.0.0
apache tomcat 9.0.0
apache tomcat 7.0.52
apache tomcat 8.0.33
apache tomcat 6.0.32
apache tomcat 8.0.19
oracle agile_engineering_data_management 6.2.0
apache tomcat 8.0.27
apache tomcat 8.0.29
apache tomcat 8.0.34
apache tomcat 7.0.34
apache tomcat 6.0.42
oracle transportation_management 6.3.6
netapp 7-mode_transition_tool -
oracle retail_convenience_and_fuel_pos_software 2.1.132
apache tomcat 7.0.40
oracle micros_retail_xbri_loss_prevention 10.0.1
oracle mysql_enterprise_monitor *
apache tomcat 8.0.37
apache tomcat 7.0.17
apache tomcat 7.0.18
apache tomcat 6.0.0
oracle micros_relate_crm_software 11.4
apache tomcat 7.0.54
apache tomcat 7.0.0
apache tomcat 8.0.9
apache tomcat 7.0.51
oracle hospitality_guest_access 4.2.0
apache tomcat 7.0.48
apache tomcat 7.0.27
apache tomcat 6.0.20
apache tomcat 6.0.39
apache tomcat 7.0.53
apache tomcat 8.0.3
apache tomcat 7.0.2
apache tomcat 7.0.69
apache tomcat 8.0.35
apache tomcat 6.0.43
apache tomcat 8.5.2
apache tomcat 6.0.12
oracle communications_interactive_session_recorder 6.2
apache tomcat 6.0.40
apache tomcat 6.0.13
apache tomcat 6.0.1
apache tomcat 7.0.11
apache tomcat 8.0.1
apache tomcat 6.0.46
apache tomcat 6.0.33
oracle transportation_management 6.3.5
apache tomcat 6.0.10
apache tomcat 6.0.22
apache tomcat 6.0.23
apache tomcat 7.0.68
apache tomcat 7.0.35
oracle micros_retail_xbri_loss_prevention 10.8.1
apache tomcat 6.0.14
apache tomcat 7.0.58
oracle communications_instant_messaging_server 10.0.1
apache tomcat 7.0.57
oracle transportation_management 6.3.4
apache tomcat 8.0.13
apache tomcat 6.0.8
apache tomcat 7.0.20
apache tomcat 7.0.71
apache tomcat 7.0.45
oracle transportation_management 6.3.1
apache tomcat 6.0.30
apache tomcat 7.0.66
apache tomcat 8.0.24
apache tomcat 8.0.32
apache tomcat 7.0.37
apache tomcat 6.0.6
apache tomcat 8.0.20
oracle transportation_management 6.3.7
oracle agile_plm 9.3.5
apache tomcat 7.0.60
oracle hospitality_guest_access 4.2.1
apache tomcat 6.0.47
oracle micros_retail_xbri_loss_prevention 10.5.0
apache tomcat 6.0.45
oracle communications_interactive_session_recorder 6.1
apache tomcat 7.0.62
apache tomcat 7.0.9
apache tomcat 7.0.38
apache tomcat 6.0.11
apache tomcat 7.0.44
apache tomcat 7.0.6
apache tomcat 8.0.6
apache tomcat 7.0.26
apache tomcat 8.5.1
apache tomcat 6.0.7
apache tomcat 7.0.19
apache tomcat 7.0.25
apache tomcat 7.0.3
apache tomcat 6.0.27
apache tomcat 7.0.67
CVE-2016-8743 MEDIUM

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
apache http_server *
redhat jboss_core_services 1.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
CVE-2016-8864 MEDIUM

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
isc bind 9.9.9
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 6.2
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 6.7
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_desktop 5.0
isc bind 9.10.4
redhat enterprise_linux_server 5.0
redhat enterprise_linux_server_aus 6.6
netapp solidfire -
isc bind 9.11.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_workstation 5.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_tus 6.5
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 6.5
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 6.6
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
isc bind *
redhat enterprise_linux_server_aus 6.4
CVE-2016-9131 MEDIUM

named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
isc bind 9.9.9
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_desktop 7.0
isc bind 9.10.4
netapp solidfire -
isc bind 9.11.0
redhat enterprise_linux_server_workstation 7.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
netapp hci_management_node -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
isc bind *
CVE-2016-9778 MEDIUM

An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes. Please note: This vulnerability affects the "nxdomain-redirect" feature, which is one of two methods of handling NXDOMAIN redirection, and is only available in certain versions of BIND. Redirection using zones of type "redirect" is not affected by this vulnerability. Affects BIND 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0-P1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-388,

Products Affected

Vendor Product Version
netapp data_ontap_edge -
isc bind 9.9.9
netapp solidfire_element_os_management_node -
isc bind 9.9.8
isc bind 9.11.0
CVE-2016-9841 HIGH

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp symantec_netbackup -
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
nodejs node.js *
netapp virtual_storage_console -
netapp snapmanager -
oracle database_server 18c
redhat enterprise_linux_workstation 7.0
oracle jdk 1.8.0
opensuse leap 42.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
netapp oncommand_performance_manager -
zlib zlib *
apple mac_os_x *
netapp e-series_santricity_os_controller *
oracle jdk 1.6.0
netapp storage_replication_adapter_for_clustered_data_ontap -
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
opensuse opensuse 13.2
redhat enterprise_linux_server 6.0
apple iphone_os *
opensuse leap 42.2
canonical ubuntu_linux 16.04
oracle jre 1.8.0
apple tvos *
netapp cloud_backup -
netapp solidfire -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
debian debian_linux 8.0
apple watchos *
netapp oncommand_balance -
redhat satellite 5.8
oracle mysql *
redhat enterprise_linux_eus 7.5
netapp hci_storage_node -
CVE-2016-9843 HIGH

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
opensuse opensuse 13.2
redhat enterprise_linux_server 6.0
apple iphone_os *
opensuse leap 42.2
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
apple tvos *
nodejs node.js *
oracle database_server 18c
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
debian debian_linux 8.0
oracle jdk 1.8.0
opensuse leap 42.1
apple watchos *
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat satellite 5.8
oracle mysql *
redhat enterprise_linux_eus 7.5
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
zlib zlib *
apple mac_os_x *
CVE-2017-10053 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp virtual_storage_console 6.2.2
netapp e-series_santricity_os_controller *
netapp element_software -
oracle jdk 1.6.0
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
netapp vasa_provider *
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
debian debian_linux 10.0
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp vasa_provider 6.0
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10067 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp virtual_storage_console 6.2.2
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10074 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp virtual_storage_console 6.2.2
CVE-2017-10078 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Scripting). The supported version that is affected is Java SE: 8u131. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
phoenixcontact fl_mguard_dm *
netapp oncommand_performance_manager -
netapp virtual_storage_console 6.2.2
CVE-2017-10081 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
netapp oncommand_performance_manager -
netapp virtual_storage_console 6.2.2
CVE-2017-10086 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10087 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10089 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10090 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10096 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2017-10101 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2017-10102 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10105 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
oracle jre 1.6.0
netapp oncommand_performance_manager -
CVE-2017-10107 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10108 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp oncommand_unified_manager 7.1
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10109 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10110 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10111 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10114 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10115 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10116 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
phoenixcontact fl_mguard_dm 1.8.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10118 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
oracle jrockit r28.3.14
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
phoenixcontact fl_mguard_dm *
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10125 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 7u141 and 8u131. Difficult to exploit vulnerability allows physical access to compromise Java SE. While the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: Applies to deployment of Java where the Java Auto Update is enabled. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 0.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10135 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10176 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
oracle jrockit r28.3.14
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
phoenixcontact fl_mguard_dm *
netapp oncommand_performance_manager -
CVE-2017-10193 LOW

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10198 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N 2.2 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
oracle jrockit r28.3.14
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
netapp virtual_storage_console -
netapp snapmanager -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
debian debian_linux 9.0
netapp oncommand_shift -
redhat enterprise_linux_eus 7.3
netapp virtual_storage_console *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
phoenixcontact fl_mguard_dm *
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10243 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
redhat enterprise_linux_server_aus 7.7
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
oracle jrockit r28.3.14
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
redhat enterprise_linux_server_aus 7.3
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2017-10268 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
debian debian_linux 9.0
CVE-2017-10274 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10281 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
oracle jrockit r28.3.15
CVE-2017-10285 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_worksation 7.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
netapp vasa_provider_for_clustered_data_ontap 6.0.
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
redhat enterprise_linux_worksation 6.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10286 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_performance_manager -
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
CVE-2017-10293 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Javadoc). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
netapp snapmanager -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
netapp e-series_santricity_web_services -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
netapp oncommand_performance_manager -
netapp e-series_santricity_management_plug-ins -
CVE-2017-10295 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
oracle jrockit r28.3.15
CVE-2017-10309 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L 2.8 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
netapp snapmanager -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_balance -
redhat satellite 5.8
netapp e-series_santricity_web_services -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
netapp oncommand_performance_manager -
netapp e-series_santricity_management_plug-ins -
CVE-2017-10320 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_performance_manager -
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
CVE-2017-10345 LOW

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
oracle jrockit r28.3.15
CVE-2017-10346 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10347 MEDIUM

Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10348 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10349 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10350 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10355 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
oracle jrockit r28.3.15
CVE-2017-10356 LOW

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10357 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-10365 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L 1.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_performance_manager -
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
CVE-2017-10378 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
debian debian_linux 9.0
CVE-2017-10379 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2017-10384 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier 5.6.37 and earlier 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_balance -
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
CVE-2017-10388 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager *
netapp virtual_storage_console 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
debian debian_linux 7.0
netapp snapmanager -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
oracle jdk 1.8.0
redhat enterprise_linux_server_aus 7.4
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
redhat enterprise_linux_server_tus 7.6
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp oncommand_performance_manager -
netapp e-series_santricity_os_controller *
netapp element_software -
netapp vasa_provider_for_clustered_data_ontap 6.0
oracle jdk 1.9.0
oracle jdk 1.6.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
oracle jre 1.8.0
netapp cloud_backup -
oracle jre 1.9.0
debian debian_linux 9.0
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp oncommand_balance -
redhat satellite 5.8
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2017-11147 MEDIUM

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
php php *
CVE-2017-11461 MEDIUM

NetApp OnCommand Unified Manager for 7-mode (core package) versions prior to 5.2.1 are susceptible to a clickjacking or "UI redress attack" which could be used to cause a user to perform an unintended action in the user interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2017-12420 MEDIUM

Heap-based buffer overflow in the SMB implementation in NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allows remote authenticated users to cause a denial of service or execute arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2017-12421 MEDIUM

NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to execute arbitrary code on the storage controller via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
netapp clustered_data_ontap 8.3.2
netapp clustered_data_ontap 8.3.2p11
netapp clustered_data_ontap 8.3
CVE-2017-12422 MEDIUM

NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
netapp storagegrid_webscale 10.4.0.1
netapp storagegrid_webscale 10.3.0
netapp storagegrid_webscale 10.2
netapp storagegrid_webscale 10.4.0
netapp storagegrid_webscale 10.2.2
netapp storagegrid_webscale 10.2.2.2
netapp storagegrid_webscale 10.3.0.3
netapp storagegrid_webscale 10.2.1
CVE-2017-12423 MEDIUM

NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to read data on other Storage Virtual Machines (SVMs) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.3.1
netapp clustered_data_ontap 8.3.2
netapp clustered_data_ontap 8.3.2p11
netapp clustered_data_ontap 8.3
CVE-2017-12615 MEDIUM

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
redhat enterprise_linux_for_power_little_endian_eus 7.4_ppc64le
apache tomcat 7.0.59
apache tomcat 7.0.70
apache tomcat 7.0.64
apache tomcat 7.0
redhat enterprise_linux_desktop 7.0
apache tomcat 7.0.21
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
apache tomcat 7.0.56
apache tomcat 7.0.10
apache tomcat 7.0.4
redhat enterprise_linux_eus_compute_node 7.5
redhat jboss_enterprise_web_server 3.0.0
apache tomcat 7.0.28
apache tomcat 7.0.8
apache tomcat 7.0.15
redhat enterprise_linux_for_ibm_z_systems_eus 7.4_s390x
apache tomcat 7.0.77
redhat enterprise_linux_workstation 7.0
apache tomcat 7.0.23
redhat enterprise_linux_eus 7.6
apache tomcat 7.0.34
apache tomcat 7.0.47
netapp 7-mode_transition_tool -
apache tomcat 7.0.79
apache tomcat 7.0.40
redhat enterprise_linux_eus_compute_node 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_for_ibm_z_systems_eus 7.5_s390x
apache tomcat *
apache tomcat 7.0.31
redhat enterprise_linux_for_scientific_computing 7.0
apache tomcat 7.0.36
apache tomcat 7.0.17
apache tomcat 7.0.7
apache tomcat 7.0.18
apache tomcat 7.0.32
apache tomcat 7.0.1
apache tomcat 7.0.72
apache tomcat 7.0.41
apache tomcat 7.0.54
apache tomcat 7.0.0
apache tomcat 7.0.51
apache tomcat 7.0.24
apache tomcat 7.0.61
apache tomcat 7.0.73
apache tomcat 7.0.75
apache tomcat 7.0.48
apache tomcat 7.0.27
netapp oncommand_balance -
apache tomcat 7.0.76
apache tomcat 7.0.2
apache tomcat 7.0.22
apache tomcat 7.0.69
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_for_power_big_endian_eus 7.4_ppc64
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7
redhat enterprise_linux_for_power_big_endian 7.0_ppc64
redhat enterprise_linux_for_ibm_z_systems_eus 7.6_s390x
apache tomcat 7.0.50
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.7_ppc64le
apache tomcat 7.0.11
apache tomcat 7.0.39
apache tomcat 7.0.65
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.6_ppc64le
apache tomcat 7.0.68
apache tomcat 7.0.13
apache tomcat 7.0.35
apache tomcat 7.0.29
apache tomcat 7.0.33
redhat enterprise_linux_for_power_big_endian_eus 7.5_ppc64
apache tomcat 7.0.58
apache tomcat 7.0.30
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
apache tomcat 7.0.42
redhat enterprise_linux_server_aus 7.4
redhat jboss_enterprise_web_server 2.0.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.4_ppc64le
apache tomcat 7.0.57
redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64
apache tomcat 7.0.55
apache tomcat 7.0.16
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.4
apache tomcat 7.0.20
apache tomcat 7.0.43
apache tomcat 7.0.71
apache tomcat 7.0.45
apache tomcat 7.0.66
apache tomcat 7.0.74
apache tomcat 7.0.37
redhat jboss_enterprise_web_server_text-only_advisories -
apache tomcat 7.0.12
apache tomcat 7.0.60
redhat enterprise_linux_for_power_little_endian_eus 7.6_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 7.7_s390x
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.2_ppc64le
redhat enterprise_linux_server 6.0
apache tomcat 7.0.5
apache tomcat 7.0.62
apache tomcat 7.0.9
apache tomcat 7.0.38
apache tomcat 7.0.44
apache tomcat 7.0.6
netapp oncommand_shift -
redhat enterprise_linux_eus_compute_node 7.6
apache tomcat 7.0.46
apache tomcat 7.0.26
apache tomcat 7.0.19
apache tomcat 7.0.49
apache tomcat 7.0.25
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
redhat enterprise_linux_for_power_little_endian_eus 7.5_ppc64le
apache tomcat 7.0.14
redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64
redhat enterprise_linux_for_power_little_endian 7.0_ppc64le
apache tomcat 7.0.3
apache tomcat 7.0.63
redhat enterprise_linux_for_power_little_endian_eus 7.7_ppc64le
redhat enterprise_linux_eus_compute_node 7.4
apache tomcat 7.0.67
CVE-2017-12617 MEDIUM

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
redhat enterprise_linux_for_power_little_endian_eus 7.4_ppc64le
apache tomcat 7.0.70
netapp element -
oracle health_sciences_empirica_inspections 1.0.1.1
oracle agile_plm 9.3.6
redhat enterprise_linux_desktop 7.0
apache tomcat 7.0.21
oracle enterprise_manager_for_mysql_database 12.1.0.4.0
apache tomcat 7.0.56
oracle micros_retail_xbri_loss_prevention 10.8.0
apache tomcat 7.0.10
oracle retail_back_office 14.1.3
apache tomcat 8.0.10
apache tomcat 8.0.15
apache tomcat 7.0.28
apache tomcat 7.0.8
apache tomcat 7.0.15
redhat enterprise_linux_for_ibm_z_systems_eus 7.4_s390x
oracle retail_xstore_point_of_service 7.1.6
apache tomcat 8.5.3
oracle retail_store_inventory_management 16.0.1
oracle transportation_management 6.3.2
apache tomcat 8.0.28
oracle micros_retail_xbri_loss_prevention 10.7.0
oracle tuxedo_system_and_applications_monitor 12.1.3.0.0
apache tomcat 7.0.23
redhat enterprise_linux_eus 7.6
netapp oncommand_insight -
apache tomcat 8.5.9
oracle retail_store_inventory_management 14.0.4
canonical ubuntu_linux 12.04
apache tomcat 7.0.47
apache tomcat 7.0.79
redhat enterprise_linux_eus_compute_node 7.7
apache tomcat 8.0.39
redhat enterprise_linux_for_ibm_z_systems_eus 7.5_s390x
oracle retail_order_broker 15.0
oracle financial_services_analytical_applications_infrastructure *
apache tomcat *
apache tomcat 7.0.31
apache tomcat 8.0.36
oracle retail_point-of-service 14.1.3
apache tomcat 8.5.17
apache tomcat 7.0.36
redhat fuse 1.0
apache tomcat 7.0.7
oracle endeca_information_discovery_integrator 3.1.0
apache tomcat 7.0.32
apache tomcat 8.0.25
oracle retail_price_management 15.0
apache tomcat 7.0.1
apache tomcat 8.0.11
apache tomcat 7.0.72
oracle retail_order_broker 5.2
apache tomcat 8.5.18
apache tomcat 8.5.4
apache tomcat 7.0.41
oracle retail_xstore_point_of_service 15.0.1
apache tomcat 8.5.0
apache tomcat 8.0.42
apache tomcat 7.0.24
apache tomcat 7.0.61
apache tomcat 7.0.73
apache tomcat 8.0.17
apache tomcat 7.0.75
apache tomcat 8.0.0
redhat jboss_enterprise_application_platform 6.0.0
apache tomcat 8.0.43
canonical ubuntu_linux 17.10
netapp oncommand_balance -
apache tomcat 7.0.76
apache tomcat 8.0.2
oracle retail_advanced_inventory_planning 15.0
oracle transportation_management 6.3.3
apache tomcat 7.0.22
oracle retail_order_broker 5.0
redhat enterprise_linux_eus 7.7
oracle instantis_enterprisetrack 17.2
oracle retail_order_management_system 4.7
redhat enterprise_linux_server_tus 7.7
apache tomcat 8.0.16
redhat enterprise_linux_for_power_big_endian_eus 7.4_ppc64
redhat enterprise_linux_for_power_big_endian 7.0_ppc64
redhat enterprise_linux_for_ibm_z_systems_eus 7.6_s390x
apache tomcat 7.0.50
apache tomcat 8.0.38
apache tomcat 8.0.4
apache tomcat 8.5.20
apache tomcat 7.0.39
apache tomcat 7.0.65
oracle micros_retail_xbri_loss_prevention 10.6.0
apache tomcat 8.0.44
netapp snapcenter -
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
apache tomcat 8.0.7
apache tomcat 7.0.13
oracle retail_order_management_system 4.0
apache tomcat 7.0.29
apache tomcat 7.0.33
apache tomcat 8.0.30
oracle retail_invoice_matching 13.2
apache tomcat 7.0.30
apache tomcat 8.5.5
apache tomcat 8.0.23
apache tomcat 7.0.42
oracle retail_returns_management 2.4.9
apache tomcat 8.5.13
apache tomcat 8.5.7
apache tomcat 7.0.55
apache tomcat 7.0.16
redhat enterprise_linux_server_tus 7.6
oracle retail_central_office 14.0.4
apache tomcat 7.0.43
oracle retail_price_management 14.0
apache tomcat 7.0.74
apache tomcat 8.0.26
apache tomcat 7.0.12
oracle retail_price_management 16.0
oracle workload_manager 12.2.0.1
oracle retail_back_office 14.0.4
apache tomcat 8.0.12
redhat enterprise_linux_for_power_little_endian_eus 7.6_ppc64le
apache tomcat 8.0.21
redhat enterprise_linux_for_ibm_z_systems_eus 7.7_s390x
oracle retail_order_management_system 4.5
redhat enterprise_linux_server 6.0
apache tomcat 8.0.31
oracle retail_price_management 12.0
canonical ubuntu_linux 16.04
apache tomcat 7.0.5
netapp oncommand_shift -
oracle retail_invoice_matching 13.1
oracle retail_eftlink 16.0.2
apache tomcat 7.0.46
oracle retail_returns_management 14.1.3
oracle instantis_enterprisetrack 17.1
apache tomcat 8.5.6
oracle retail_advanced_inventory_planning 14.1
apache tomcat 7.0.49
oracle management_pack 11.2.1.0.13
oracle retail_eftlink 1.1.124
oracle retail_invoice_matching 16.0
oracle retail_point-of-service 14.0.4
oracle retail_price_management 13.0
apache tomcat 7.0.14
oracle retail_insights 16.0
apache tomcat 8.0.18
apache tomcat 7.0.63
apache tomcat 8.0.22
redhat enterprise_linux_eus_compute_node 7.4
apache tomcat 8.5.21
apache tomcat 7.0.59
apache tomcat 8.5.12
apache tomcat 7.0.64
apache tomcat 8.5.10
oracle fmw_platform 12.2.1.2.0
apache tomcat 8.5.16
apache tomcat 7.0.4
apache tomcat 8.0.46
apache tomcat 8.0.14
redhat enterprise_linux_eus_compute_node 7.5
canonical ubuntu_linux 18.04
oracle retail_xstore_point_of_service 7.0.6
apache tomcat 8.5.11
redhat jboss_enterprise_web_server 3.0.0
apache tomcat 9.0.0
oracle retail_returns_management 14.0.4
oracle endeca_information_discovery_integrator 3.2.0
oracle retail_invoice_matching 14.0
apache tomcat 8.0.33
oracle retail_store_inventory_management 15.0.2
apache tomcat 7.0.77
redhat enterprise_linux_workstation 7.0
apache tomcat 8.0.19
apache tomcat 8.0.27
apache tomcat 8.0.29
apache tomcat 8.0.34
apache tomcat 7.0.34
oracle retail_order_broker 16.0
oracle transportation_management 6.3.6
oracle retail_order_management_system 5.0
oracle retail_convenience_and_fuel_pos_software 2.1.132
apache tomcat 7.0.40
oracle micros_retail_xbri_loss_prevention 10.0.1
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_for_ibm_z_systems 6.0_s390x
oracle mysql_enterprise_monitor *
oracle retail_store_inventory_management 12.0.12
apache tomcat 8.0.37
apache tomcat 7.0.80
apache tomcat 7.0.17
oracle retail_invoice_matching 12.0
apache tomcat 7.0.81
oracle retail_store_inventory_management 13.1.9
apache tomcat 7.0.18
redhat enterprise_linux_for_power_big_endian 6.0_ppc64
oracle webcenter_sites 11.1.1.8.0
oracle retail_invoice_matching 13.0
oracle retail_returns_management 2.3.8
apache tomcat 7.0.54
apache tomcat 7.0.0
apache tomcat 8.0.9
apache tomcat 7.0.51
oracle hospitality_guest_access 4.2.0
oracle retail_advanced_inventory_planning 13.2
apache tomcat 7.0.48
apache tomcat 7.0.27
oracle retail_invoice_matching 14.1
apache tomcat 7.0.2
apache tomcat 7.0.69
apache tomcat 8.0.35
redhat enterprise_linux_eus 7.5
redhat jboss_enterprise_application_platform 6.4.0
apache tomcat 8.5.15
apache tomcat 8.5.2
oracle retail_store_inventory_management 13.2.9
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
apache tomcat 8.0.45
redhat enterprise_linux_server_aus 7.7
oracle retail_eftlink 15.0.1
apache tomcat 7.0.11
apache tomcat 8.0.1
redhat enterprise_linux_server_tus 7.4
oracle retail_price_management 13.1
oracle transportation_management 6.3.5
oracle retail_central_office 14.1.3
apache tomcat 7.0.68
apache tomcat 7.0.35
redhat enterprise_linux_for_power_big_endian_eus 7.5_ppc64
oracle micros_retail_xbri_loss_prevention 10.8.1
apache tomcat 7.0.58
oracle micros_lucas 2.9.5
oracle communications_instant_messaging_server 10.0.1
redhat enterprise_linux_server_aus 7.4
apache tomcat 8.5.14
redhat jboss_enterprise_web_server 2.0.0
netapp active_iq_unified_manager *
apache tomcat 7.0.57
redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64
oracle transportation_management 6.3.4
apache tomcat 8.0.13
redhat enterprise_linux_eus 7.4
apache tomcat 7.0.20
oracle retail_store_inventory_management 14.1.3
apache tomcat 8.0.40
apache tomcat 7.0.71
apache tomcat 7.0.45
oracle agile_plm 9.3.3
oracle transportation_management 6.3.1
apache tomcat 7.0.66
apache tomcat 8.0.24
oracle retail_store_inventory_management 13.0.7
apache tomcat 8.0.32
oracle retail_insights 15.0
oracle retail_order_broker 5.1
apache tomcat 7.0.37
apache tomcat 8.5.19
redhat jboss_enterprise_web_server_text-only_advisories -
apache tomcat 8.0.20
oracle transportation_management 6.3.7
oracle agile_plm 9.3.5
apache tomcat 7.0.60
oracle hospitality_guest_access 4.2.1
oracle micros_retail_xbri_loss_prevention 10.5.0
apache tomcat 8.5.22
oracle retail_price_management 13.2
redhat enterprise_linux_for_power_little_endian 7.0
oracle fmw_platform 12.2.1.3.0
oracle retail_insights 14.1
apache tomcat 7.0.62
apache tomcat 7.0.9
apache tomcat 7.0.38
apache tomcat 7.0.44
oracle retail_insights 14.0
apache tomcat 7.0.6
redhat enterprise_linux_eus_compute_node 7.6
netapp oncommand_workflow_automation -
apache tomcat 8.0.6
oracle agile_plm 9.3.4
oracle retail_price_management 14.1
apache tomcat 8.5.8
apache tomcat 7.0.26
apache tomcat 8.5.1
apache tomcat 7.0.19
apache tomcat 7.0.25
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
redhat enterprise_linux_for_power_little_endian_eus 7.5_ppc64le
oracle retail_xstore_point_of_service 6.0.11
redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64
oracle retail_invoice_matching 15.0
oracle retail_advanced_inventory_planning 13.4
apache tomcat 7.0.3
redhat enterprise_linux_for_power_little_endian_eus 7.7_ppc64le
apache tomcat 7.0.67
apache tomcat 8.0.41
CVE-2017-12652 HIGH

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
libpng libpng *
netapp active_iq_unified_manager -
CVE-2017-12859 MEDIUM

NetApp Data ONTAP before 8.2.5, when operating in 7-Mode in NFS environments, allows remote attackers to cause a denial of service via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp data_ontap *
CVE-2017-13652 MEDIUM

NetApp OnCommand Insight version 7.3.0 and versions prior to 7.2.0 are susceptible to clickjacking attacks which could cause a user to perform an unintended action in the user interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp oncommand_insight *
netapp oncommand_insight 7.3.0
CVE-2017-14053 MEDIUM

NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 does not set the secure flag for an unspecified cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_for_clustered_data_ontap *
CVE-2017-14583 MEDIUM

NetApp Clustered Data ONTAP versions 9.x prior to 9.1P10 and 9.2P2 are susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in SMB environments.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.2
netapp clustered_data_ontap *
CVE-2017-15095 HIGH

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
oracle database_server 18.1
oracle banking_platform 2.6.2
redhat satellite_capsule 6.4
oracle communications_instant_messaging_server 10.0.1.2.0
oracle primavera_unifier 16.1
oracle identity_manager 12.2.1.3.0
netapp snapcenter -
oracle banking_platform 2.5.0
oracle communications_diameter_signaling_router *
oracle communications_billing_and_revenue_management 7.5
oracle identity_manager 11.1.2.3.0
oracle database_server 12.2.0.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle enterprise_manager_for_virtualization 13.2.2
fasterxml jackson-databind *
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle primavera_unifier *
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
debian debian_linux 9.0
netapp oncommand_shift -
oracle jd_edwards_enterpriseone_tools 9.2
oracle banking_platform 2.6.1
oracle enterprise_manager_for_virtualization 13.3.1
oracle webcenter_portal 12.2.1.3.0
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.2.3
oracle financial_services_analytical_applications_infrastructure 8.0.7
redhat satellite 6.4
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 7.1.0
netapp oncommand_balance -
oracle financial_services_analytical_applications_infrastructure 8.0.5
oracle financial_services_analytical_applications_infrastructure 8.0.4
redhat jboss_enterprise_application_platform 6.4.0
redhat openshift_container_platform 3.11
oracle clusterware 12.1.0.2.0
oracle financial_services_analytical_applications_infrastructure 8.0.2
redhat openshift_container_platform 4.1
netapp oncommand_performance_manager -
oracle communications_billing_and_revenue_management 12.0
oracle global_lifecycle_management_opatchauto *
oracle financial_services_analytical_applications_infrastructure 8.0.6
CVE-2017-15515 LOW

NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp snapcenter_server *
CVE-2017-15516 MEDIUM

NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
netapp snapcenter_server 1.1
netapp snapcenter_server 2.0
CVE-2017-15517 LOW

AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to obtain sensitive information via unspecified vectors. All users are urged to move to a fixed version and change passwords used by Veritas NetBackup to access the OST shares on the NetApp AltaVault as a precaution.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp altavault_ost_plug-in *
CVE-2017-15518 LOW

All versions of OnCommand API Services prior to 2.1 and NetApp Service Level Manager prior to 1.0RC4 log a privileged database user account password. All users are urged to move to a fixed version. Since the affected password is changed during every upgrade/installation no further action is required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp service_level_manager 1.0
netapp service_level_manager *
netapp oncommand_api_services *
CVE-2017-15519 MEDIUM

Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote attackers to view and modify backup related data via the Plug-in for NAS File Services. All users are urged to move to version 3.0.1 and perform the mitigation steps or upgrade to 4.0 following the product documentation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
netapp snapcenter_server *
CVE-2017-15707 MEDIUM

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
oracle webcenter_portal 12.2.1.3.0
oracle weblogic_server 12.2.1.2
oracle enterprise_manager_for_virtualization 13.2.3
apache struts *
netapp oncommand_balance -
oracle retail_xstore_point_of_service 16.0.2
oracle webcenter_portal 12.2.1.2.0
oracle financial_services_market_risk_measurement_and_management 8.0.5
oracle financial_services_hedge_management_and_ifrs_valuations 8.0.4
oracle financial_services_hedge_management_and_ifrs_valuations 8.0.5
oracle retail_xstore_point_of_service 7.0.6
oracle enterprise_manager_for_virtualization 13.2.2
oracle retail_order_broker 5.2
oracle agile_plm_framework 9.3.6
oracle retail_xstore_point_of_service 6.5.11
oracle retail_xstore_point_of_service 7.1.6
oracle retail_xstore_point_of_service 15.0.1
oracle jd_edwards_enterpriseone_tools 9.2
oracle global_lifecycle_management_opatchauto *
oracle weblogic_server 12.2.1.3
CVE-2017-15710 MEDIUM

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
apache http_server 2.4.1
netapp storage_automation_store -
netapp santricity_cloud_connector -
redhat enterprise_linux 7.5
apache http_server 2.4.9
apache http_server 2.4.7
redhat enterprise_linux 7.6
apache http_server 2.4.12
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache http_server 2.4.6
apache http_server 2.4.10
apache http_server 2.4.29
netapp storagegrid -
apache http_server 2.4.18
apache http_server 2.4.16
apache http_server 2.4.26
canonical ubuntu_linux 14.04
debian debian_linux 9.0
apache http_server 2.4.2
apache http_server 2.4.3
apache http_server 2.4.23
apache http_server 2.4.27
apache http_server 2.4.4
debian debian_linux 8.0
canonical ubuntu_linux 17.10
apache http_server 2.4.20
canonical ubuntu_linux 12.04
redhat enterprise_linux 7.0
apache http_server 2.4.17
redhat enterprise_linux 7.4
netapp clustered_data_ontap -
apache http_server 2.4.28
apache http_server 2.4.25
CVE-2017-15715 MEDIUM

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
apache http_server *
netapp storage_automation_store -
debian debian_linux 8.0
netapp santricity_cloud_connector -
redhat enterprise_linux 7.5
canonical ubuntu_linux 17.10
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
netapp storagegrid -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2017-15906 MEDIUM

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
redhat enterprise_linux_server_aus 7.7
netapp oncommand_unified_manager_core_package -
redhat enterprise_linux_desktop 7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp cloud_backup -
openbsd openssh *
netapp virtual_storage_console 9.6
netapp solidfire -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp cn1610_firmware -
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
oracle sun_zfs_storage_appliance_kit 8.8.6
CVE-2017-16642 MEDIUM

In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
php php *
CVE-2017-17485 HIGH

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 7.1
netapp snapcenter -
netapp e-series_santricity_web_services_proxy -
redhat jboss_enterprise_application_platform 6.4.0
redhat openshift_container_platform 3.11
fasterxml jackson-databind *
redhat openshift_container_platform 4.1
debian debian_linux 9.0
netapp oncommand_shift -
CVE-2017-1779 LOW

IBM Cognos Analytics 11.0 could store cached credentials locally that could be obtained by a local user. IBM X-Force ID: 136824.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.0.1
ibm cognos_analytics 11.0.2
ibm cognos_analytics 11.0.4
ibm cognos_analytics 11.0.6.0
ibm cognos_analytics 11.0.0
ibm cognos_analytics 11.0.5.0
netapp oncommand_insight -
ibm cognos_analytics 11.0.3
ibm cognos_analytics 11.0.7.0
CVE-2017-1783 LOW

IBM Cognos Analytics 11.0 could allow a local user to change parameters set from the Cognos Analytics menus without proper authentication. IBM X-Force ID: 136857.

CVSS 2.0

Severity: LOW

Problem Type: CWE-287,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.0.1
ibm cognos_analytics 11.0.2
ibm cognos_analytics 11.0.4
ibm cognos_analytics 11.0.6.0
ibm cognos_analytics 11.0.0
ibm cognos_analytics 11.0.5.0
netapp oncommand_insight -
ibm cognos_analytics 11.0.3
ibm cognos_analytics 11.0.7.0
CVE-2017-1784 LOW

IBM Cognos Analytics 11.0 could produce results in temporary files that contain highly sensitive information that can be read by a local user. IBM X-Force ID: 136858.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.0.1
ibm cognos_analytics 11.0.2
ibm cognos_analytics 11.0.4
ibm cognos_analytics 11.0.6.0
ibm cognos_analytics 11.0.0
ibm cognos_analytics 11.0.5.0
netapp oncommand_insight -
ibm cognos_analytics 11.0.3
ibm cognos_analytics 11.0.7.0
CVE-2017-3135 MEDIUM

Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
isc bind 9.9.9
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
isc bind 9.11.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.3
isc bind 9.9.10
isc bind 9.9.8
isc bind 9.10.4
isc bind 9.11.0
debian debian_linux 9.0
isc bind 9.10.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
isc bind 9.10.5
netapp element_software_management_node -
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
isc bind 9.9.3
redhat enterprise_linux_server_aus 7.6
CVE-2017-3136 MEDIUM

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp element_software -
isc bind 9.9.0
netapp data_ontap_edge -
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
isc bind 9.11.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.3
isc bind 9.9.10
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
isc bind 9.10.4
isc bind 9.11.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
isc bind 9.10.5
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
isc bind 9.9.3
redhat enterprise_linux_server_aus 7.6
isc bind *
isc bind 9.8.0
CVE-2017-3137 MEDIUM

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp element_software -
netapp data_ontap_edge -
isc bind 9.9.9
redhat enterprise_linux_server_aus 6.2
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_aus 7.2
isc bind 9.11.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.3
isc bind 9.9.10
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
isc bind 9.10.4
redhat enterprise_linux_server_aus 6.6
isc bind 9.11.0
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 6.5
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
isc bind 9.10.5
redhat enterprise_linux_server_aus 6.5
redhat enterprise_linux_server_aus 7.3
netapp oncommand_balance -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_server_tus 6.6
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.2
redhat enterprise_linux_server_aus 6.4
CVE-2017-3138 LOW

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp element_software -
netapp data_ontap_edge -
isc bind 9.9.9
debian debian_linux 8.0
isc bind 9.10.4
isc bind 9.10.5
isc bind 9.11.1
netapp oncommand_balance -
isc bind 9.11.0
isc bind 9.9.10
CVE-2017-3140 MEDIUM

If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query. Affects BIND 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp element_software -
netapp data_ontap_edge -
isc bind *
isc bind 9.10.5
netapp oncommand_balance -
isc bind 9.9.10
CVE-2017-3145 MEDIUM

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server 6.0
juniper junos 17.4r2
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
redhat enterprise_linux_server_aus 6.6
debian debian_linux 9.0
redhat enterprise_linux_server_eus 6.7
juniper junos 12.1x46-d76
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
isc bind 9.9.11
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
isc bind 9.10.6
redhat enterprise_linux_server_aus 7.4
isc bind 9.10.5
isc bind 9.12.0
redhat enterprise_linux_server_aus 6.5
juniper junos 18.1r2
redhat enterprise_linux_server_aus 7.3
juniper junos 15.1x49-d140
juniper junos 18.2r1
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_server_tus 6.6
isc bind 9.9.3
redhat enterprise_linux_server_aus 7.6
isc bind *
juniper junos 12.3x48-d70
redhat enterprise_linux_server_aus 6.4
CVE-2017-3167 HIGH

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_eus 6.7
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
netapp storagegrid -
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
apache http_server *
redhat jboss_core_services 1.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
oracle secure_global_desktop 5.3
apple mac_os_x *
CVE-2017-5123 MEDIUM

Insufficient data validation in waitid allowed an user to escape sandboxes on Linux.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2017-5201 LOW

NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors, a different vulnerability than CVE-2016-3064.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.0
CVE-2017-5340 HIGH

Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
php php *
CVE-2017-5600 HIGH

The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 allows remote attackers to obtain administrative access by leveraging a default privileged account.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
netapp oncommand_insight *
CVE-2017-5638 HIGH

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-755,CWE-755,

Products Affected

Vendor Product Version
apache struts 2.3.20
apache struts 2.3.19
apache struts 2.3.15
apache struts 2.3.10
ibm storwize_v5000_firmware 7.7.1.6
lenovo storage_v5030_firmware 7.8.1.0
apache struts 2.3.25
apache struts 2.3.13
oracle weblogic_server 10.3.6.0.0
apache struts 2.3.20.2
apache struts 2.3.14
hp server_automation 10.5.0
apache struts 2.3.15.1
apache struts 2.3.16
apache struts 2.3.28
apache struts 2.5.5
apache struts 2.3.21
apache struts 2.3.12
apache struts 2.5.3
hp server_automation 10.0.0
apache struts 2.3.17
apache struts 2.3.24.1
apache struts 2.3.11
oracle weblogic_server 12.2.1.2.0
hp server_automation 9.1.0
ibm storwize_v7000_firmware 7.8.1.0
apache struts 2.5.4
apache struts 2.3.20.1
apache struts *
apache struts 2.3.31
apache struts 2.3.24.3
apache struts 2.3.24
ibm storwize_v5000_firmware 7.8.1.0
apache struts 2.3.14.2
apache struts 2.3.9
apache struts 2.5.6
apache struts 2.5.10
apache struts 2.3.16.1
apache struts 2.3.14.1
ibm storwize_v7000_firmware 7.7.1.6
hp server_automation 10.1.0
apache struts 2.3.14.3
apache struts 2.3.6
apache struts 2.3.5
apache struts 2.5
hp server_automation 10.2.0
oracle weblogic_server 12.1.3.0.0
apache struts 2.3.22
apache struts 2.3.23
arubanetworks clearpass_policy_manager *
apache struts 2.5.9
oracle weblogic_server 12.2.1.1.0
apache struts 2.3.28.1
apache struts 2.3.7
apache struts 2.3.16.2
lenovo storage_v5030_firmware 7.7.1.6
apache struts 2.5.7
apache struts 2.3.30
apache struts 2.3.20.3
apache struts 2.5.8
apache struts 2.5.2
apache struts 2.3.8
apache struts 2.3.16.3
ibm storwize_v3500_firmware 7.7.1.6
netapp oncommand_balance -
apache struts 2.3.24.2
apache struts 2.3.15.2
apache struts 2.5.1
apache struts 2.3.26
apache struts 2.3.29
apache struts 2.3.15.3
apache struts 2.3.27
ibm storwize_v3500_firmware 7.8.1.0
CVE-2017-5645 HIGH

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_platform 2.6.0
netapp storage_automation_store -
oracle soa_suite 12.2.2.0.0
redhat enterprise_linux 7.5
oracle retail_advanced_inventory_planning 14.0
oracle retail_service_backbone 14.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux 6.7
oracle in-memory_performance-driven_planning 12.2
oracle autovue_vuelink_integration 21.0.0
oracle retail_integration_bus 15.0
oracle weblogic_server 10.3.6.0.0
oracle flexcube_investor_servicing 12.3.0
oracle communications_network_integrity *
oracle insurance_rules_palette 11.0
oracle jd_edwards_enterpriseone_tools 9.2
oracle insurance_rules_palette 10.2
oracle banking_platform 2.6.1
oracle policy_automation 10.4.7
oracle enterprise_manager_for_mysql_database *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
oracle policy_automation 12.2.7
oracle enterprise_manager_for_oracle_database 13.2.2
netapp oncommand_insight -
oracle peoplesoft_enterprise_fin_install 9.2
oracle financial_services_loan_loss_forecasting_and_provisioning 8.0.4
oracle financial_services_hedge_management_and_ifrs_valuations 8.0.4
oracle financial_services_regulatory_reporting_with_agilereporter 8.0.9.2.0
oracle retail_open_commerce_platform 6.0.0
redhat enterprise_linux_server_aus 7.6
oracle retail_integration_bus 16.0
oracle retail_extract_transform_and_load 19.0
oracle retail_open_commerce_platform 5.3.0
oracle goldengate 12.3.2.1.1
oracle policy_automation_for_mobile_devices 12.2.9
oracle communications_service_broker 6.0
oracle enterprise_manager_for_oracle_database 12.1.0.8
oracle financial_services_analytical_applications_infrastructure *
oracle financial_services_loan_loss_forecasting_and_provisioning 8.0.5
oracle bi_publisher 11.1.1.7.0
oracle bi_publisher 12.2.1.4.0
oracle retail_service_backbone 15.0
oracle communications_messaging_server *
oracle mysql_enterprise_monitor *
oracle primavera_gateway *
oracle identity_management_suite 12.2.1.3.0
oracle configuration_manager 12.1.2.0.5
redhat fuse 1.0
oracle financial_services_lending_and_leasing 12.5.0
oracle fusion_middleware_mapviewer 12.2.1.2
oracle enterprise_manager_for_fusion_middleware 12.1.0.5
redhat enterprise_linux 7.6
oracle policy_automation 12.1.0
oracle instantis_enterprisetrack *
oracle communications_converged_application_server_-_service_controller 6.1
oracle rapid_planning 12.2
oracle retail_extract_transform_and_load 13.0
oracle identity_manager_connector 9.0
oracle jd_edwards_enterpriseone_tools 4.0.1.0
oracle policy_automation 12.2.2
oracle insurance_policy_administration 10.0
oracle flexcube_investor_servicing 12.0.4
oracle financial_services_behavior_detection_platform 6.1.1
oracle financial_services_lending_and_leasing *
oracle policy_automation 12.2.5
oracle siebel_ui_framework 18.8
redhat enterprise_linux 7.3
oracle retail_extract_transform_and_load 13.1
oracle enterprise_data_quality 12.2.1.3.0
oracle retail_advanced_inventory_planning 15.0
oracle siebel_ui_framework 18.9
oracle policy_automation 12.2.1
oracle communications_interactive_session_recorder *
oracle retail_predictive_application_server 15.0.3
oracle financial_services_behavior_detection_platform *
oracle soa_suite 12.2.1.3.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux 6.0
oracle endeca_information_discovery_studio 3.2.0
oracle jdeveloper 12.2.1.3.0
oracle insurance_rules_palette 11.1
oracle policy_automation_for_mobile_devices 12.2.3
oracle policy_automation 12.2.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
oracle policy_automation_for_mobile_devices 12.2.10
redhat enterprise_linux_server_tus 7.4
oracle insurance_rules_palette 10.1
netapp snapcenter -
netapp service_level_manager -
oracle financial_services_profitability_management *
oracle policy_automation 12.2.4
oracle timesten_in-memory_database 11.2.2.8.49
oracle policy_automation_for_mobile_devices 12.2.6
oracle policy_automation_for_mobile_devices 12.2.7
oracle autovue_vuelink_integration 21.0.1
oracle policy_automation_for_mobile_devices 12.2.4
oracle soa_suite 12.1.3.0.0
oracle insurance_calculation_engine 10.1.1
oracle insurance_policy_administration 11.0
oracle jdeveloper 11.1.1.9.0
oracle enterprise_manager_base_platform 13.2.0.0
oracle policy_automation_for_mobile_devices 12.2.1
oracle policy_automation_for_mobile_devices 12.2.5
oracle policy_automation 12.2.8
redhat enterprise_linux_server_aus 7.4
oracle identity_analytics 11.1.1.5.8
oracle enterprise_manager_for_peoplesoft 13.1.1.1
oracle insurance_rules_palette 10.0
oracle retail_integration_bus 14.0.0
oracle insurance_policy_administration 10.2
oracle flexcube_investor_servicing 14.0.0
oracle rapid_planning 12.1
oracle identity_management_suite 11.1.2.3.0
oracle communications_webrtc_session_controller *
oracle policy_automation_for_mobile_devices 10.4.7
redhat enterprise_linux_server_tus 7.6
oracle api_gateway 11.1.2.4.0
redhat enterprise_linux 7.4
oracle policy_automation_connector_for_siebel 10.4.6
oracle financial_services_profitability_management 6.1.1
oracle communications_pricing_design_center 11.1
oracle retail_clearance_optimization_engine 14.0.5
oracle tape_library_acsls 8.4
oracle communications_instant_messaging_server 10.0.1.3.0
oracle configuration_manager 12.1.2.0.2
oracle policy_automation 12.2.3
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle policy_automation 12.1.1
oracle banking_platform 2.6.2
oracle bi_publisher 11.1.1.9.0
netapp oncommand_api_services -
oracle fusion_middleware_mapviewer 12.2.1.3
oracle retail_extract_transform_and_load 13.2
oracle enterprise_manager_for_fusion_middleware 13.2.0.0
oracle weblogic_server 14.1.1.0.0
oracle communications_online_mediation_controller 6.1
oracle enterprise_manager_base_platform 12.1.0.5
oracle utilities_work_and_asset_management 1.9.1.2.12
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
oracle enterprise_manager_for_peoplesoft 13.2.1.1
oracle retail_open_commerce_platform 6.0.1
oracle bi_publisher 12.2.1.3.0
oracle policy_automation 12.2.6
netapp oncommand_workflow_automation -
oracle flexcube_investor_servicing 12.4.0
oracle policy_automation_for_mobile_devices 12.1.1
oracle policy_automation_for_mobile_devices 12.2.0
oracle communications_pricing_design_center 12.0
oracle policy_automation_for_mobile_devices 12.2.8
oracle flexcube_investor_servicing 12.1.0
oracle policy_automation_for_mobile_devices 12.1.0
oracle policy_automation 12.2.9
oracle retail_service_backbone 16.0
oracle in-memory_performance-driven_planning 12.1
oracle policy_automation 12.2.10
oracle insurance_policy_administration 10.1
oracle jdeveloper 12.1.3.0.0
apache log4j *
oracle weblogic_server 12.2.1.4.0
oracle financial_services_hedge_management_and_ifrs_valuations 8.0.5
redhat enterprise_linux 7.0
oracle goldengate_application_adapters 12.3.2.1.1
oracle insurance_calculation_engine 10.2.1
oracle siebel_ui_framework 18.7
oracle retail_integration_bus 14.1.0
oracle policy_automation_for_mobile_devices 12.2.2
CVE-2017-5715 LOW

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.1 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-203,CWE-203,

Products Affected

Vendor Product Version
intel xeon_phi 7230
intel core_i5 4402ec
intel core_i7 3770t
intel xeon_e3_1225_v3 -
intel core_i5 750s
intel xeon_e5_2408l_v3 -
intel xeon_e3_1275_v5 -
intel core_i5 6440eq
intel pentium_n n3530
intel core_i3 4100m
intel core_i7 4610m
intel xeon_e7 4820
intel xeon_e3_1225_v2 -
intel xeon_e5 2660_v3
intel xeon_e5 4648_v3
intel xeon_e7 2880_v2
intel xeon_e5 2698_v3
intel core_i7 640m
intel xeon_e5_2609_v2 -
intel xeon_e3 1505m_v6
intel xeon_e5 4620_v4
intel atom_x3 c3235rk
intel xeon_gold 6146
intel core_i5 650
intel xeon_phi 7295
intel atom_z z3530
intel xeon_e5 4650_v2
intel core_i3 4010u
intel xeon_gold 6138f
intel core_i5 2450p
intel xeon_phi 7230f
intel core_i5 4402e
intel xeon_e5 4617
intel core_i7 870s
intel atom_z z3775d
intel xeon_e5 2658a_v3
intel xeon_e7 4807
intel core_i3 2367m
intel xeon_e5 2650l_v4
intel xeon_e3_1220_v3 -
intel xeon_e5_2620_v2 -
intel xeon e5530
intel xeon_e5_2403_v2 -
intel xeon_e5 4657l_v2
intel core_i7 2675qm
intel core_i3 5020u
intel core_m 5y31
intel core_i3 370m
intel core_i7 980
intel core_i3 4340
intel core_i5 4278u
intel xeon_e3_1240l_v5 -
intel core_i5 655k
intel core_i5 3439y
intel core_i5 3210m
intel xeon_e3_1220 -
intel core_i5 4570t
intel core_i5 4200u
intel xeon_e5 2690_v3
intel core_i5 520m
intel core_i7 2960xm
intel core_i7 4790t
intel xeon x3480
intel core_i5 4460
intel core_i7 3632qm
intel xeon_e5 2683_v4
intel xeon_e5_2618l_v4 -
intel core_i3 3250
intel core_i3 4110e
intel xeon_e5 4655_v3
intel xeon_e7 8870
intel core_i5 4210u
intel core_i3 5005u
intel xeon ec5539
intel xeon_e7 2803
intel xeon_e5_2620_v4 -
intel atom_z z2560
intel celeron_j j1850
intel xeon_e7 8870_v2
intel celeron_n n3350
intel atom_c c2350
intel core_i7 4710mq
intel xeon_e5 4640_v3
intel xeon e5540
intel xeon_e5_2603_v3 -
intel core_i5 670
intel xeon_e5_2650_v4 -
intel atom_c c3750
intel core_i7 2640m
intel atom_c c3308
intel core_i5 8350u
intel core_i5 4670
intel xeon_e7 8893_v2
intel xeon_e5_2603_v2 -
intel core_i7 5557u
intel atom_z z3775
intel core_i3 3120me
intel xeon_e3 1565l_v5
intel core_i7 4650u
intel core_m5 6y57
intel core_i5 4670r
intel xeon_e3 1575m_v5
intel xeon_e5_2628l_v2 -
intel core_i3 2377m
intel core_i7 5600u
intel core_i3 6100t
intel xeon_e3_1270_v2 -
intel core_i5 3470s
intel xeon_e5 2697_v3
intel xeon_e3_1220l_v3 -
intel core_i7 2610ue
intel core_m 5y10
intel xeon_e5_2450 -
intel core_i5 3550s
intel core_i5 2450m
intel core_i7 7660u
intel xeon e5620
intel core_i7 2655le
intel core_m 5y51
intel xeon_platinum 8156
intel core_i3 4160t
intel core_i7 2635qm
intel xeon_silver 4114t
intel core_i7 860s
intel xeon_e7 8891_v2
intel core_i3 4330te
intel atom_c c2308
intel xeon_e3_1290_v2 -
intel xeon_e5_1660_v2 -
intel xeon_e5 4650
intel core_i5 4570
intel core_i7 4700mq
debian debian_linux 9.0
intel core_i3 4005u
intel core_i3 6157u
intel core_i3 2330m
intel core_i3 3229y
intel xeon_e7 8830
intel core_i7 5950hq
intel xeon_e5_2603 -
intel xeon_e3_1105c_v2 -
intel core_i5 6585r
intel core_i3 5015u
intel xeon_e7 8837
intel atom_z z3745d
intel xeon_e7 4860
intel core_i7 7920hq
intel xeon_e3_1280_v3 -
intel xeon e5507
intel core_i3 3250t
intel xeon_e5 4669_v4
intel core_i7 4765t
intel xeon_e3_1275_v2 -
intel core_i5 4570te
intel core_i7 8700
intel atom_z z3560
intel xeon_gold 6130f
canonical ubuntu_linux 18.04
intel core_i5 4210m
intel core_i5 3470
intel core_i7 5750hq
intel xeon_e5_2628l_v4 -
intel xeon e5506
intel core_i3 4158u
intel xeon_e7 8880l_v2
intel atom_c c2558
intel xeon_e3_1505m_v5 -
intel core_i5 661
intel xeon_e5_1428l_v2 -
intel xeon_e5_2450l -
intel xeon_e3 1535m_v6
intel xeon_e3_1260l_v5 -
intel core_i7 4770s
intel xeon_e3_1501l_v6 -
intel core_i5 6600
intel atom_c c2718
intel xeon_e5_2648l -
intel core_i7 4980hq
intel core_i5 2410m
intel xeon_e5 2667_v2
intel xeon_e3_1220_v2 -
intel xeon_e3_1280_v5 -
intel xeon_e5_2430_v2 -
intel xeon_e5_2618l_v2 -
intel core_i3 4150
intel core_i7 4960hq
intel atom_c c2508
intel atom_z z3770
intel xeon_phi 7290f
intel xeon_e7 8893_v3
intel core_i3 2115c
intel xeon_e5 2690_v2
intel xeon_e5_1620_v2 -
intel core_i5 6300hq
intel xeon_e5 2660_v2
intel xeon_e7 8891_v3
intel xeon_e7 4809_v4
intel core_i5 2500t
intel core_i3 330um
intel core_i5 4330m
intel xeon_gold 6126f
intel core_i5 2550k
intel atom_z z3736f
intel xeon_e3_1235 -
intel core_i7 4550u
intel xeon_e3_1280 -
intel xeon_e5_2640 -
intel core_i3 4330
intel xeon_e3_1240 -
intel core_i7 4510u
intel xeon_e5_1620 -
intel core_i5 3470t
intel core_i5 6260u
intel xeon x3460
intel core_i5 4302y
intel core_i3 4030y
intel xeon_e5 2697a_v4
intel atom_x3 c3205rk
intel xeon_e5_2407 -
intel xeon_e3_1225 -
intel core_i7 5775c
intel xeon_e3_1230 -
intel core_i7 960
intel xeon ec5549
intel xeon_platinum 8170m
intel atom_c c3958
intel xeon_e7 8894_v4
intel core_i7 2649m
intel atom_c c2550
intel xeon_e5 4667_v4
intel celeron_n n2940
intel atom_z z2760
intel core_i5 3340m
intel xeon_e3_1230_v3 -
intel core_i5 520e
intel core_i5 4210h
intel core_i7 8700k
intel xeon w3690
intel core_i7 4750hq
intel core_i7 4770hq
intel core_i7 4702mq
intel xeon e5606
intel xeon_e5_2650 -
intel xeon e5503
intel xeon_e5_2450l_v2 -
intel core_i5 2390t
intel core_i5 3610me
intel xeon_e7 8890_v4
intel core_i5 3450s
intel xeon_e3_1235l_v5 -
intel xeon_e3_1285l_v3 -
intel core_i5 580m
intel atom_z z3745
intel xeon_silver 4116t
intel celeron_n n2930
intel xeon_e5_2608l_v4 -
intel xeon_e7 2850
intel core_i7 2820qm
intel atom_c c2518
intel core_i3 2105
intel core_i7 5775r
intel atom_z z2460
intel core_i7 2600s
intel xeon e7540
intel core_i5 5287u
intel core_i3 330e
intel atom_c c2530
intel core_i5 4300y
intel core_i3 4350
intel core_i3 380m
intel core_i5 5575r
intel xeon_e3_1230_v5 -
intel core_i5 4570s
intel core_i3 4170t
intel xeon_e3_1246_v3 -
intel xeon x5560
intel core_i3 4130
intel xeon_e5_1620_v4 -
intel xeon_e7 2850_v2
intel core_i5 3337u
intel core_i5 4430
intel core_i7 3720qm
intel core_i7 7700k
intel xeon e7520
intel core_i3 4150t
intel xeon e5630
intel core_i7 4950hq
intel core_i5 2500s
intel core_i5 4288u
intel core_i5 4310u
intel atom_c c2750
intel core_i5 4422e
intel xeon_e3_1220_v5 -
intel atom_z z3735g
intel core_i7 2670qm
intel core_i7 5550u
intel core_i7 4810mq
intel xeon_e5 4607_v2
intel xeon_e3_1240_v5 -
intel core_i5 520um
intel core_i5 3570s
intel xeon_gold 6142m
intel core_i3 390m
intel core_i7 3555le
intel xeon_e7 8890_v2
intel core_i7 4610y
intel xeon_e7 2860
intel core_i7 3740qm
intel xeon_silver 4114
intel xeon_e3_1285_v6 -
intel atom_x3 c3295rk
intel core_i7 2920xm
intel xeon e5649
intel xeon_e3_1270 -
intel core_i7 4790k
intel xeon_e5_2430 -
intel core_i7 3610qm
intel xeon_e7 8890_v3
intel xeon_gold 6150
intel core_i7 620ue
intel xeon_gold 6126
intel xeon_e5_2630 -
intel xeon_e5_2630_v2 -
intel celeron_j j1750
intel xeon_e5_1630_v4 -
intel core_i7 7700t
intel atom_x3 c3405
intel xeon_e3_1240_v6 -
intel core_i7 7560u
intel xeon_gold 6154
intel core_i7 3520m
intel xeon_e7 4809_v3
intel xeon_e5_2650l_v3 -
intel core_i7 2677m
canonical ubuntu_linux 17.04
intel core_i7 4712hq
intel xeon_e3_1258l_v4 -
intel xeon_e5 2687w_v2
intel xeon_e5_2418l_v2 -
intel core_i5 3317u
intel xeon_platinum 8176f
intel core_i7 4850hq
intel xeon_e7 8880_v4
intel xeon_e5 2695_v2
intel xeon_silver 4108
intel xeon x5672
intel xeon_e7 4820_v4
intel xeon_e5 2680_v3
intel core_i5 6360u
intel core_i3 4340te
intel xeon_e7 8850
intel core_i7 3667u
intel xeon_bronze_3106 -
intel core_m 5y71
intel core_i5 480m
intel core_i3 2125
intel core_i3 4020y
intel xeon x6550
intel core_i5 3450
intel xeon_e5_2609_v3 -
intel core_i5 6350hq
intel xeon e5504
intel core_i7 3517u
intel xeon_e5_2650l_v2 -
intel core_i5 660
intel xeon_e5 4640
intel core_i5 5250u
intel core_i3 330m
intel core_i3 3217u
intel xeon_e5_2628l_v3 -
intel core_i7 8650u
intel xeon_e7 4860_v2
intel core_i3 530
intel core_i7 4700hq
intel xeon_e5 4610_v3
intel core_i7 4785t
intel xeon_platinum 8160f
intel xeon e5640
intel xeon_e5_2637 -
intel core_i7 4771
intel xeon_e3_1245_v5 -
intel core_i5 3330s
intel core_i7 8550u
intel xeon_e5_2620 -
intel xeon_e5 4620
intel core_i3 6098p
intel xeon_e5_2637_v2 -
intel core_i3 6100h
intel core_i7 4770t
intel xeon_e7 8860_v3
canonical ubuntu_linux 16.04
intel xeon_e7 4870_v2
intel core_i7 2720qm
intel xeon e5603
intel core_i5 5257u
intel core_i5 4670k
intel core_i7 2630qm
intel core_i3 4170
intel core_i5 6600t
intel xeon_e5_2420_v2 -
intel core_i3 4010y
intel core_i5 6400
intel celeron_n n2820
intel atom_c c2358
intel core_i3 3240t
intel core_i3 4100u
intel xeon x5670
intel xeon_e3 1535m_v5
intel xeon_e5_1650_v2 -
intel atom_x3 c3230rk
intel core_i7 4700ec
intel xeon_e5 2699_v4
intel xeon_e3_1505l_v5 -
intel core_i5 460m
intel xeon x3450
intel core_i3 3130m
intel xeon_e3_1275_v3 -
intel xeon_e5_2650_v3 -
intel xeon l5640
intel xeon_gold 5115
intel core_i5 5350h
intel core_i7 860
intel celeron_j j1900
intel xeon_e3_1245 -
intel core_i7 7700
intel xeon_e3_1230_v6 -
intel xeon_e5 2698_v4
intel xeon_e3_1276_v3 -
intel xeon_gold 6128
intel xeon_platinum 8180
intel xeon_e3_1265l_v2 -
intel core_i7 2600
intel atom_e e3827
intel core_i7 5500u
intel core_i7 3840qm
intel core_i3 4370t
intel xeon l5518
intel core_i7 3770s
intel atom_z z3795
intel xeon l5508
intel xeon ec5509
intel core_i5 6267u
intel xeon_e5 2680_v4
intel core_i5 3570t
intel xeon l7555
intel xeon_gold 5119t
intel atom_c c2538
intel celeron_j j3455
intel core_i5 3350p
intel atom_c c2316
intel core_i5 2310
intel xeon_e5_2640_v4 -
intel xeon_e7 8870_v3
intel core_i3 550
intel core_i7 4700eq
intel core_i5 4670s
intel atom_c c2338
intel core_i7 2760qm
intel xeon_e5 4610_v4
intel xeon_e7 4830_v2
intel core_i3 4100e
intel core_i3 2100t
intel xeon_e5_2643_v4 -
intel xeon l3426
intel core_i3 3220t
intel xeon_e5_2428l_v2 -
intel core_i5 3437u
intel xeon_platinum 8160t
intel xeon_e7 2890_v2
intel pentium_j j4205
intel core_i3 4030u
intel xeon_e3_1281_v3 -
intel xeon_e5 2687w_v4
intel core_i7 2700k
intel atom_c c2758
intel atom_z z3740
intel core_i5 4440s
intel core_i3 5157u
intel core_i7 920xm
intel celeron_n n2815
intel xeon_e7 4830_v4
intel celeron_j j3060
intel celeron_j j4005
intel atom_c c2516
intel celeron_n n3010
intel core_i5 4410e
intel xeon_e5_2630_v3 -
oracle communications_diameter_signaling_router 8.1
intel xeon_e3_1275_v6 -
intel xeon_e5 2699a_v4
oracle communications_diameter_signaling_router 8.0.0
intel core_i7 610e
intel core_i5 6300u
intel xeon_phi 7285
intel xeon_e3_1285l_v4 -
intel atom_z z3770d
intel core_i5 2500k
intel xeon_e5_2640_v2 -
intel core_i7 2710qe
intel atom_z z3735f
intel pentium_n n3520
intel xeon x7550
intel xeon_e3_1505l_v6 -
intel xeon_e5_1650_v4 -
intel xeon x5570
intel xeon_e3_1501m_v6 -
intel core_i7 2629m
intel xeon x3470
intel xeon_e5_2623_v3 -
intel xeon_e5 4624l_v2
intel xeon_e5_2630l_v3 -
intel xeon_e5_2643_v3 -
intel core_i5 430um
intel core_m7 6y75
intel xeon_e5 2690_v4
intel xeon_e5_1428l -
intel core_i5 4200h
intel xeon_e3_1225_v6 -
intel xeon_e5 4603_v2
intel xeon_e7 4830
intel core_i7 5850hq
intel celeron_n n2840
intel xeon_e7 2830
intel core_i7 2715qe
intel xeon_e5 2658
intel xeon_gold 6142f
intel xeon_e5 2695_v4
intel xeon_e7 4820_v2
intel xeon x5680
netapp solidfire -
intel atom_z z3736g
intel xeon_e5_2428l_v3 -
intel xeon_e5_1660_v3 -
intel core_i7 3610qe
intel xeon_e5_2630l_v2 -
intel xeon_e3_1220_v6 -
intel core_i3 6300
intel core_i7 660ue
intel xeon_e7 8880_v3
intel core_i7 5650u
intel core_i5 4460t
intel core_i7 875k
intel core_i7 720qm
intel core_i7 4860hq
intel xeon_e3_1275l_v3 -
intel xeon_e5 2670
intel core_i5 3339y
intel core_i5 4690s
intel xeon_platinum 8160m
intel xeon_e3_1125c -
siemens simatic_winac_rtx_(f)_firmware 2010
intel atom_z z2420
intel core_i5 4220y
intel core_i3 5010u
intel core_i5 680
intel core_i7 4800mq
intel core_i3 2120t
intel core_i5 6200u
intel xeon l3406
intel core_i3 6100
intel xeon_e3_1268l_v5 -
intel atom_x3 c3445
intel core_i3 2328m
intel xeon x5687
intel core_i7 3820qm
intel xeon_e5_2620_v3 -
intel xeon_e7 2870
intel xeon_e5 4620_v2
intel core_i5 4210y
intel pentium_n n3510
intel xeon l5530
intel xeon_e5 2658_v3
intel core_i5 4350u
intel core_i5 6287u
intel core_i5 750
intel core_i7 4900mq
intel xeon_e5_2470_v2 -
intel xeon_gold 5120
arm cortex-a 72
intel atom_z z2520
intel xeon_e5_1630_v3 -
intel xeon e5645
intel celeron_n n3060
intel xeon_gold 6126t
intel xeon_e7 2820
intel core_i7 930
intel atom_c c3858
intel xeon_e5 2697_v2
intel xeon_e5_2440_v2 -
intel core_i7 7820hq
intel core_i5 4308u
intel core_i7 7600u
intel core_i3 3227u
intel core_i7 660um
intel xeon_e5_2650l -
intel core_i7 3635qm
intel atom_z z3460
intel xeon_e5 2680_v2
intel core_i3 3115c
intel core_i5 2405s
intel core_i7 7700hq
intel atom_z z3480
intel xeon_gold 6152
intel xeon_e7 4850_v4
intel xeon_e3_1245_v3 -
intel core_i3 3210
intel core_i7 880
intel celeron_n n3450
intel xeon_e7 8850_v2
intel xeon_phi 7250f
intel core_i5 4690t
intel core_i5 4250u
intel xeon_e5 2667_v3
intel core_i5 2380p
intel atom_c c2730
intel xeon_e5_2418l -
intel xeon_e5 4640_v2
intel xeon_e5_2643 -
intel xeon_gold 5120t
intel core_i3 8350k
intel xeon_e5 4669_v3
intel xeon l5630
intel xeon_gold 5122
intel xeon_e7 8867_v3
arm cortex-a 9
intel core_i3 560
intel core_i5 6442eq
intel xeon_e3 1515m_v5
intel core_i5 2400s
intel xeon_gold 6132
intel celeron_n n2830
intel xeon_e3_1280_v2 -
intel xeon_e3_1280_v6 -
intel xeon_e5_2609 -
intel core_i5 8250u
intel atom_z z3735d
intel xeon_e5_2630_v4 -
intel xeon_e7 8867_v4
intel atom_z z3735e
intel xeon_platinum 8176m
intel core_i5 3570k
intel xeon_e3_1230l_v3 -
intel core_i7 4712mq
intel core_i3 8100
intel xeon_e7 4880_v2
intel xeon_silver 4112
intel core_i5 4690k
intel core_i3 4120u
intel xeon_gold 6140m
intel atom_z z2580
intel xeon x5650
intel xeon_e5_2448l -
intel core_i5 3475s
intel celeron_n n2810
intel core_i7 680um
intel xeon lc5518
intel core_i3 350m
intel atom_x7-e3950 -
intel core_i5 760
intel core_i5 6500t
intel xeon_e5 2687w_v3
intel core_i7 920
intel core_i7 3630qm
intel xeon_e7 8860
intel core_i7 620le
intel atom_c c3758
intel core_i3 6300t
intel core_i7 975
intel xeon_e7 4870
intel xeon_e3_1240l_v3 -
intel xeon_e3_1241_v3 -
intel core_i3 3225
oracle communications_diameter_signaling_router 8.3
intel core_i3 2102
intel core_i5 4400e
debian debian_linux 8.0
intel core_i5 4310m
intel xeon_e3_1271_v3 -
intel core_i5 3360m
intel core_i7 870
intel core_i3 4000m
intel core_i3 6100e
intel atom_x3 c3130
intel core_i3 4370
intel celeron_n n4100
intel xeon_e3_1278l_v4 -
intel core_i5 3570
intel xeon_silver 4110
intel core_i5 2435m
intel core_i7 3615qe
intel core_i5 2400
intel core_i7 620lm
intel core_i5 6685r
intel xeon_e5 4610_v2
intel core_i5 4590t
intel core_i3 6167u
intel celeron_n n3160
intel core_i5 8600k
intel atom_x3 c3265rk
intel atom_c c3955
intel core_i5 5675c
intel xeon_platinum 8153
intel core_i7 3770
intel core_i5 2500
intel core_m3 7y30
intel xeon w3670
intel atom_c c3338
intel core_i7 990x
intel core_i7 7567u
intel core_i3 6100te
intel core_i5 6440hq
intel core_i7 970
intel core_i5 5675r
intel xeon x5647
intel core_i7 4500u
intel core_m 5y70
intel atom_c c3830
intel xeon_e3 1578l_v5
intel xeon_e5 2660
intel pentium_n n3700
intel xeon_phi 7290
arm cortex-a 17
intel celeron_j j3160
intel xeon_e5 4603
intel core_i5 4590
intel core_i3 4012y
intel core_i7 4710hq
intel xeon_e5 4628l_v4
intel core_i7 3612qm
intel celeron_n n4000
intel xeon_e7 8860_v4
intel core_i5 560m
intel atom_c c3558
intel xeon_e3_1270_v5 -
intel xeon_gold 6140
intel xeon_e5 4620_v3
intel core_i5 4670t
intel core_i7 840qm
intel xeon x5690
intel xeon_e3_1285_v3 -
intel celeron_n n3150
intel core_i7 2617m
intel celeron_j j4105
intel core_i5 3340
intel atom_c c3850
intel xeon_e5_2603_v4 -
intel xeon_platinum 8176
intel xeon_e3 1558l_v5
intel xeon_e5 2687w
intel xeon_gold 6138
intel core_i7 950
intel xeon_e5 2699_v3
intel core_i7 4578u
intel xeon x5675
intel xeon_gold 6130
intel xeon x5677
intel xeon_gold 6138t
intel core_i3 4160
intel core_i7 2860qm
intel atom_e e3845
intel xeon_e5_2630l_v4 -
intel core_i7 4760hq
intel xeon_e7 8891_v4
intel xeon_e5_2650_v2 -
intel atom_z z3590
intel xeon_e5_1620_v3 -
intel xeon_e7 4890_v2
intel core_i5 3330
intel xeon_e5_2450_v2 -
intel xeon_e5_2618l_v3 -
intel core_i3 2375m
intel xeon_e5 2667
intel celeron_n n2910
intel xeon_e3_1225_v5 -
intel xeon_e3_1240_v3 -
intel pentium_j j2900
intel pentium_n n3710
intel core_i5 430m
intel core_i5 4360u
intel core_i3 2330e
intel core_i7 4770k
intel xeon_gold 6144
intel xeon_e3_1275 -
intel core_m3 6y30
intel core_i7 4770te
intel xeon_e7 4850
intel core_i5 4258u
intel xeon e7530
intel xeon_e3_1290 -
intel xeon_e3_1260l -
intel core_i5 4200y
intel xeon_e5_1660 -
intel xeon_e3 1545m_v5
intel core_i5 4340m
intel core_i3 2348m
intel core_i7 5700eq
intel core_i7 2620m
intel core_i5 2540m
intel xeon_e3 1585_v5
intel xeon_e5 4640_v4
intel xeon l5638
intel core_i5 4202y
intel xeon_e3 1585l_v5
intel xeon_e5_2438l_v3 -
intel core_i7 4558u
intel core_i7 820qm
intel core_i7 2600k
intel core_i7 4702hq
intel xeon_e5 2699r_v4
intel core_m5 6y54
intel xeon_e5 2695_v3
intel xeon_e5_2623_v4 -
intel xeon_gold 6134
intel core_i3 3240
intel xeon x5550
canonical ubuntu_linux 14.04
intel xeon_e7 4809_v2
intel celeron_n n2805
intel core_i3 2340ue
intel xeon_e3_1286l_v3 -
intel pentium_n n4200
intel celeron_j j1800
intel celeron_n n3050
intel xeon_e5_2407_v2 -
intel xeon_e5 2658_v2
intel xeon x7560
intel xeon_silver 4109t
intel xeon lc5528
intel core_i5 5200u
intel xeon_e7 2870_v2
intel xeon_e5 2680
intel xeon_e3_1286_v3 -
intel xeon_platinum 8168
intel xeon_e7 8870_v4
intel core_i7 7500u
intel atom_x5-e3940 -
intel xeon_e3_1231_v3 -
intel xeon e5502
intel xeon_e5 2670_v2
intel core_i5 4570r
intel core_i3 3110m
intel core_i7 4790
intel core_i7 3612qe
intel xeon_e5 2658_v4
intel core_i7 7820eq
intel core_i7 4600u
intel core_i3 2310m
intel core_i5 3380m
intel core_m3 7y32
intel core_i3 2357m
intel core_i7 5850eq
intel celeron_n n2807
intel core_i3 2100
intel atom_e e3815
intel core_i5 4590s
intel atom_z z2480
intel xeon_e5_2637_v3 -
intel core_i3 3220
intel core_i5 5300u
intel core_i7 4770
netapp hci_management_node -
intel core_i5 3230m
intel xeon e6510
intel xeon_e3_12201_v2 -
intel xeon_e3_1270_v3 -
intel core_i5 2300
intel core_i7 3537u
canonical ubuntu_linux 12.04
intel xeon_e3_1265l_v4 -
intel core_i3 6320
intel core_i5 4690
intel core_i5 2537m
intel xeon w5590
intel atom_c c3508
intel core_i5 3340s
intel core_i7 640um
intel atom_z z3785
arm cortex-a 75
intel xeon l5609
intel core_i3 2350m
intel core_i3 6100u
intel xeon_e7 8867l
intel xeon l5506
intel xeon_e3_1226_v3 -
intel core_i7 2637m
intel core_i5 450m
intel core_i7 620um
intel xeon_e5_1680_v4 -
intel core_i5 540m
intel core_i7 4770r
intel xeon_e5 4610
intel xeon_e5_2440 -
intel core_i3 6006u
intel celeron_n n2808
intel xeon_e5 4627_v3
intel core_i5 6500te
intel atom_z z3740d
intel xeon_platinum 8158
intel core_i5 3320m
intel core_i5 4300m
canonical ubuntu_linux 17.10
intel xeon w5580
intel xeon_platinum 8160
intel xeon_e7 4830_v3
intel xeon_e3_1240_v2 -
intel core_i3 540
intel core_i3 4130t
arm cortex-a 15
intel core_i5 2510e
intel core_i5 5350u
intel core_i5 560um
intel celeron_n n3000
intel core_i7 4870hq
intel xeon_e5_2608l_v3 -
intel xeon_e5_2418l_v3 -
intel xeon_e5 2665
intel core_i5 2467m
debian debian_linux 7.0
intel core_i5 4440
intel xeon_phi 7235
intel core_i5 4260u
intel core_i3 2365m
intel core_i3 2312m
intel xeon x5660
intel core_i7 4790s
intel xeon_e5_2648l_v4 -
intel core_i5 3427u
intel xeon_gold 5118
intel xeon_silver 4116
intel xeon_gold 6134m
intel core_i7 940xm
intel xeon_e5_2470 -
intel xeon_e5_1428l_v3 -
intel core_i5 4200m
intel xeon_e5 4667_v3
intel xeon_e5 2667_v4
intel xeon_e3_1268l_v3 -
intel xeon_e7 8880l_v3
intel core_i3 4360
intel atom_c c3950
intel xeon_bronze_3104 -
intel core_i5 3550
intel xeon_e5_1680_v3 -
intel pentium_j j2850
intel core_i7 3689y
intel core_i7 4600m
intel core_i3 4360t
intel core_i7 940
intel core_i7 3615qm
intel xeon_e3_1245_v2 -
intel atom_x3 c3200rk
intel core_i3 3217ue
intel xeon l5618
intel xeon_e5 4627_v4
intel xeon_e5_2420 -
intel xeon_e5_2643_v2 -
intel atom_x5-e3930 -
intel xeon_e5_2648l_v3 -
intel xeon_e5 2660_v4
intel xeon_gold 6148f
intel core_i5 2320
intel core_i5 470um
intel core_i7 4702ec
intel xeon_e7 8893_v4
intel xeon_e5_2428l -
intel core_i3 4112e
intel pentium_j j3710
intel xeon_e5 2670_v3
intel xeon_gold 6136
intel xeon_e7 4850_v2
intel core_i7 2657m
intel core_i7 3517ue
intel xeon_gold 6142
intel xeon_e5 4660_v4
intel xeon_e5_2430l -
intel xeon_e5_2637_v4 -
intel xeon_gold 6130t
intel core_i3 4350t
intel core_i5 2520m
intel core_i5 6600k
intel core_i7 640lm
intel atom_c c3708
intel core_i7 7y75
intel xeon e5607
intel atom_c c3538
intel core_i5 6402p
intel xeon e6540
intel xeon_e3_1265l_v3 -
intel xeon_e3_1125c_v2 -
intel core_i3 3120m
intel xeon_e7 4850_v3
intel xeon_e3_1285_v4 -
intel xeon e5520
intel xeon_e5 4650_v4
intel xeon_e7 8880_v2
intel core_i3 2120
intel core_i5 4300u
intel atom_z z3580
intel pentium_n n3540
intel xeon l7545
intel xeon_e5 4607
intel xeon_e5_2630l -
arm cortex-a 57
intel core_i3 4330t
intel core_i5 2430m
intel xeon_e5_2448l_v2 -
intel core_i7 3687u
intel xeon x3430
intel core_i7 3770k
intel xeon_e3_1270_v6 -
intel xeon_e-1105c -
intel core_i3 380um
intel core_i7 740qm
intel xeon_e5 4650_v3
intel xeon_e5 2683_v3
intel xeon_e5_2403 -
intel xeon_phi 7210f
intel xeon_e5_1650_v3 -
intel core_m 5y10a
intel core_i7 5700hq
intel xeon_e3_1230_v2 -
intel xeon_e5 4660_v3
intel core_i7 4722hq
intel xeon_platinum 8170
intel core_i5 2515e
intel core_i7 660lm
intel core_i7 3540m
intel xeon_e5_2640_v3 -
intel core_i7 4910mq
intel xeon_gold 6148
intel xeon_e5_2648l_v2 -
intel xeon_e5 4627_v2
intel core_i7 965
intel core_i3 2130
intel core_i5 6500
intel xeon_e7 8857_v2
arm cortex-a 73
intel core_i5 6400t
intel core_i3 4110m
intel core_i7 980x
intel core_i7 7820hk
intel atom_e e3825
intel xeon x5667
intel celeron_j j3355
intel core_m 5y10c
intel atom_e e3826
intel celeron_n n2920
intel xeon l5520
intel xeon x3440
intel atom_e e3805
intel xeon_e5_1660_v4 -
intel xeon_e5_1650 -
intel xeon_e5_2430l_v2 -
intel atom_c c2738
intel core_i3 4102e
intel xeon_phi 7210
intel core_i3 2310e
intel core_i3 4025u
intel core_i5 4430s
intel celeron_n n2806
intel xeon w3680
intel xeon_e5_2609_v4 -
intel core_i3 6102e
intel core_i5 4460s
intel xeon_e3_12201 -
intel core_i5 2557m
intel xeon_e5 4655_v4
intel xeon x7542
intel xeon_platinum 8164
intel atom_z z3570
oracle communications_diameter_signaling_router 8.2
intel xeon_e5 2697_v4
intel core_i7 620m
oracle vm_virtualbox *
intel xeon_e7 4820_v3
intel xeon_e3_1245_v6 -
intel xeon_e5 4650l
intel core_i3 2370m
intel core_i5 540um
intel core_i5 8400
intel core_i3 3245
intel core_i7 4720hq
intel xeon_phi 7250
netapp hci_compute_node -
intel atom_c c3808
intel xeon_e5 2690
CVE-2017-5753 MEDIUM

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
intel xeon_phi 7230
intel core_i5 4402ec
intel core_i7 3770t
intel xeon_e3_1225_v3 -
intel core_i5 750s
intel xeon_e5_2408l_v3 -
intel xeon_e3_1275_v5 -
intel core_i5 6440eq
intel pentium_n n3530
intel core_i3 4100m
intel core_i7 4610m
intel xeon_e7 4820
intel xeon_e3_1225_v2 -
intel xeon_e5 2660_v3
intel xeon_e5 4648_v3
intel xeon_e7 2880_v2
intel xeon_e5 2698_v3
phoenixcontact valueline_ipc_firmware -
intel core_i7 640m
intel xeon_e5_2609_v2 -
intel xeon_e3 1505m_v6
intel xeon_e5 4620_v4
intel atom_x3 c3235rk
intel xeon_gold 6146
intel core_i5 650
intel xeon_phi 7295
intel atom_z z3530
intel xeon_e5 4650_v2
intel core_i3 4010u
intel xeon_gold 6138f
intel core_i5 2450p
intel xeon_phi 7230f
intel core_i5 4402e
intel xeon_e5 4617
intel core_i7 870s
intel atom_z z3775d
intel xeon_e5 2658a_v3
intel xeon_e7 4807
intel core_i3 2367m
intel xeon_e5 2650l_v4
intel xeon_e3_1220_v3 -
intel xeon_e5_2620_v2 -
intel xeon e5530
intel xeon_e5_2403_v2 -
intel xeon_e5 4657l_v2
intel core_i7 2675qm
intel core_i3 5020u
intel core_m 5y31
intel core_i3 370m
intel core_i7 980
intel core_i3 4340
intel core_i5 4278u
intel xeon_e3_1240l_v5 -
intel core_i5 655k
intel core_i5 3439y
synology router_manager *
intel core_i5 3210m
intel xeon_e3_1220 -
intel core_i5 4570t
intel core_i5 4200u
intel xeon_e5 2690_v3
intel core_i5 520m
intel core_i7 2960xm
intel core_i7 4790t
intel xeon x3480
intel core_i5 4460
intel core_i7 3632qm
intel xeon_e5 2683_v4
intel xeon_e5_2618l_v4 -
siemens simatic_itc1900_pro_firmware *
intel core_i3 3250
intel core_i3 4110e
intel xeon_e5 4655_v3
intel xeon_e7 8870
intel core_i5 4210u
intel core_i3 5005u
intel xeon ec5539
intel xeon_e7 2803
intel xeon_e5_2620_v4 -
intel atom_z z2560
intel celeron_j j1850
intel xeon_e7 8870_v2
intel celeron_n n3350
intel atom_c c2350
intel core_i7 4710mq
intel xeon_e5 4640_v3
intel xeon e5540
intel xeon_e5_2603_v3 -
intel core_i5 670
intel xeon_e5_2650_v4 -
intel atom_c c3750
intel core_i7 2640m
intel atom_c c3308
intel core_i5 8350u
phoenixcontact dl_ppc18.5m_7000_firmware -
intel core_i5 4670
phoenixcontact vl_bpc_3000_firmware -
intel xeon_e7 8893_v2
intel xeon_e5_2603_v2 -
intel core_i7 5557u
intel atom_z z3775
intel core_i3 3120me
intel xeon_e3 1565l_v5
intel core_i7 4650u
intel core_m5 6y57
intel core_i5 4670r
intel xeon_e3 1575m_v5
intel xeon_e5_2628l_v2 -
intel core_i3 2377m
phoenixcontact vl2_ppc9_1000_firmware -
intel core_i7 5600u
intel core_i3 6100t
intel xeon_e3_1270_v2 -
intel core_i5 3470s
intel xeon_e5 2697_v3
intel xeon_e3_1220l_v3 -
intel core_i7 2610ue
intel core_m 5y10
intel xeon_e5_2450 -
intel core_i5 3550s
intel core_i5 2450m
intel core_i7 7660u
pepperl-fuchs btc12_firmware -
intel xeon e5620
intel core_i7 2655le
siemens simatic_winac_rtx_(f)_2010_firmware 2010
intel core_m 5y51
intel xeon_platinum 8156
intel core_i3 4160t
intel core_i7 2635qm
vmware esxi 6.0
intel xeon_silver 4114t
intel core_i7 860s
phoenixcontact vl_ppc_3000_firmware -
phoenixcontact bl_ppc_1000_firmware -
intel xeon_e7 8891_v2
intel core_i3 4330te
intel atom_c c2308
phoenixcontact vl2_ppc_3000_firmware -
intel xeon_e3_1290_v2 -
intel xeon_e5_1660_v2 -
intel xeon_e5 4650
intel core_i5 4570
intel core_i7 4700mq
debian debian_linux 9.0
intel core_i3 4005u
intel core_i3 6157u
intel core_i3 2330m
intel core_i3 3229y
intel xeon_e7 8830
intel core_i7 5950hq
intel xeon_e5_2603 -
intel xeon_e3_1105c_v2 -
intel core_i5 6585r
intel core_i3 5015u
vmware esxi 5.5.0
intel xeon_e7 8837
intel atom_z z3745d
intel xeon_e7 4860
intel core_i7 7920hq
intel xeon_e3_1280_v3 -
intel xeon e5507
intel core_i3 3250t
intel xeon_e5 4669_v4
phoenixcontact bl2_ppc_1000_firmware -
intel core_i7 4765t
intel xeon_e3_1275_v2 -
intel core_i5 4570te
intel core_i7 8700
intel atom_z z3560
intel xeon_gold 6130f
intel core_i5 4210m
intel core_i5 3470
intel core_i7 5750hq
phoenixcontact bl2_ppc_7000_firmware -
intel xeon_e5_2628l_v4 -
intel xeon e5506
intel core_i3 4158u
intel xeon_e7 8880l_v2
intel atom_c c2558
intel xeon_e3_1505m_v5 -
intel core_i5 661
intel xeon_e5_1428l_v2 -
intel xeon_e5_2450l -
intel xeon_e3 1535m_v6
intel xeon_e3_1260l_v5 -
intel core_i7 4770s
arm cortex-a8_firmware -
intel xeon_e3_1501l_v6 -
intel core_i5 6600
intel atom_c c2718
intel xeon_e5_2648l -
intel core_i7 4980hq
intel core_i5 2410m
intel xeon_e5 2667_v2
siemens simatic_itc1500_firmware *
intel xeon_e3_1220_v2 -
intel xeon_e3_1280_v5 -
intel xeon_e5_2430_v2 -
intel xeon_e5_2618l_v2 -
phoenixcontact vl_bpc_2000_firmware -
intel core_i3 4150
intel core_i7 4960hq
intel atom_c c2508
intel atom_z z3770
intel xeon_phi 7290f
intel xeon_e7 8893_v3
intel core_i3 2115c
intel xeon_e5 2690_v2
intel xeon_e5_1620_v2 -
intel core_i5 6300hq
intel xeon_e5 2660_v2
intel xeon_e7 8891_v3
intel xeon_e7 4809_v4
intel core_i5 2500t
intel core_i3 330um
intel core_i5 4330m
intel xeon_gold 6126f
intel core_i5 2550k
siemens simatic_itc2200_pro_firmware *
intel atom_z z3736f
intel xeon_e3_1235 -
intel core_i7 4550u
intel xeon_e3_1280 -
intel xeon_e5_2640 -
intel core_i3 4330
intel xeon_e3_1240 -
intel core_i7 4510u
intel xeon_e5_1620 -
intel core_i5 3470t
intel core_i5 6260u
intel xeon x3460
intel core_i5 4302y
intel core_i3 4030y
intel xeon_e5 2697a_v4
intel atom_x3 c3205rk
intel xeon_e5_2407 -
intel xeon_e3_1225 -
intel core_i7 5775c
intel xeon_e3_1230 -
oracle solaris 11.3
intel core_i7 960
intel xeon ec5549
oracle solaris 10
intel xeon_platinum 8170m
intel atom_c c3958
intel xeon_e7 8894_v4
intel core_i7 2649m
intel atom_c c2550
suse suse_linux_enterprise_software_development_kit 11
intel xeon_e5 4667_v4
intel celeron_n n2940
intel atom_z z2760
intel core_i5 3340m
intel xeon_e3_1230_v3 -
intel core_i5 520e
intel core_i5 4210h
intel core_i7 8700k
intel xeon w3690
intel core_i7 4750hq
intel core_i7 4770hq
intel core_i7 4702mq
intel xeon e5606
intel xeon_e5_2650 -
intel xeon e5503
intel xeon_e5_2450l_v2 -
intel core_i5 2390t
intel core_i5 3610me
intel xeon_e7 8890_v4
intel core_i5 3450s
intel xeon_e3_1235l_v5 -
intel xeon_e3_1285l_v3 -
intel core_i5 580m
intel atom_z z3745
synology vs960hd_firmware -
intel xeon_silver 4116t
intel celeron_n n2930
intel xeon_e5_2608l_v4 -
intel xeon_e7 2850
intel core_i7 2820qm
intel atom_c c2518
arm cortex-x1_firmware -
intel core_i3 2105
intel core_i7 5775r
intel atom_z z2460
intel core_i7 2600s
intel xeon e7540
intel core_i5 5287u
phoenixcontact bl2_ppc_2000_firmware -
intel core_i3 330e
intel atom_c c2530
phoenixcontact bl_ppc17_7000_firmware -
intel core_i5 4300y
intel core_i3 4350
synology virtual_machine_manager *
intel core_i3 380m
intel core_i5 5575r
intel xeon_e3_1230_v5 -
intel core_i5 4570s
intel core_i3 4170t
intel xeon_e3_1246_v3 -
intel xeon x5560
intel core_i3 4130
intel xeon_e5_1620_v4 -
phoenixcontact el_ppc_1000/m_firmware -
intel xeon_e7 2850_v2
intel core_i5 3337u
intel core_i5 4430
intel core_i7 3720qm
intel core_i7 7700k
intel xeon e7520
intel core_i3 4150t
intel xeon e5630
intel core_i7 4950hq
arm cortex-a77_firmware -
intel core_i5 2500s
intel core_i5 4288u
intel core_i5 4310u
intel atom_c c2750
intel core_i5 4422e
intel xeon_e3_1220_v5 -
intel atom_z z3735g
intel core_i7 2670qm
intel core_i7 5550u
intel core_i7 4810mq
intel xeon_e5 4607_v2
intel xeon_e3_1240_v5 -
intel core_i5 520um
intel core_i5 3570s
intel xeon_gold 6142m
intel core_i3 390m
intel core_i7 3555le
intel xeon_e7 8890_v2
synology skynas -
intel core_i7 4610y
intel xeon_e7 2860
intel core_i7 3740qm
intel xeon_silver 4114
intel xeon_e3_1285_v6 -
intel atom_x3 c3295rk
intel core_i7 2920xm
intel xeon e5649
intel xeon_e3_1270 -
intel core_i7 4790k
siemens simatic_winac_rtx_(f)_2010_firmware *
intel xeon_e5_2430 -
arm neoverse_n1_firmware -
intel core_i7 3610qm
intel xeon_e7 8890_v3
intel xeon_gold 6150
intel core_i7 620ue
intel xeon_gold 6126
intel xeon_e5_2630 -
intel xeon_e5_2630_v2 -
intel celeron_j j1750
phoenixcontact vl2_ppc_1000_firmware -
intel xeon_e5_1630_v4 -
intel core_i7 7700t
intel atom_x3 c3405
phoenixcontact dl_ppc15_1000_firmware -
intel xeon_e3_1240_v6 -
intel core_i7 7560u
intel xeon_gold 6154
intel core_i7 3520m
intel xeon_e7 4809_v3
phoenixcontact el_ppc_1000_firmware -
intel xeon_e5_2650l_v3 -
intel core_i7 2677m
canonical ubuntu_linux 17.04
intel core_i7 4712hq
intel xeon_e3_1258l_v4 -
intel xeon_e5 2687w_v2
intel xeon_e5_2418l_v2 -
intel core_i5 3317u
intel xeon_platinum 8176f
phoenixcontact vl_bpc_1000_firmware -
intel core_i7 4850hq
intel xeon_e7 8880_v4
intel xeon_e5 2695_v2
intel xeon_silver 4108
intel xeon x5672
intel xeon_e7 4820_v4
intel xeon_e5 2680_v3
intel core_i5 6360u
intel core_i3 4340te
intel xeon_e7 8850
intel core_i7 3667u
intel xeon_bronze_3106 -
intel core_m 5y71
intel core_i5 480m
intel core_i3 2125
intel core_i3 4020y
intel xeon x6550
intel core_i5 3450
intel xeon_e5_2609_v3 -
intel core_i5 6350hq
intel xeon e5504
intel core_i7 3517u
intel xeon_e5_2650l_v2 -
intel core_i5 660
intel xeon_e5 4640
intel core_i5 5250u
intel core_i3 330m
intel core_i3 3217u
intel xeon_e5_2628l_v3 -
intel core_i7 8650u
arm cortex-a75_firmware -
intel xeon_e7 4860_v2
intel core_i3 530
intel core_i7 4700hq
intel xeon_e5 4610_v3
vmware esxi 6.5
intel core_i7 4785t
intel xeon_platinum 8160f
intel xeon e5640
intel xeon_e5_2637 -
intel core_i7 4771
intel xeon_e3_1245_v5 -
intel core_i5 3330s
intel core_i7 8550u
oracle local_service_management_system 13.2
intel xeon_e5_2620 -
intel xeon_e5 4620
arm cortex-a15_firmware -
intel core_i3 6098p
intel xeon_e5_2637_v2 -
intel core_i3 6100h
intel core_i7 4770t
intel xeon_e7 8860_v3
canonical ubuntu_linux 16.04
intel xeon_e7 4870_v2
intel core_i7 2720qm
intel xeon e5603
intel core_i5 5257u
intel core_i5 4670k
intel core_i7 2630qm
intel core_i3 4170
intel core_i5 6600t
intel xeon_e5_2420_v2 -
intel core_i3 4010y
intel core_i5 6400
intel celeron_n n2820
pepperl-fuchs btc14_firmware -
intel atom_c c2358
intel core_i3 3240t
intel core_i3 4100u
intel xeon x5670
intel xeon_e3 1535m_v5
intel xeon_e5_1650_v2 -
intel atom_x3 c3230rk
intel core_i7 4700ec
intel xeon_e5 2699_v4
intel xeon_e3_1505l_v5 -
intel core_i5 460m
intel xeon x3450
intel core_i3 3130m
intel xeon_e3_1275_v3 -
intel xeon_e5_2650_v3 -
intel xeon l5640
intel xeon_gold 5115
intel core_i5 5350h
intel core_i7 860
intel celeron_j j1900
arm cortex-a78ae_firmware -
intel xeon_e3_1245 -
intel core_i7 7700
intel xeon_e3_1230_v6 -
intel xeon_e5 2698_v4
intel xeon_e3_1276_v3 -
intel xeon_gold 6128
intel xeon_platinum 8180
intel xeon_e3_1265l_v2 -
intel core_i7 2600
siemens simatic_itc1500_pro_firmware *
intel atom_e e3827
intel core_i7 5500u
intel core_i7 3840qm
intel core_i3 4370t
intel xeon l5518
intel core_i7 3770s
intel atom_z z3795
intel xeon l5508
intel xeon ec5509
intel core_i5 6267u
intel xeon_e5 2680_v4
intel core_i5 3570t
intel xeon l7555
intel xeon_gold 5119t
intel atom_c c2538
intel celeron_j j3455
intel core_i5 3350p
intel atom_c c2316
intel core_i5 2310
intel xeon_e5_2640_v4 -
intel xeon_e7 8870_v3
arm cortex-a9_firmware -
intel core_i3 550
intel core_i7 4700eq
intel core_i5 4670s
intel atom_c c2338
arm cortex-a78_firmware -
intel core_i7 2760qm
intel xeon_e5 4610_v4
intel xeon_e7 4830_v2
phoenixcontact bl_ppc17_3000_firmware -
intel core_i3 4100e
intel core_i3 2100t
intel xeon_e5_2643_v4 -
intel xeon l3426
intel core_i3 3220t
intel xeon_e5_2428l_v2 -
intel core_i5 3437u
intel xeon_platinum 8160t
intel xeon_e7 2890_v2
intel pentium_j j4205
intel core_i3 4030u
intel xeon_e3_1281_v3 -
intel xeon_e5 2687w_v4
intel core_i7 2700k
intel atom_c c2758
intel atom_z z3740
intel core_i5 4440s
intel core_i3 5157u
intel core_i7 920xm
intel celeron_n n2815
intel xeon_e7 4830_v4
intel celeron_j j3060
intel celeron_j j4005
intel atom_c c2516
intel celeron_n n3010
intel core_i5 4410e
intel xeon_e5_2630_v3 -
intel xeon_e3_1275_v6 -
intel xeon_e5 2699a_v4
phoenixcontact vl2_bpc_1000_firmware -
intel core_i7 610e
intel core_i5 6300u
intel xeon_phi 7285
phoenixcontact vl2_bpc_2000_firmware -
intel xeon_e3_1285l_v4 -
intel atom_z z3770d
intel core_i5 2500k
intel xeon_e5_2640_v2 -
intel core_i7 2710qe
intel atom_z z3735f
intel pentium_n n3520
intel xeon x7550
intel xeon_e3_1505l_v6 -
intel xeon_e5_1650_v4 -
intel xeon x5570
intel xeon_e3_1501m_v6 -
intel core_i7 2629m
intel xeon x3470
intel xeon_e5_2623_v3 -
intel xeon_e5 4624l_v2
intel xeon_e5_2630l_v3 -
intel xeon_e5_2643_v3 -
intel core_i5 430um
intel core_m7 6y75
intel xeon_e5 2690_v4
intel xeon_e5_1428l -
intel core_i5 4200h
intel xeon_e3_1225_v6 -
intel xeon_e5 4603_v2
intel xeon_e7 4830
intel core_i7 5850hq
intel celeron_n n2840
intel xeon_e7 2830
intel core_i7 2715qe
intel xeon_e5 2658
intel xeon_gold 6142f
intel xeon_e5 2695_v4
intel xeon_e7 4820_v2
intel xeon x5680
netapp solidfire -
intel atom_z z3736g
intel xeon_e5_2428l_v3 -
intel xeon_e5_1660_v3 -
intel core_i7 3610qe
intel xeon_e5_2630l_v2 -
intel xeon_e3_1220_v6 -
intel core_i3 6300
intel core_i7 660ue
intel xeon_e7 8880_v3
arm cortex-a17_firmware -
intel core_i7 5650u
intel core_i5 4460t
intel core_i7 875k
intel core_i7 720qm
intel core_i7 4860hq
intel xeon_e3_1275l_v3 -
intel xeon_e5 2670
intel core_i5 3339y
phoenixcontact bl_bpc_3001_firmware -
intel core_i5 4690s
intel xeon_platinum 8160m
intel xeon_e3_1125c -
intel atom_z z2420
intel core_i5 4220y
intel core_i3 5010u
intel core_i5 680
intel core_i7 4800mq
intel core_i3 2120t
intel core_i5 6200u
intel xeon l3406
intel core_i3 6100
phoenixcontact vl2_ppc_2000_firmware -
intel xeon_e3_1268l_v5 -
intel atom_x3 c3445
intel core_i3 2328m
intel xeon x5687
intel core_i7 3820qm
intel xeon_e5_2620_v3 -
intel xeon_e7 2870
intel xeon_e5 4620_v2
intel core_i5 4210y
intel pentium_n n3510
intel xeon l5530
suse suse_linux_enterprise_server 11
intel xeon_e5 2658_v3
netapp hci -
intel core_i5 4350u
intel core_i5 6287u
intel core_i5 750
intel core_i7 4900mq
intel xeon_e5_2470_v2 -
intel xeon_gold 5120
intel atom_z z2520
intel xeon_e5_1630_v3 -
intel xeon e5645
intel celeron_n n3060
intel xeon_gold 6126t
intel xeon_e7 2820
intel core_i7 930
intel atom_c c3858
intel xeon_e5 2697_v2
intel xeon_e5_2440_v2 -
intel core_i7 7820hq
intel core_i5 4308u
intel core_i7 7600u
intel core_i3 3227u
phoenixcontact bl_ppc15_7000_firmware -
intel core_i7 660um
intel xeon_e5_2650l -
intel core_i7 3635qm
intel atom_z z3460
phoenixcontact bl_bpc_2001_firmware -
intel xeon_e5 2680_v2
intel core_i3 3115c
intel core_i5 2405s
intel core_i7 7700hq
intel atom_z z3480
intel xeon_gold 6152
intel xeon_e7 4850_v4
intel xeon_e3_1245_v3 -
intel core_i3 3210
intel core_i7 880
intel celeron_n n3450
intel xeon_e7 8850_v2
intel xeon_phi 7250f
intel core_i5 4690t
intel core_i5 4250u
intel xeon_e5 2667_v3
intel core_i5 2380p
intel atom_c c2730
intel xeon_e5_2418l -
intel xeon_e5 4640_v2
intel xeon_e5_2643 -
intel xeon_gold 5120t
intel core_i3 8350k
intel xeon_e5 4669_v3
intel xeon l5630
intel xeon_gold 5122
intel xeon_e7 8867_v3
arm cortex-a57_firmware -
intel core_i3 560
intel core_i5 6442eq
intel xeon_e3 1515m_v5
intel core_i5 2400s
intel xeon_gold 6132
intel celeron_n n2830
intel xeon_e3_1280_v2 -
intel xeon_e3_1280_v6 -
intel xeon_e5_2609 -
intel core_i5 8250u
arm cortex-r8_firmware -
intel atom_z z3735d
intel xeon_e5_2630_v4 -
intel xeon_e7 8867_v4
intel atom_z z3735e
intel xeon_platinum 8176m
intel core_i5 3570k
intel xeon_e3_1230l_v3 -
intel core_i7 4712mq
intel core_i3 8100
intel xeon_e7 4880_v2
phoenixcontact vl2_bpc_3000_firmware -
intel xeon_silver 4112
intel core_i5 4690k
intel core_i3 4120u
intel xeon_gold 6140m
intel atom_z z2580
intel xeon x5650
intel xeon_e5_2448l -
intel core_i5 3475s
intel celeron_n n2810
intel core_i7 680um
intel xeon lc5518
intel core_i3 350m
intel atom_x7-e3950 -
siemens simatic_itc2200_firmware *
intel core_i5 760
intel core_i5 6500t
intel xeon_e5 2687w_v3
intel core_i7 920
intel core_i7 3630qm
intel xeon_e7 8860
oracle local_service_management_system 13.3
intel core_i7 620le
intel atom_c c3758
intel core_i3 6300t
intel core_i7 975
intel xeon_e7 4870
intel xeon_e3_1240l_v3 -
intel xeon_e3_1241_v3 -
intel core_i3 3225
intel core_i3 2102
intel core_i5 4400e
debian debian_linux 8.0
intel core_i5 4310m
intel xeon_e3_1271_v3 -
intel core_i5 3360m
intel core_i7 870
intel core_i3 4000m
intel core_i3 6100e
intel atom_x3 c3130
intel core_i3 4370
intel celeron_n n4100
intel xeon_e3_1278l_v4 -
intel core_i5 3570
intel xeon_silver 4110
phoenixcontact bl_bpc_3000_firmware -
intel core_i5 2435m
intel core_i7 3615qe
intel core_i5 2400
intel core_i7 620lm
intel core_i5 6685r
intel xeon_e5 4610_v2
intel core_i5 4590t
phoenixcontact bl2_bpc_1000_firmware -
intel core_i3 6167u
intel celeron_n n3160
intel core_i5 8600k
intel atom_x3 c3265rk
intel atom_c c3955
intel core_i5 5675c
intel xeon_platinum 8153
intel core_i7 3770
intel core_i5 2500
intel core_m3 7y30
intel xeon w3670
intel atom_c c3338
intel core_i7 990x
intel core_i7 7567u
suse suse_linux_enterprise_software_development_kit 12
intel core_i3 6100te
intel core_i5 6440hq
intel core_i7 970
arm cortex-r7_firmware -
intel core_i5 5675r
intel xeon x5647
intel core_i7 4500u
intel core_m 5y70
intel atom_c c3830
intel xeon_e3 1578l_v5
intel xeon_e5 2660
phoenixcontact bl_ppc_7000_firmware -
intel pentium_n n3700
intel xeon_phi 7290
intel celeron_j j3160
intel xeon_e5 4603
intel core_i5 4590
intel core_i3 4012y
intel core_i7 4710hq
intel xeon_e5 4628l_v4
phoenixcontact vl2_bpc_7000_firmware -
intel core_i7 3612qm
intel celeron_n n4000
intel xeon_e7 8860_v4
intel core_i5 560m
intel atom_c c3558
intel xeon_e3_1270_v5 -
intel xeon_gold 6140
intel xeon_e5 4620_v3
intel core_i5 4670t
intel core_i7 840qm
intel xeon x5690
intel xeon_e3_1285_v3 -
intel celeron_n n3150
intel core_i7 2617m
intel celeron_j j4105
phoenixcontact vl2_ppc7_1000_firmware -
intel core_i5 3340
intel atom_c c3850
intel xeon_e5_2603_v4 -
intel xeon_platinum 8176
intel xeon_e3 1558l_v5
intel xeon_e5 2687w
intel xeon_gold 6138
intel core_i7 950
intel xeon_e5 2699_v3
phoenixcontact bl_ppc15_1000_firmware -
intel core_i7 4578u
intel xeon x5675
intel xeon_gold 6130
intel xeon x5677
intel xeon_gold 6138t
intel core_i3 4160
intel core_i7 2860qm
intel atom_e e3845
intel xeon_e5_2630l_v4 -
intel core_i7 4760hq
intel xeon_e7 8891_v4
intel xeon_e5_2650_v2 -
intel atom_z z3590
intel xeon_e5_1620_v3 -
intel xeon_e7 4890_v2
intel core_i5 3330
intel xeon_e5_2450_v2 -
intel xeon_e5_2618l_v3 -
intel core_i3 2375m
intel xeon_e5 2667
intel celeron_n n2910
intel xeon_e3_1225_v5 -
intel xeon_e3_1240_v3 -
intel pentium_j j2900
intel pentium_n n3710
intel core_i5 430m
intel core_i5 4360u
intel core_i3 2330e
phoenixcontact vl_ppc_2000_firmware -
intel core_i7 4770k
phoenixcontact vl2_bpc_9000_firmware -
intel xeon_gold 6144
intel xeon_e3_1275 -
suse suse_linux_enterprise_desktop 12
intel core_m3 6y30
intel core_i7 4770te
intel xeon_e7 4850
intel core_i5 4258u
intel xeon e7530
intel xeon_e3_1290 -
intel xeon_e3_1260l -
arm cortex-a73_firmware -
intel core_i5 4200y
intel xeon_e5_1660 -
intel xeon_e3 1545m_v5
intel core_i5 4340m
intel core_i3 2348m
intel core_i7 5700eq
intel core_i7 2620m
phoenixcontact bl_ppc12_1000_firmware -
intel core_i5 2540m
intel xeon_e3 1585_v5
synology diskstation_manager *
intel xeon_e5 4640_v4
intel xeon l5638
intel core_i5 4202y
intel xeon_e3 1585l_v5
intel xeon_e5_2438l_v3 -
intel core_i7 4558u
intel core_i7 820qm
intel core_i7 2600k
phoenixcontact dl_ppc15m_7000_firmware -
intel core_i7 4702hq
phoenixcontact bl_ppc15_3000_firmware -
intel xeon_e5 2699r_v4
intel core_m5 6y54
intel xeon_e5 2695_v3
opensuse leap 42.2
intel xeon_e5_2623_v4 -
intel xeon_gold 6134
intel core_i3 3240
intel xeon x5550
canonical ubuntu_linux 14.04
intel xeon_e7 4809_v2
oracle local_service_management_system 13.1
intel celeron_n n2805
intel core_i3 2340ue
intel xeon_e3_1286l_v3 -
intel pentium_n n4200
intel celeron_j j1800
intel celeron_n n3050
intel xeon_e5_2407_v2 -
intel xeon_e5 2658_v2
intel xeon x7560
intel xeon_silver 4109t
intel xeon lc5528
intel core_i5 5200u
intel xeon_e7 2870_v2
intel xeon_e5 2680
intel xeon_e3_1286_v3 -
intel xeon_platinum 8168
intel xeon_e7 8870_v4
intel core_i7 7500u
intel atom_x5-e3940 -
intel xeon_e3_1231_v3 -
intel xeon e5502
intel xeon_e5 2670_v2
intel core_i5 4570r
pepperl-fuchs visunet_rm_shell -
phoenixcontact bl2_bpc_7000_firmware -
intel core_i3 3110m
intel core_i7 4790
intel core_i7 3612qe
intel xeon_e5 2658_v4
arm cortex-a76_firmware -
intel core_i7 7820eq
intel core_i7 4600u
intel core_i3 2310m
intel core_i5 3380m
intel core_m3 7y32
phoenixcontact bl_rackmount_4u_firmware -
intel core_i3 2357m
intel core_i7 5850eq
intel celeron_n n2807
intel core_i3 2100
intel atom_e e3815
intel core_i5 4590s
intel atom_z z2480
intel xeon_e5_2637_v3 -
intel core_i3 3220
phoenixcontact vl2_ppc_7000_firmware -
intel core_i5 5300u
intel core_i7 4770
siemens simatic_itc1900_firmware *
intel core_i5 3230m
intel xeon e6510
intel xeon_e3_12201_v2 -
intel xeon_e3_1270_v3 -
intel core_i5 2300
intel core_i7 3537u
canonical ubuntu_linux 12.04
intel xeon_e3_1265l_v4 -
arm cortex-a12_firmware -
intel core_i3 6320
intel core_i5 4690
intel core_i5 2537m
intel xeon w5590
intel atom_c c3508
intel core_i5 3340s
phoenixcontact bl_bpc_7000_firmware -
intel core_i7 640um
intel atom_z z3785
intel xeon l5609
intel core_i3 2350m
intel core_i3 6100u
intel xeon_e7 8867l
intel xeon l5506
intel xeon_e3_1226_v3 -
vmware fusion *
intel core_i7 2637m
intel core_i5 450m
intel core_i7 620um
intel xeon_e5_1680_v4 -
intel core_i5 540m
intel core_i7 4770r
intel xeon_e5 4610
intel xeon_e5_2440 -
intel core_i3 6006u
phoenixcontact el_ppc_1000/wt_firmware -
intel celeron_n n2808
intel xeon_e5 4627_v3
intel core_i5 6500te
intel atom_z z3740d
intel xeon_platinum 8158
intel core_i5 3320m
intel core_i5 4300m
canonical ubuntu_linux 17.10
intel xeon w5580
intel xeon_platinum 8160
intel xeon_e7 4830_v3
intel xeon_e3_1240_v2 -
intel core_i3 540
vmware workstation *
intel core_i3 4130t
intel core_i5 2510e
intel core_i5 5350u
intel core_i5 560um
intel celeron_n n3000
intel core_i7 4870hq
intel xeon_e5_2608l_v3 -
intel xeon_e5_2418l_v3 -
intel xeon_e5 2665
intel core_i5 2467m
phoenixcontact bl_ppc17_1000_firmware -
intel core_i5 4440
intel xeon_phi 7235
intel core_i5 4260u
intel core_i3 2365m
intel core_i3 2312m
intel xeon x5660
intel core_i7 4790s
intel xeon_e5_2648l_v4 -
intel core_i5 3427u
intel xeon_gold 5118
intel xeon_silver 4116
phoenixcontact dl_ppc21.5m_7000_firmware -
intel xeon_gold 6134m
intel core_i7 940xm
intel xeon_e5_2470 -
intel xeon_e5_1428l_v3 -
intel core_i5 4200m
intel xeon_e5 4667_v3
intel xeon_e5 2667_v4
intel xeon_e3_1268l_v3 -
intel xeon_e7 8880l_v3
intel core_i3 4360
intel atom_c c3950
intel xeon_bronze_3104 -
intel core_i5 3550
intel xeon_e5_1680_v3 -
arm neoverse_n2_firmware -
intel pentium_j j2850
intel core_i7 3689y
intel core_i7 4600m
phoenixcontact bl_bpc_7001_firmware -
intel core_i3 4360t
intel core_i7 940
intel core_i7 3615qm
intel xeon_e3_1245_v2 -
intel atom_x3 c3200rk
intel core_i3 3217ue
arm cortex-a72_firmware -
intel xeon l5618
intel xeon_e5 4627_v4
opensuse leap 42.3
intel xeon_e5_2420 -
intel xeon_e5_2643_v2 -
intel atom_x5-e3930 -
intel xeon_e5_2648l_v3 -
intel xeon_e5 2660_v4
intel xeon_gold 6148f
intel core_i5 2320
intel core_i5 470um
intel core_i7 4702ec
intel xeon_e7 8893_v4
intel xeon_e5_2428l -
intel core_i3 4112e
intel pentium_j j3710
intel xeon_e5 2670_v3
intel xeon_gold 6136
intel xeon_e7 4850_v2
intel core_i7 2657m
intel core_i7 3517ue
intel xeon_gold 6142
intel xeon_e5 4660_v4
intel xeon_e5_2430l -
intel xeon_e5_2637_v4 -
intel xeon_gold 6130t
intel core_i3 4350t
intel core_i5 2520m
intel core_i5 6600k
intel core_i7 640lm
intel atom_c c3708
intel core_i7 7y75
intel xeon e5607
intel atom_c c3538
intel core_i5 6402p
intel xeon e6540
intel xeon_e3_1265l_v3 -
intel xeon_e3_1125c_v2 -
intel core_i3 3120m
intel xeon_e7 4850_v3
intel xeon_e3_1285_v4 -
intel xeon e5520
intel xeon_e5 4650_v4
intel xeon_e7 8880_v2
intel core_i3 2120
intel core_i5 4300u
phoenixcontact vl_ipc_p7000_firmware -
intel atom_z z3580
phoenixcontact bl_rackmount_2u_firmware -
intel pentium_n n3540
intel xeon l7545
intel xeon_e5 4607
intel xeon_e5_2630l -
intel core_i3 4330t
intel core_i5 2430m
intel xeon_e5_2448l_v2 -
intel core_i7 3687u
intel xeon x3430
intel core_i7 3770k
intel xeon_e3_1270_v6 -
intel xeon_e-1105c -
intel core_i3 380um
intel core_i7 740qm
intel xeon_e5 4650_v3
phoenixcontact vl2_ppc12_1000_firmware -
intel xeon_e5 2683_v3
intel xeon_e5_2403 -
intel xeon_phi 7210f
intel xeon_e5_1650_v3 -
intel core_m 5y10a
intel core_i7 5700hq
intel xeon_e3_1230_v2 -
intel xeon_e5 4660_v3
intel core_i7 4722hq
intel xeon_platinum 8170
intel core_i5 2515e
intel core_i7 660lm
intel core_i7 3540m
intel xeon_e5_2640_v3 -
intel core_i7 4910mq
intel xeon_gold 6148
intel xeon_e5_2648l_v2 -
intel xeon_e5 4627_v2
intel core_i7 965
intel core_i3 2130
intel core_i5 6500
intel xeon_e7 8857_v2
intel core_i5 6400t
intel core_i3 4110m
intel core_i7 980x
intel core_i7 7820hk
phoenixcontact vl2_ppc_9000_firmware -
intel atom_e e3825
intel xeon x5667
suse suse_linux_enterprise_server 12
intel celeron_j j3355
phoenixcontact bl_bpc_2000_firmware -
intel core_m 5y10c
intel atom_e e3826
intel celeron_n n2920
intel xeon l5520
intel xeon x3440
intel atom_e e3805
intel xeon_e5_1660_v4 -
intel xeon_e5_1650 -
intel xeon_e5_2430l_v2 -
intel atom_c c2738
intel core_i3 4102e
intel xeon_phi 7210
intel core_i3 2310e
intel core_i3 4025u
intel core_i5 4430s
intel celeron_n n2806
intel xeon w3680
intel xeon_e5_2609_v4 -
synology vs360hd_firmware -
intel core_i3 6102e
intel core_i5 4460s
intel xeon_e3_12201 -
intel core_i5 2557m
intel xeon_e5 4655_v4
intel xeon x7542
intel xeon_platinum 8164
intel atom_z z3570
intel xeon_e5 2697_v4
intel core_i7 620m
intel xeon_e7 4820_v3
intel xeon_e3_1245_v6 -
intel xeon_e5 4650l
phoenixcontact bl2_bpc_2000_firmware -
intel core_i3 2370m
intel core_i5 540um
intel core_i5 8400
intel core_i3 3245
intel core_i7 4720hq
intel xeon_phi 7250
intel atom_c c3808
intel xeon_e5 2690
CVE-2017-5988 MEDIUM

NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enabled, allows remote attackers to cause a denial of service via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 8.1.1
netapp clustered_data_ontap 8.1.2
netapp clustered_data_ontap 8.1.3
netapp clustered_data_ontap 9.0
netapp clustered_data_ontap 8.3.2
netapp clustered_data_ontap 8.1
netapp clustered_data_ontap 8.2.2
netapp clustered_data_ontap 8.3.1
netapp clustered_data_ontap 8.2.1
netapp clustered_data_ontap 9.1
netapp clustered_data_ontap 8.1.4
netapp clustered_data_ontap 8.2
netapp clustered_data_ontap 8.3
netapp clustered_data_ontap 8.2.3
netapp clustered_data_ontap 8.2.4
CVE-2017-5995 MEDIUM

The NetApp ONTAP Select Deploy administration utility 2.0 through 2.2.1 might allow remote attackers to obtain sensitive information via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility 2.0
netapp ontap_select_deploy_administration_utility 2.2
netapp ontap_select_deploy_administration_utility 2.1
netapp ontap_select_deploy_administration_utility 2.2.1
CVE-2017-7236 MEDIUM

SQL injection vulnerability in NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_core_package 5.1
netapp oncommand_unified_manager_core_package 5.2
netapp oncommand_unified_manager_core_package 5.2.2
netapp oncommand_unified_manager_core_package 5.0.1
netapp oncommand_unified_manager_core_package 5.0
netapp oncommand_unified_manager_core_package 5.0.2
netapp oncommand_unified_manager_core_package 5.2.1
CVE-2017-7345 MEDIUM

NetApp OnCommand Performance Manager and OnCommand Unified Manager for Clustered Data ONTAP before 7.1P1 improperly bind the Java Management Extension Remote Method Invocation (aka JMX RMI) service to the network, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2017-7439 MEDIUM

NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might allow remote attackers to obtain sensitive information via vectors involving error messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_core_package 5.1
netapp oncommand_unified_manager_core_package 5.2
netapp oncommand_unified_manager_core_package 5.2.2
netapp oncommand_unified_manager_core_package 5.0.1
netapp oncommand_unified_manager_core_package 5.0
netapp oncommand_unified_manager_core_package 5.0.2
netapp oncommand_unified_manager_core_package 5.2.1
CVE-2017-7525 HIGH

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
oracle financial_services_analytical_applications_infrastructure 8.0.3.0.0
oracle banking_platform 2.6.2
oracle communications_instant_messaging_server 10.0.1.2.0
oracle financial_services_analytical_applications_infrastructure 8.0.6.0.0
oracle primavera_unifier 16.1
oracle financial_services_analytical_applications_infrastructure 8.0.2.0.0
netapp snapcenter -
oracle banking_platform 2.5.0
oracle communications_billing_and_revenue_management 7.5
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
redhat virtualization 4.0
redhat virtualization_host 4.0
oracle enterprise_manager_for_virtualization 13.2.2
fasterxml jackson-databind *
oracle primavera_unifier *
oracle utilities_advanced_spatial_and_operational_analytics 2.7.0.1
debian debian_linux 9.0
netapp oncommand_shift -
oracle banking_platform 2.6.1
oracle communications_diameter_signaling_route *
oracle enterprise_manager_for_virtualization 13.3.1
oracle communications_instant_messaging_server 10.0.1
oracle financial_services_analytical_applications_infrastructure 8.0.5.0.0
oracle webcenter_portal 12.2.1.3.0
fasterxml jackson-databind 2.9.0
oracle enterprise_manager_for_virtualization 13.2.3
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 7.1
netapp oncommand_balance -
redhat jboss_enterprise_application_platform 7.0
oracle financial_services_analytical_applications_infrastructure 8.0.4.0.0
oracle communications_communications_policy_management *
oracle financial_services_analytical_applications_infrastructure 8.0.7.0.0
redhat jboss_enterprise_application_platform 6.4.0
redhat openshift_container_platform 3.11
redhat openshift_container_platform 4.1
netapp oncommand_performance_manager -
oracle communications_billing_and_revenue_management 12.0
oracle global_lifecycle_management_opatchauto *
CVE-2017-7568 LOW

NetApp OnCommand Unified Manager for 7-Mode (core package) versions prior to 5.2.3 may disclose sensitive LDAP account information to authenticated users when the LDAP authentication configuration is tested via the user interface.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2017-7657 HIGH

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-444,CWE-190,CWE-444,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
oracle retail_xstore_point_of_service 7.1
oracle rest_data_services 12.2.0.1
netapp santricity_cloud_connector -
netapp oncommand_unified_manager *
netapp element_software_management_node -
netapp snapcenter *
oracle retail_xstore_point_of_service 15.0
netapp e-series_santricity_web_services -
eclipse jetty *
netapp oncommand_system_manager 3.x
oracle rest_data_services 11.2.0.4
oracle rest_data_services 18c
oracle retail_xstore_point_of_service 16.0
oracle retail_xstore_point_of_service 17.0
netapp e-series_santricity_management -
netapp snap_creator_framework *
netapp snapmanager *
hp xp_p9000_command_view *
oracle rest_data_services 12.1.0.2
debian debian_linux 9.0
netapp hci_storage_nodes -
CVE-2017-7658 HIGH

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle retail_xstore_point_of_service 7.1
netapp santricity_cloud_connector -
netapp snapcenter -
netapp oncommand_system_manager *
oracle rest_data_services 18c
oracle retail_xstore_point_of_service 16.0
netapp e-series_santricity_management -
netapp solidfire -
oracle rest_data_services 12.1.0.2
netapp snapmanager -
debian debian_linux 9.0
oracle retail_xstore_payment 3.3
netapp oncommand_unified_manager_for_7-mode -
oracle rest_data_services 12.2.0.1
netapp hci_management_node -
oracle retail_xstore_point_of_service 15.0
netapp e-series_santricity_web_services -
netapp snap_creator_framework -
eclipse jetty *
oracle rest_data_services 11.2.0.4
netapp hci_storage_node -
oracle retail_xstore_point_of_service 17.0
netapp storage_services_connector -
hp xp_p9000_command_view *
CVE-2017-7668 MEDIUM

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-126,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp oncommand_unified_manager -
apache http_server 2.2.32
apple mac_os_x 10.12.6
netapp storagegrid -
debian debian_linux 9.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
apache http_server 2.4.24
oracle secure_global_desktop 5.3
apple mac_os_x 10.11.6
apple mac_os_x *
apache http_server 2.4.25
CVE-2017-7947 MEDIUM

NetApp Clustered Data ONTAP before 8.3.2P11, 9.0 before P4, and 9.1 before P5 allow attackers to obtain sensitive password information by leveraging logging of passwords entered non-interactively on the command line.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.1
netapp clustered_data_ontap 9.0
netapp clustered_data_ontap 8.3.2
CVE-2017-8919 MEDIUM

NetApp OnCommand API Services before 1.2P3 logs the LDAP BIND password when a user attempts to log in using the REST API, which allows remote authenticated users to obtain sensitive password information via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_api_services *
CVE-2017-9078 HIGH

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp h410c_firmware -
dropbear_ssh_project dropbear_ssh *
CVE-2017-9118 MEDIUM

PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp storage_automation_store -
php php 7.1.5
php php *
CVE-2017-9119 HIGH

The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp storage_automation_store -
php php 7.1.5
CVE-2017-9120 HIGH

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp storage_automation_store -
php php *
CVE-2017-9788 MEDIUM

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-200,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
netapp storage_automation_store -
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_eus 7.3
netapp oncommand_unified_manager -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
debian debian_linux 9.0
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
apache http_server *
redhat jboss_core_services 1.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
redhat enterprise_linux_server_aus 7.4
redhat jboss_enterprise_web_server 2.0.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.2
redhat jboss_enterprise_application_platform 6.4.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.2
oracle secure_global_desktop 5.3
apple mac_os_x *
CVE-2017-9805 MEDIUM

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
cisco digital_media_manager -
cisco media_experience_engine 3.5
cisco hosted_collaboration_solution 11.0(1)
cisco hosted_collaboration_solution 10.5(1)
cisco video_distribution_suite_for_internet_streaming -
cisco hosted_collaboration_solution 11.6(1)
cisco media_experience_engine 3.5.2
apache struts *
netapp oncommand_balance -
cisco network_performance_analysis -
cisco hosted_collaboration_solution 11.5(1)
CVE-2018-0734 MEDIUM

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
openssl openssl 1.1.1
oracle primavera_p6_professional_project_management 15.1
oracle primavera_p6_professional_project_management 15.2
oracle primavera_p6_professional_project_management 16.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
oracle mysql_enterprise_backup *
oracle enterprise_manager_ops_center 12.3.3
oracle primavera_p6_professional_project_management 16.1
netapp snapcenter -
oracle peoplesoft_enterprise_peopletools 8.56
netapp steelstore -
oracle e-business_suite_technology_stack 1.0.0
oracle peoplesoft_enterprise_peopletools 8.55
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
nodejs node.js *
netapp cloud_backup -
canonical ubuntu_linux 14.04
oracle tuxedo 12.1.1.0.0
oracle e-business_suite_technology_stack 1.0.1
debian debian_linux 9.0
nodejs node.js 10.13.0
canonical ubuntu_linux 18.10
oracle e-business_suite_technology_stack 0.9.8
openssl openssl *
oracle primavera_p6_professional_project_management 18.8
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
netapp santricity_smi-s_provider -
oracle primavera_p6_professional_project_management *
oracle api_gateway 11.1.2.4.0
netapp cn1610_firmware -
oracle peoplesoft_enterprise_peopletools 8.57
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle primavera_p6_professional_project_management 8.4
CVE-2018-0735 MEDIUM

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp element_software -
openssl openssl 1.1.1
netapp snapdrive -
netapp oncommand_unified_manager *
oracle enterprise_manager_ops_center 12.3.3
oracle peoplesoft_enterprise_peopletools 8.56
netapp steelstore -
oracle secure_global_desktop 5.4
oracle application_server 0.9.8
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle peoplesoft_enterprise_peopletools 8.55
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle primavera_p6_enterprise_project_portfolio_management 16.2
nodejs node.js *
oracle primavera_p6_enterprise_project_portfolio_management 8.4
netapp cloud_backup -
oracle primavera_p6_enterprise_project_portfolio_management 15.2
canonical ubuntu_linux 14.04
oracle tuxedo 12.1.1.0.0
oracle vm_virtualbox *
debian debian_linux 9.0
nodejs node.js 10.13.0
canonical ubuntu_linux 18.10
oracle primavera_p6_enterprise_project_portfolio_management 15.1
openssl openssl *
debian debian_linux 8.0
oracle application_server 1.0.0
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle mysql *
netapp santricity_smi-s_provider -
oracle api_gateway 11.1.2.4.0
oracle primavera_p6_enterprise_project_portfolio_management *
netapp smi-s_provider -
netapp cn1610_firmware -
oracle peoplesoft_enterprise_peopletools 8.57
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle application_server 1.0.1
CVE-2018-1000180 MEDIUM

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
oracle weblogic_server 12.1.3.0.0
oracle retail_xstore_point_of_service 7.1
bouncycastle fips_java_api *
oracle communications_converged_application_server *
oracle peoplesoft_enterprise_peopletools 8.56
oracle peoplesoft_enterprise_peopletools 8.55
oracle managed_file_transfer 12.2.1.3.0
oracle business_process_management_suite 12.2.1.3.0
oracle enterprise_repository 12.1.3.0.0
oracle business_process_management_suite 11.1.1.9.0
oracle retail_xstore_point_of_service 7.0
oracle communications_application_session_controller 3.7.1
oracle retail_convenience_and_fuel_pos_software 2.8.1
debian debian_linux 9.0
oracle soa_suite 12.1.3.0.0
oracle business_process_management_suite 12.1.3.0.0
netapp oncommand_workflow_automation -
oracle communications_application_session_controller 3.8.0
oracle webcenter_portal 12.2.1.3.0
bouncycastle legion-of-the-bouncy-castle-java-crytography-api *
redhat virtualization 4.2
redhat jboss_enterprise_application_platform 7.1.0
oracle managed_file_transfer 12.1.3.0.0
oracle communications_webrtc_session_controller *
oracle api_gateway 11.1.2.4.0
oracle peoplesoft_enterprise_peopletools 8.57
bouncycastle bc-java *
oracle business_transaction_management 12.1.0
oracle webcenter_portal 11.1.1.9.0
oracle soa_suite 12.2.1.3.0
CVE-2018-1000613 HIGH

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-470,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
oracle retail_xstore_point_of_service 7.1
oracle utilities_network_management_system 2.3.0.1
opensuse leap 15.1
oracle communications_converged_application_server *
oracle peoplesoft_enterprise_peopletools 8.56
oracle communications_diameter_signaling_router 8.1
oracle peoplesoft_enterprise_peopletools 8.55
oracle communications_diameter_signaling_router 8.0.0
oracle enterprise_repository 12.1.3.0.0
oracle soa_suite 12.1.3.0.0
oracle banking_platform 2.6.1
oracle weblogic_server 12.2.1.3
oracle utilities_network_management_system 2.3.0.2
oracle communications_converged_application_server 7.0.0.1
oracle enterprise_manager_base_platform 13.2.0.0
oracle enterprise_repository 11.1.1.7.0
oracle managed_file_transfer 12.1.3.0.0
oracle communications_webrtc_session_controller *
oracle api_gateway 11.1.2.4.0
oracle communications_convergence 3.0.2
oracle webcenter_portal 11.1.1.9.0
oracle communications_diameter_signaling_router 8.2.1
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform 2.6.2
oracle enterprise_manager_for_fusion_middleware 13.2.0.0
oracle managed_file_transfer 12.2.1.3.0
oracle business_process_management_suite 12.2.1.3.0
oracle communications_diameter_signaling_router 8.2
oracle business_process_management_suite 11.1.1.9.0
oracle retail_xstore_point_of_service 7.0
oracle communications_application_session_controller 3.7.1
oracle retail_convenience_and_fuel_pos_software 2.8.1
oracle utilities_network_management_system 1.12.0.3
oracle business_process_management_suite 12.1.3.0.0
netapp oncommand_workflow_automation -
oracle communications_application_session_controller 3.8.0
oracle data_integrator 12.2.1.3.0
oracle webcenter_portal 12.2.1.3.0
bouncycastle legion-of-the-bouncy-castle-java-crytography-api *
oracle enterprise_manager_for_fusion_middleware 13.3.0.0
oracle peoplesoft_enterprise_peopletools 8.57
oracle enterprise_manager_base_platform 12.1.0.5.0
bouncycastle bc-java *
oracle utilities_network_management_system 2.3.0.0
oracle communications_webrtc_session_controller 7.2
oracle business_transaction_management 12.1.0
oracle soa_suite 12.2.1.3.0
CVE-2018-1000632 MEDIUM

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-91,

Products Affected

Vendor Product Version
oracle utilities_framework *
redhat satellite_capsule 6.6
oracle utilities_framework 4.2.0.3.0
redhat satellite 6.6
netapp snapcenter -
oracle retail_integration_bus 15.0
oracle utilities_framework 4.4.0.2
oracle flexcube_investor_servicing 12.3.0
oracle utilities_framework 4.4.0.0.0
oracle rapid_planning 12.2
netapp snapmanager -
netapp oncommand_workflow_automation -
oracle flexcube_investor_servicing 12.4.0
dom4j_project dom4j *
oracle flexcube_investor_servicing 12.1.0
debian debian_linux 8.0
redhat jboss_enterprise_application_platform 6.0.0
oracle flexcube_investor_servicing 12.0.4
redhat jboss_enterprise_application_platform 7.1.0
oracle flexcube_investor_servicing 14.0.0
oracle rapid_planning 12.1
netapp snap_creator_framework -
oracle utilities_framework 4.2.0.2.0
oracle utilities_framework 2.2.0
oracle primavera_p6_enterprise_project_portfolio_management *
redhat jboss_enterprise_application_platform 6.4.0
oracle retail_integration_bus 16.0
CVE-2018-1000656 MEDIUM

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
palletsprojects flask *
netapp ontap_select_deploy_utility *
netapp hyper_converged_infrastructure *
netapp active_iq *
CVE-2018-1000873 MEDIUM

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
oracle database_server 12.1.0.2
fasterxml jackson-modules-java8 *
oracle database_server 12.2.0.1
oracle clusterware 12.1.0.2.0
oracle database_server 19c
netapp active_iq_unified_manager *
oracle nosql_database *
oracle database_server 18c
oracle global_lifecycle_management_opatch *
CVE-2018-1002105 HIGH

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-388,

Products Affected

Vendor Product Version
redhat openshift_container_platform 3.10
kubernetes kubernetes 1.9.12
redhat openshift_container_platform 3.2
netapp trident -
redhat openshift_container_platform 3.3
redhat openshift_container_platform 3.11
redhat openshift_container_platform 3.4
redhat openshift_container_platform 3.5
kubernetes kubernetes *
redhat openshift_container_platform 3.8
redhat openshift_container_platform 3.6
CVE-2018-10545 LOW

An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2018-10546 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
debian debian_linux 9.0
php php *
CVE-2018-10547 MEDIUM

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2018-10548 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2018-10549 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
debian debian_linux 9.0
php php *
CVE-2018-10933 MEDIUM

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-592,CWE-287,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
libssh libssh *
netapp storage_automation_store -
debian debian_linux 8.0
netapp oncommand_unified_manager *
netapp snapcenter -
redhat enterprise_linux 7.0
oracle mysql_workbench *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-11212 MEDIUM

An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation *
redhat enterprise_linux_workstation 7.0
oracle jdk 11.0.1
debian debian_linux 8.0
oracle jdk 1.8.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
redhat satellite 5.8
ijg libjpeg 9a
canonical ubuntu_linux 12.04
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp snapmanager *
canonical ubuntu_linux 14.04
opensuse leap 15.0
CVE-2018-11236 HIGH

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
oracle enterprise_communications_broker 3.0.0
redhat enterprise_linux_workstation 7.0
oracle enterprise_communications_broker 3.1.0
gnu glibc *
redhat enterprise_linux_desktop 7.0
oracle communications_session_border_controller 8.1.0
redhat virtualization_host 4.0
oracle communications_session_border_controller 8.2.0
oracle communications_session_border_controller 8.0.0
netapp element_software_management -
CVE-2018-11237 MEDIUM

An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
oracle enterprise_communications_broker 3.0.0
redhat enterprise_linux_workstation 7.0
oracle enterprise_communications_broker 3.1.0
gnu glibc *
redhat enterprise_linux_desktop 7.0
oracle communications_session_border_controller 8.1.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat virtualization_host 4.0
oracle communications_session_border_controller 8.2.0
oracle communications_session_border_controller 8.0.0
netapp element_software_management -
CVE-2018-11763 MEDIUM

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
oracle hospitality_guest_access 4.2.0
oracle instantis_enterprisetrack 17.1
apache http_server *
netapp storage_automation_store -
oracle retail_xstore_point_of_service 7.1
oracle instantis_enterprisetrack 17.3
redhat enterprise_linux 7.5
oracle enterprise_manager_ops_center 12.3.3
oracle hospitality_guest_access 4.2.1
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
oracle instantis_enterprisetrack 17.2
redhat enterprise_linux 7.4
oracle secure_global_desktop 5.4
canonical ubuntu_linux 18.04
oracle retail_xstore_point_of_service 7.0
CVE-2018-11776 HIGH

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle enterprise_manager_base_platform 13.4.0.0
oracle mysql_enterprise_monitor *
oracle communications_policy_management *
netapp oncommand_insight -
apache struts *
netapp active_iq_unified_manager *
oracle enterprise_manager_base_platform 13.3.0.0
netapp snapcenter -
CVE-2018-11784 MEDIUM

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
oracle retail_order_broker 15.0
oracle retail_order_broker 5.1
apache tomcat *
oracle instantis_enterprisetrack 17.3
redhat enterprise_linux_desktop 7.0
oracle hospitality_guest_access 4.2.1
oracle secure_global_desktop 5.4
canonical ubuntu_linux 16.04
apache tomcat 9.0.0
oracle retail_order_broker 5.2
canonical ubuntu_linux 14.04
oracle communications_application_session_controller 3.7.1
oracle hospitality_guest_access 4.2.0
oracle communications_application_session_controller 3.8.0
redhat enterprise_linux_workstation 7.0
oracle instantis_enterprisetrack 17.1
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.6
oracle instantis_enterprisetrack 17.2
redhat enterprise_linux_server_aus 7.6
CVE-2018-12015 MEDIUM

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
netapp data_ontap_edge -
netapp oncommand_workflow_automation -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp snapdrive -
canonical ubuntu_linux 12.04
netapp snap_creator_framework -
archive::tar_project archive::tar *
perl perl *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
apple mac_os_x *
CVE-2018-12099 MEDIUM

Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp storagegrid_webscale_nas_bridge -
grafana grafana *
netapp active_iq_performance_analytics_services -
CVE-2018-12538 MEDIUM

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-6,CWE-384,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp santricity_cloud_connector -
netapp hyper_converged_infrastructure -
netapp snapcenter -
netapp oncommand_unified_manager -
netapp e-series_santricity_web_services_proxy -
netapp snap_creator_framework -
netapp oncommand_system_manager *
eclipse jetty *
netapp snapmanager -
netapp e-series_santricity_management_plug-ins -
CVE-2018-1258 MEDIUM

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle insurance_rules_palette 11.1
oracle retail_financial_integration 16.0
netapp storage_automation_store -
oracle retail_central_office 14.0
oracle agile_plm 9.3.6
netapp oncommand_unified_manager *
oracle enterprise_manager_ops_center 12.3.3
oracle insurance_rules_palette 10.1
oracle communications_converged_application_server *
netapp snapcenter -
oracle weblogic_server 12.1.3.0
oracle communications_diameter_signaling_router *
oracle retail_point-of-service 14.0
oracle retail_customer_insights 15.0
oracle retail_returns_management 14.0
oracle retail_customer_insights 16.0
oracle communications_network_integrity *
oracle enterprise_repository 12.1.3.0.0
oracle retail_returns_management 14.1
oracle endeca_information_discovery_integrator 3.2.0
oracle insurance_rules_palette 11.0
oracle insurance_rules_palette 10.2
oracle weblogic_server 12.2.1.3
oracle insurance_calculation_engine 10.1.1
oracle micros_lucas 2.9.5
oracle insurance_policy_administration 11.0
oracle goldengate_for_big_data 12.3.1.1
oracle retail_assortment_planning 16.0
oracle weblogic_server 12.2.1.2
pivotal_software spring_security *
oracle enterprise_repository 11.1.1.7.0
netapp oncommand_insight -
oracle insurance_rules_palette 10.0
oracle peoplesoft_enterprise_fin_install 9.2
oracle insurance_policy_administration 10.2
oracle goldengate_for_big_data 12.2.0.1
oracle application_testing_suite 12.5.0.3
oracle retail_financial_integration 15.0
oracle retail_xstore_point_of_service 17.0
oracle retail_financial_integration 13.2
oracle weblogic_server 10.3.6.0
oracle application_testing_suite 13.1.0.1
oracle agile_plm 9.3.3
oracle enterprise_manager_for_mysql_database 13.2
oracle tape_library_acsls 8.4
oracle application_testing_suite 10.1
oracle retail_central_office 14.1
oracle retail_integration_bus 14.1.2
oracle application_testing_suite 13.2.0.1
oracle retail_back_office 14.0
oracle mysql_enterprise_monitor *
oracle insurance_calculation_engine 10.2
oracle retail_assortment_planning 15.0
oracle agile_plm 9.3.5
oracle hospitality_guest_access 4.2.1
oracle big_data_discovery 1.6.0
oracle endeca_information_discovery_integrator 3.1.0
oracle retail_point-of-service 14.1
oracle service_architecture_leveraging_tuxedo 12.2.2.0.0
oracle healthcare_master_person_index 4.0
oracle communications_performance_intelligence_center *
netapp oncommand_workflow_automation -
oracle hospitality_guest_access 4.2.0
oracle communications_services_gatekeeper *
oracle agile_plm 9.3.4
oracle retail_assortment_planning 14.1
oracle insurance_policy_administration 10.0
oracle healthcare_master_person_index 3.0
oracle retail_financial_integration 14.0
vmware spring_framework 5.0.5
oracle insurance_policy_administration 10.1
oracle health_sciences_information_manager 3.0
oracle retail_financial_integration 14.1
oracle enterprise_manager_ops_center 12.2.2
oracle service_architecture_leveraging_tuxedo 12.1.3.0.0
oracle goldengate_for_big_data 12.3.2.1
redhat fuse 7.3.0
oracle retail_back_office 14.1
oracle insurance_calculation_engine 10.2.1
CVE-2018-1283 LOW

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
apache http_server *
netapp storage_automation_store -
debian debian_linux 8.0
netapp santricity_cloud_connector -
redhat enterprise_linux 7.5
canonical ubuntu_linux 17.10
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
netapp storagegrid -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-1285 HIGH

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle hospitality_opera_5 5.6
oracle hospitality_simphony 18.2.7.2
fedoraproject fedora 32
fedoraproject fedora 31
netapp manageability_software_development_kit -
oracle hospitality_opera_5 5.5
apache log4net *
fedoraproject fedora 30
netapp snapcenter -
oracle hospitality_simphony 19.1.3
CVE-2018-12882 HIGH

exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp storage_automation_store -
php php *
CVE-2018-1301 MEDIUM

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
apache http_server *
netapp storage_automation_store -
debian debian_linux 8.0
netapp santricity_cloud_connector -
redhat enterprise_linux 7.5
canonical ubuntu_linux 17.10
canonical ubuntu_linux 12.04
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
netapp storagegrid -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-1302 MEDIUM

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
apache http_server *
netapp storage_automation_store -
netapp storagegrid -
netapp santricity_cloud_connector -
CVE-2018-1303 MEDIUM

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
apache http_server *
netapp storage_automation_store -
debian debian_linux 8.0
netapp storagegrid -
netapp santricity_cloud_connector -
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-1312 MEDIUM

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
apache http_server 2.4.1
redhat enterprise_linux_desktop 7.0
apache http_server 2.4.9
apache http_server 2.4.7
apache http_server 2.4.12
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache http_server 2.4.6
apache http_server 2.4.10
apache http_server 2.4.29
netapp storagegrid -
apache http_server 2.4.18
netapp cloud_backup -
apache http_server 2.4.16
apache http_server 2.4.26
canonical ubuntu_linux 14.04
debian debian_linux 9.0
apache http_server 2.4.2
apache http_server 2.4.3
apache http_server 2.4.23
redhat enterprise_linux_workstation 7.0
apache http_server 2.4.27
apache http_server 2.4.4
redhat jboss_core_services 1.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
apache http_server 2.4.20
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_tus 7.6
apache http_server 2.4.17
netapp clustered_data_ontap -
redhat enterprise_linux_server_aus 7.6
apache http_server 2.4.28
apache http_server 2.4.25
CVE-2018-1333 MEDIUM

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
apache http_server 2.4.33
canonical ubuntu_linux 18.04
apache http_server *
redhat jboss_core_services 1.0
netapp storage_automation_store -
netapp cloud_backup -
CVE-2018-1413 LOW

IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138819.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2018-14550 MEDIUM

An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle mysql_workbench *
oracle hyperion_infrastructure_technology 11.1.2.6.0
libpng libpng 1.6.35
netapp active_iq_unified_manager -
netapp oncommand_api_services -
CVE-2018-14634 HIGH

An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
paloaltonetworks pan-os *
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_desktop 7.0
f5 big-ip_analytics *
netapp snapprotect -
netapp active_iq_performance_analytics_services -
f5 big-ip_domain_name_system *
f5 iworkflow *
redhat enterprise_linux_server 6.0
f5 big-ip_edge_gateway *
f5 big-ip_local_traffic_manager *
f5 big-iq_centralized_management *
redhat enterprise_linux_desktop 6.0
f5 big-ip_application_acceleration_manager *
f5 big-ip_policy_enforcement_manager *
linux linux_kernel *
f5 big-ip_access_policy_manager *
f5 enterprise_manager 3.1.1
redhat enterprise_linux_server_aus 6.6
canonical ubuntu_linux 14.04
f5 big-ip_webaccelerator *
redhat enterprise_linux_server_eus 6.7
redhat enterprise_linux_workstation 7.0
f5 big-iq_cloud_and_orchestration 1.0.0
redhat enterprise_linux_server_eus 7.6
f5 big-ip_advanced_firewall_manager *
f5 traffix_signaling_delivery_controller 4.4.0
redhat enterprise_linux_server_aus 6.5
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_tus 7.6
f5 big-iq_centralized_management 4.6.0
redhat enterprise_linux_server_tus 6.6
f5 big-ip_application_security_manager *
redhat enterprise_linux_server_aus 7.6
f5 traffix_signaling_delivery_controller *
f5 big-ip_fraud_protection_service *
f5 big-ip_link_controller *
f5 big-ip_global_traffic_manager *
CVE-2018-14718 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
oracle jdeveloper 12.2.1.3.0
oracle retail_workforce_management_software 1.60.9.0.0
netapp snapcenter -
oracle banking_platform 2.5.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle primavera_p6_enterprise_project_portfolio_management 16.2
fasterxml jackson-databind *
oracle jd_edwards_enterpriseone_tools 9.2
oracle banking_platform 2.6.1
redhat openshift_container_platform *
oracle global_lifecycle_management_opatch *
oracle enterprise_manager_for_virtualization 13.3.1
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle enterprise_manager_for_virtualization 13.2.3
oracle financial_services_analytical_applications_infrastructure 8.0.7
netapp steelstore_cloud_integrated_storage -
oracle financial_services_analytical_applications_infrastructure 8.0.5
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle communications_instant_messaging_server 10.0.1.3.0
oracle retail_merchandising_system 16.0
oracle banking_platform 2.6.2
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle nosql_database 19.3.12
oracle siebel_engineering_-_installer_&_deployment *
oracle communications_billing_and_revenue_management 7.5
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle business_process_management_suite 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
oracle primavera_p6_enterprise_project_portfolio_management 15.2
oracle siebel_ui_framework *
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle primavera_unifier *
oracle nosql_database *
debian debian_linux 9.0
oracle business_process_management_suite 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management 15.1
redhat openshift_container_platform 3.10
netapp oncommand_workflow_automation -
oracle webcenter_portal 12.2.1.3.0
debian debian_linux 8.0
oracle jdeveloper 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.6
CVE-2018-14719 HIGH

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
oracle jdeveloper 12.2.1.3.0
oracle retail_merchandising_system 16.0
oracle banking_platform 2.6.2
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle retail_workforce_management_software 1.60.9.0.0
netapp snapcenter -
oracle database_server 12.1.0.2
oracle banking_platform 2.5.0
oracle communications_billing_and_revenue_management 7.5
oracle database_server 12.2.0.1
oracle primavera_p6_enterprise_project_portfolio_management 16.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle primavera_p6_enterprise_project_portfolio_management 16.2
oracle business_process_management_suite 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.2
fasterxml jackson-databind *
oracle primavera_p6_enterprise_project_portfolio_management 15.2
oracle financial_services_analytical_applications_infrastructure 8.0.3
oracle primavera_unifier *
debian debian_linux 9.0
oracle database_server 18c
oracle banking_platform 2.6.1
oracle business_process_management_suite 12.1.3.0.0
oracle primavera_p6_enterprise_project_portfolio_management 15.1
redhat openshift_container_platform *
oracle global_lifecycle_management_opatch *
oracle enterprise_manager_for_virtualization 13.3.1
netapp oncommand_workflow_automation -
oracle webcenter_portal 12.2.1.3.0
oracle enterprise_manager_for_virtualization 13.2.3
oracle financial_services_analytical_applications_infrastructure 8.0.7
debian debian_linux 8.0
oracle database_server 11.2.0.4
netapp steelstore_cloud_integrated_storage *
oracle jdeveloper 12.1.3.0.0
oracle financial_services_analytical_applications_infrastructure 8.0.5
oracle primavera_p6_enterprise_project_portfolio_management 18.8
oracle primavera_p6_enterprise_project_portfolio_management *
oracle financial_services_analytical_applications_infrastructure 8.0.4
oracle clusterware 12.1.0.2.0
oracle financial_services_analytical_applications_infrastructure 8.0.2
oracle database_server 19c
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_analytical_applications_infrastructure 8.0.6
CVE-2018-14851 MEDIUM

exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2018-14883 MEDIUM

An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2018-14884 MEDIUM

An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp storage_automation_store -
php php *
CVE-2018-15132 MEDIUM

An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp storage_automation_store -
php php *
CVE-2018-15473 MEDIUM

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
netapp storage_replication_adapter *
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp data_ontap -
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp vasa_provider *
netapp ontap_select_deploy -
netapp cloud_backup -
openbsd openssh *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
redhat enterprise_linux_workstation 7.0
siemens scalance_x204rna_firmware *
netapp virtual_storage_console *
debian debian_linux 8.0
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp cn1610_firmware -
netapp clustered_data_ontap -
netapp service_processor -
oracle sun_zfs_storage_appliance_kit 8.8.6
netapp fas_baseboard_management_controller -
CVE-2018-15919 MEDIUM

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp steelstore -
netapp data_ontap_edge -
netapp cn1610_firmware -
netapp ontap_select_deploy -
netapp cloud_backup -
openbsd openssh *
CVE-2018-16597 MEDIUM

An issue was discovered in the Linux kernel before 4.8. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
netapp element_software -
linux linux_kernel *
opensuse leap 42.3
netapp active_iq_performance_analytics_services -
CVE-2018-16866 LOW

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-200,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
systemd_project systemd *
redhat enterprise_linux_compute_node_eus 7.6
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_for_ibm_z_systems_eus 7.6
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_for_power_big_endian 7.0
netapp active_iq_performance_analytics_services -
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat enterprise_linux 7.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.6
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_for_ibm_z_systems_(structure_a) 7_s390x
debian debian_linux 9.0
canonical ubuntu_linux 18.10
netapp element_software *
redhat enterprise_linux_for_power_big_endian_eus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_for_power_little_endian_eus 7.6
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_aus 7.6
CVE-2018-16871 MEDIUM

A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat mrg_realtime 2.0
netapp h500s_firmware -
netapp h410c_firmware -
redhat developer_tools 1.0
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
linux linux_kernel *
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_aus 7.6
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2018-16888 LOW

It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-250,CWE-269,

Products Affected

Vendor Product Version
netapp element_software -
redhat enterprise_linux 7.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
systemd_project systemd *
netapp active_iq_performance_analytics_services -
CVE-2018-16890 MEDIUM

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
oracle communications_operations_monitor 4.0
oracle communications_operations_monitor 3.4
oracle secure_global_desktop 5.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap *
f5 big-ip_access_policy_manager *
oracle http_server 12.2.1.3.0
siemens sinema_remote_connect_client *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
haxx libcurl *
CVE-2018-17082 MEDIUM

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
debian debian_linux 9.0
php php *
CVE-2018-17182 HIGH

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp element_software -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
netapp active_iq_performance_analytics_services -
debian debian_linux 9.0
CVE-2018-17189 MEDIUM

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
fedoraproject fedora 28
fedoraproject fedora 29
netapp storage_automation_store -
oracle retail_xstore_point_of_service 7.1
oracle instantis_enterprisetrack 17.3
netapp santricity_cloud_connector -
oracle enterprise_manager_ops_center 12.3.3
oracle hospitality_guest_access 4.2.1
apache http_server 2.4.33
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache http_server 2.4.29
apache http_server 2.4.18
apache http_server 2.4.26
canonical ubuntu_linux 14.04
oracle retail_xstore_point_of_service 7.0
debian debian_linux 9.0
apache http_server 2.4.35
canonical ubuntu_linux 18.10
oracle hospitality_guest_access 4.2.0
apache http_server 2.4.23
oracle instantis_enterprisetrack 17.1
apache http_server 2.4.27
redhat jboss_core_services 1.0
apache http_server 2.4.20
apache http_server 2.4.37
apache http_server 2.4.34
apache http_server 2.4.17
oracle instantis_enterprisetrack 17.2
apache http_server 2.4.28
oracle sun_zfs_storage_appliance_kit 8.8.6
apache http_server 2.4.30
apache http_server 2.4.25
CVE-2018-17199 MEDIUM

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-384,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache http_server *
netapp storage_automation_store -
debian debian_linux 8.0
netapp santricity_cloud_connector -
canonical ubuntu_linux 14.04
oracle enterprise_manager_ops_center 12.3.3
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-18065 MEDIUM

_set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
paloaltonetworks pan-os *
netapp hyper_converged_infrastructure -
netapp data_ontap -
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp solidfire_element_os -
netapp storagegrid_webscale -
netapp cloud_backup -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
net-snmp net-snmp *
CVE-2018-18066 MEDIUM

snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp solidfire_element_os -
netapp storagegrid_webscale -
netapp hyper_converged_infrastructure -
netapp cloud_backup -
netapp data_ontap -
net-snmp net-snmp *
CVE-2018-18311 HIGH

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux 6.0
fedoraproject fedora 29
redhat enterprise_linux 7.5
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
mcafee web_gateway *
redhat enterprise_linux 7.6
netapp e-series_santricity_os_controller -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 12.04
netapp snap_creator_framework -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 7.4
perl perl *
redhat openshift_container_platform 3.11
redhat enterprise_linux_server_aus 7.6
netapp snapdriver -
apple mac_os_x *
CVE-2018-18312 HIGH

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux 7.5
netapp snapdrive -
netapp snapcenter -
netapp snap_creator_framework -
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
perl perl *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-18313 MEDIUM

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux 7.5
netapp snapdrive -
canonical ubuntu_linux 12.04
netapp snapcenter -
netapp snap_creator_framework -
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
perl perl *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
apple mac_os_x *
canonical ubuntu_linux 18.10
CVE-2018-18314 HIGH

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux 7.5
netapp snapdrive -
netapp snapcenter -
netapp snap_creator_framework -
redhat enterprise_linux 7.0
redhat enterprise_linux 7.6
redhat enterprise_linux 7.4
perl perl *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-1842 LOW

IBM Cognos Analytics 11 Configuration tool, under certain circumstances, will bypass OIDC namespace signature verification on its id_token. IBM X-Force ID: 150902.

CVSS 2.0

Severity: LOW

Problem Type: CWE-347,

Products Affected

Vendor Product Version
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2018-18605 MEDIUM

A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
gnu binutils 2.31
debian debian_linux 7.0
debian debian_linux 8.0
netapp data_ontap -
debian debian_linux 9.0
CVE-2018-18606 MEDIUM

An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
gnu binutils 2.31
debian debian_linux 7.0
debian debian_linux 8.0
netapp data_ontap -
debian debian_linux 9.0
CVE-2018-18607 MEDIUM

An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
gnu binutils 2.31
debian debian_linux 7.0
debian debian_linux 8.0
netapp data_ontap -
debian debian_linux 9.0
CVE-2018-19039 MEDIUM

Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat ceph_storage 3.0
netapp storagegrid_webscale_nas_bridge -
redhat enterprise_linux_desktop 7.0
grafana grafana *
netapp active_iq_performance_analytics_services -
CVE-2018-19931 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp vasa_provider *
gnu binutils *
CVE-2018-19932 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp vasa_provider *
gnu binutils *
CVE-2018-19985 LOW

The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 8.0
netapp element_software_management_node -
netapp active_iq_performance_analytics_services -
CVE-2018-20002 MEDIUM

The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
gnu binutils 2.31
netapp vasa_provider *
f5 traffix_signaling_delivery_controller *
f5 traffix_signaling_delivery_controller 4.4.0
CVE-2018-20449 LOW

The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp element_software_management_node -
linux linux_kernel 4.14.90
CVE-2018-20669 HIGH

An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp hci_management_node -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp snapprotect -
CVE-2018-20685 LOW

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
netapp element_software -
redhat enterprise_linux_eus 8.1
winscp winscp *
redhat enterprise_linux_server_aus 8.6
netapp storage_automation_store -
fujitsu m10-4_firmware *
oracle solaris 10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp ontap_select_deploy -
netapp cloud_backup -
openbsd openssh *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
siemens scalance_x204rna_firmware *
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
fujitsu m10-1_firmware *
netapp steelstore_cloud_integrated_storage -
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
siemens scalance_x204rna_eec_firmware *
fujitsu m10-4s_firmware *
redhat enterprise_linux_eus 8.4
fujitsu m12-2_firmware *
CVE-2018-20796 MEDIUM

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
netapp cloud_backup *
gnu glibc *
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
CVE-2018-20836 HIGH

An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp virtual_storage_console *
debian debian_linux 8.0
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp storage_replication_adapter_for_clustered_data_ontap -
f5 traffix_signaling_delivery_controller 5.0.0
netapp snapprotect -
netapp active_iq_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
f5 traffix_signaling_delivery_controller 5.1.0
canonical ubuntu_linux 16.04
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
opensuse leap 15.0
netapp hci_compute_node -
debian debian_linux 9.0
CVE-2018-20839 MEDIUM

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
netapp solidfire_&_hci_management_node -
netapp snapprotect -
systemd_project systemd 242
CVE-2018-20855 LOW

An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp element_software -
linux linux_kernel *
netapp data_availability_services -
opensuse leap 15.1
netapp active_iq_unified_manager *
opensuse leap 15.0
netapp active_iq_performance_analytics_services -
CVE-2018-25015 MEDIUM

An issue was discovered in the Linux kernel before 4.14.16. There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2018-25020 MEDIUM

The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2018-25032 MEDIUM

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
azul zulu 8.60
fedoraproject fedora 36
azul zulu 11.54
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
azul zulu 15.38
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
siemens scalance_sc626-2c_firmware *
siemens scalance_sc632-2c_firmware *
goto gotoassist *
debian debian_linux 9.0
siemens scalance_sc636-2c_firmware *
netapp oncommand_workflow_automation -
azul zulu 7.52
mariadb mariadb *
debian debian_linux 10.0
azul zulu 6.45
azul zulu 17.32
apple mac_os_x 10.15.7
siemens scalance_sc642-2c_firmware *
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp management_services_for_element_software -
nokogiri nokogiri *
siemens scalance_sc646-2c_firmware *
azul zulu 13.46
fedoraproject fedora 35
zlib zlib *
python python *
netapp hci_compute_node -
siemens scalance_sc622-2c_firmware *
apple mac_os_x *
CVE-2018-2562 HIGH

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Partition). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
debian debian_linux 7.0
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
debian debian_linux 9.0
CVE-2018-2581 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
redhat satellite 5.6
netapp vasa_provider_for_clustered_data_ontap 6.0
netapp santricity_cloud_connector -
oracle jdk 1.7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jdk 9.0.1
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat satellite 5.8
netapp e-series_santricity_web_services -
redhat satellite 5.7
oracle jre 9.0.1
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp e-series_santricity_management_plug-ins -
CVE-2018-2612 HIGH

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
debian debian_linux 9.0
oracle mysql *
netapp snapcenter -
CVE-2018-2622 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2627 LOW

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to the Windows installer only. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp vasa_provider_for_clustered_data_ontap 6.0
netapp santricity_cloud_connector -
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
oracle jdk 9.0.1
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat satellite 5.8
netapp e-series_santricity_web_services -
oracle jre 9.0.1
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp e-series_santricity_management_plug-ins -
CVE-2018-2638 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
netapp vasa_provider_for_clustered_data_ontap 6.0
netapp santricity_cloud_connector -
redhat enterprise_linux_desktop 7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp virtual_storage_console 6.0
redhat enterprise_linux_server 6.0
oracle jdk 9.0.1
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_shift -
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat satellite 5.8
netapp e-series_santricity_web_services -
oracle jre 9.0.1
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
netapp e-series_santricity_management_plug-ins -
CVE-2018-2640 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2665 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2668 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2755 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2759 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2761 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2766 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 18.04
debian debian_linux 8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
debian debian_linux 9.0
oracle mysql *
netapp snapcenter -
CVE-2018-2767 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-2771 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2777 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2781 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2782 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-2784 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-2810 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-2812 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2813 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.6
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_tus 7.6
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-2816 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2817 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2818 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp oncommand_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
CVE-2018-2819 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
debian debian_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat openstack 12
redhat enterprise_linux_server_aus 7.6
CVE-2018-2825 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp storage_replication_adapter *
netapp virtual_storage_console *
netapp santricity_cloud_connector -
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp oncommand_unified_manager 7.3
netapp e-series_santricity_web_services -
netapp oncommand_unified_manager -
netapp e-series_santricity_storage_manager -
oracle jdk 10
canonical ubuntu_linux 18.04
netapp vasa_provider *
netapp e-series_santricity_management -
netapp storagegrid -
netapp cloud_backup -
oracle jre 10
netapp snapmanager -
CVE-2018-2826 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp storage_replication_adapter *
netapp virtual_storage_console *
netapp santricity_cloud_connector -
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp oncommand_unified_manager 7.3
netapp e-series_santricity_web_services -
netapp oncommand_unified_manager -
netapp e-series_santricity_storage_manager -
oracle jdk 10
canonical ubuntu_linux 18.04
netapp vasa_provider *
netapp e-series_santricity_management -
netapp storagegrid -
netapp cloud_backup -
oracle jre 10
netapp snapmanager -
CVE-2018-2839 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2846 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-2938 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Java DB). Supported versions that are affected are Java SE: 6u191, 7u181 and 8u172. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. While the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVE-2018-2938 addresses CVE-2018-1313. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
oracle jdk 1.6.0
oracle jdk 1.7.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.7.0
oracle jre 1.8.0
oracle jre 1.6.0
netapp cloud_backup -
netapp snapmanager -
CVE-2018-2940 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat satellite 5.6
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
hp xp7_command_view *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
oracle jdk 10.0.1
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat satellite 5.8
oracle jre 10.0.1
redhat satellite 5.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
CVE-2018-2941 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u181, 8u172 and 10.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
oracle jdk 10.0.1
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
oracle jdk 1.7.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp vasa_provider_for_clustered_data_ontap *
oracle jre 10.0.1
netapp oncommand_unified_manager -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
CVE-2018-2942 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Windows DLL). Supported versions that are affected are Java SE: 7u181 and 8u172. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
oracle jdk 1.7.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
CVE-2018-2952 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat satellite 5.6
redhat enterprise_linux_server_aus 7.7
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
hp xp7_command_view *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp cloud_backup -
oracle jrockit r28.3.18
canonical ubuntu_linux 14.04
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
oracle jdk 10.0.1
netapp plug-in_for_symantec_netbackup -
redhat enterprise_linux_eus 7.6
netapp virtual_storage_console *
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat satellite 5.8
oracle jre 10.0.1
redhat satellite 5.7
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
oracle jre 1.6.0
redhat enterprise_linux_server_aus 7.6
CVE-2018-2964 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u172 and 10.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
oracle jdk 10.0.1
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp vasa_provider_for_clustered_data_ontap *
oracle jre 10.0.1
netapp oncommand_unified_manager -
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
netapp vasa_provider_for_clustered_data_ontap 9.6
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
CVE-2018-2973 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat satellite 5.6
oracle jdk 1.6.0
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp vasa_provider_for_clustered_data_ontap *
netapp oncommand_unified_manager -
hp xp7_command_view *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 1.8.0
netapp cloud_backup -
netapp snapmanager -
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
oracle jdk 10.0.1
netapp plug-in_for_symantec_netbackup -
netapp virtual_storage_console *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat satellite 5.8
oracle jre 10.0.1
redhat satellite 5.7
netapp storage_replication_adapter_for_clustered_data_ontap *
netapp e-series_santricity_storage_manager -
oracle jre 1.6.0
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
CVE-2018-3054 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3056 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3058 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
netapp storage_automation_store -
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-3060 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3061 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3062 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3063 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.60 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
debian debian_linux 8.0
canonical ubuntu_linux 14.04
netapp oncommand_insight -
debian debian_linux 9.0
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
CVE-2018-3064 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
netapp oncommand_insight -
debian debian_linux 9.0
oracle mysql *
netapp snapcenter -
CVE-2018-3065 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3066 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N 0.7 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
netapp storage_automation_store -
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-3067 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3070 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
netapp oncommand_insight -
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
CVE-2018-3071 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Audit Log). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3073 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3074 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles). Supported versions that are affected are 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3075 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3077 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3078 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3079 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3080 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3081 MEDIUM

Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
netapp storage_automation_store -
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2018-3082 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight *
oracle mysql *
netapp snapcenter -
CVE-2018-3084 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Shell: Core / Client). Supported versions that are affected are 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 2.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L 1.3 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2018-3133 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 8.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
CVE-2018-3137 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3143 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp storage_automation_store -
debian debian_linux 8.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-3144 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3145 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3155 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3156 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp storage_automation_store -
debian debian_linux 8.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-3162 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3170 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3173 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3174 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-3182 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3185 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3186 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3187 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3195 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3200 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3203 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3212 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Information Schema). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3247 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3251 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp storage_automation_store -
debian debian_linux 8.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-3276 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3277 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3278 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3279 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Roles). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3280 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: JSON). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3282 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation -
mariadb mariadb *
redhat enterprise_linux_workstation 7.0
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
canonical ubuntu_linux 12.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2018-3283 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Logging). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3284 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 18.10
CVE-2018-3285 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Windows). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3286 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2018-3627 MEDIUM

Logic bug in Intel Converged Security Management Engine 11.x may allow an attacker to execute arbitrary code via local privileged access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp element_software_management_node -
intel converged_security_management_engine_firmware 11.0
CVE-2018-3693 MEDIUM

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
intel xeon_phi 7230
intel core_i5 4402ec
intel core_i7 3770t
intel xeon_e3_1225_v3 -
intel core_i5 750s
intel xeon_e5_2408l_v3 -
intel xeon_e3_1275_v5 -
intel core_i5 6440eq
intel pentium_n n3530
intel core_i3 4100m
intel core_i7 4610m
intel xeon_e7 4820
intel xeon_e3_1225_v2 -
intel xeon_e5 2660_v3
intel xeon_e5 4648_v3
intel xeon_e7 2880_v2
intel xeon_e5 2698_v3
intel core_i7 640m
intel xeon_e5_2609_v2 -
intel xeon_e3 1505m_v6
intel xeon_e5 4620_v4
intel atom_x3 c3235rk
intel xeon_gold 6146
intel core_i5 650
intel xeon_phi 7295
intel atom_z z3530
intel xeon_e5 4650_v2
intel core_i3 4010u
intel xeon_gold 6138f
intel core_i5 2450p
intel xeon_phi 7230f
intel core_i5 4402e
intel xeon_e5 4617
intel core_i7 870s
intel atom_z z3775d
intel xeon_e5 2658a_v3
intel xeon_e7 4807
intel core_i3 2367m
intel xeon_e5 2650l_v4
intel xeon_e3_1220_v3 -
intel xeon_e5_2620_v2 -
intel xeon e5530
intel xeon_e5_2403_v2 -
intel xeon_e5 4657l_v2
oracle communications_eagle_application_processor 16.1.0
intel core_i7 2675qm
intel core_i3 5020u
intel core_m 5y31
intel core_i3 370m
intel core_i7 980
intel core_i3 4340
intel core_i5 4278u
intel xeon_e3_1240l_v5 -
intel core_i5 655k
intel core_i5 3439y
intel core_i5 3210m
intel xeon_e3_1220 -
intel core_i5 4570t
intel core_i5 4200u
intel xeon_e5 2690_v3
intel core_i5 520m
intel core_i7 2960xm
intel core_i7 4790t
intel xeon x3480
intel core_i5 4460
intel core_i7 3632qm
intel xeon_e5 2683_v4
intel xeon_e5_2618l_v4 -
intel core_i3 3250
intel core_i3 4110e
intel xeon_e5 4655_v3
intel xeon_e7 8870
intel core_i5 4210u
intel core_i3 5005u
intel xeon ec5539
intel xeon_e7 2803
intel xeon_e5_2620_v4 -
intel atom_z z2560
intel celeron_j j1850
intel xeon_e7 8870_v2
intel celeron_n n3350
intel atom_c c2350
intel core_i7 4710mq
intel xeon_e5 4640_v3
intel xeon e5540
intel xeon_e5_2603_v3 -
intel core_i5 670
intel xeon_e5_2650_v4 -
intel atom_c c3750
intel core_i7 2640m
intel atom_c c3308
intel core_i5 8350u
intel core_i5 4670
intel xeon_e7 8893_v2
intel xeon_e5_2603_v2 -
intel core_i7 5557u
intel atom_z z3775
intel core_i3 3120me
intel xeon_e3 1565l_v5
intel core_i7 4650u
intel core_m5 6y57
intel core_i5 4670r
intel xeon_e3 1575m_v5
intel xeon_e5_2628l_v2 -
intel core_i3 2377m
intel core_i7 5600u
intel core_i3 6100t
intel xeon_e3_1270_v2 -
intel core_i5 3470s
intel xeon_e5 2697_v3
intel xeon_e3_1220l_v3 -
intel core_i7 2610ue
intel core_m 5y10
intel xeon_e5_2450 -
intel core_i5 3550s
intel core_i5 2450m
intel core_i7 7660u
intel xeon e5620
intel core_i7 2655le
intel core_m 5y51
intel xeon_platinum 8156
intel core_i3 4160t
intel core_i7 2635qm
intel xeon_silver 4114t
intel core_i7 860s
intel xeon_e7 8891_v2
intel core_i3 4330te
intel atom_c c2308
intel xeon_e3_1290_v2 -
intel xeon_e5_1660_v2 -
intel xeon_e5 4650
intel core_i5 4570
intel core_i7 4700mq
intel core_i3 4005u
intel core_i3 6157u
intel core_i3 2330m
intel core_i3 3229y
intel xeon_e7 8830
intel core_i7 5950hq
intel xeon_e5_2603 -
intel xeon_e3_1105c_v2 -
intel core_i5 6585r
intel core_i3 5015u
intel xeon_e7 8837
intel atom_z z3745d
intel xeon_e7 4860
intel core_i7 7920hq
intel xeon_e3_1280_v3 -
intel xeon e5507
intel core_i3 3250t
intel xeon_e5 4669_v4
intel core_i7 4765t
intel xeon_e3_1275_v2 -
intel core_i5 4570te
intel core_i7 8700
intel atom_z z3560
intel xeon_gold 6130f
intel core_i5 4210m
intel core_i5 3470
intel core_i7 5750hq
intel xeon_e5_2628l_v4 -
intel xeon e5506
intel core_i3 4158u
intel xeon_e7 8880l_v2
intel atom_c c2558
intel xeon_e3_1505m_v5 -
intel core_i5 661
intel xeon_e5_1428l_v2 -
intel xeon_e5_2450l -
intel xeon_e3 1535m_v6
intel xeon_e3_1260l_v5 -
intel core_i7 4770s
intel xeon_e3_1501l_v6 -
intel core_i5 6600
intel atom_c c2718
intel xeon_e5_2648l -
intel core_i7 4980hq
intel core_i5 2410m
intel xeon_e5 2667_v2
intel xeon_e3_1220_v2 -
intel xeon_e3_1280_v5 -
intel xeon_e5_2430_v2 -
intel xeon_e5_2618l_v2 -
intel core_i3 4150
intel core_i7 4960hq
intel atom_c c2508
intel atom_z z3770
intel xeon_phi 7290f
intel xeon_e7 8893_v3
intel core_i3 2115c
intel xeon_e5 2690_v2
intel xeon_e5_1620_v2 -
intel core_i5 6300hq
intel xeon_e5 2660_v2
fujitsu m12-1_firmware *
intel xeon_e7 8891_v3
intel xeon_e7 4809_v4
intel core_i5 2500t
intel core_i3 330um
intel core_i5 4330m
intel xeon_gold 6126f
intel core_i5 2550k
intel atom_z z3736f
intel xeon_e3_1235 -
intel core_i7 4550u
intel xeon_e3_1280 -
intel xeon_e5_2640 -
intel core_i3 4330
intel xeon_e3_1240 -
intel core_i7 4510u
intel xeon_e5_1620 -
intel core_i5 3470t
intel core_i5 6260u
intel xeon x3460
intel core_i5 4302y
intel core_i3 4030y
intel xeon_e5 2697a_v4
intel atom_x3 c3205rk
redhat enterprise_linux_workstation 6.0
intel xeon_e5_2407 -
redhat enterprise_linux_server_eus 7.5
intel xeon_e3_1225 -
intel core_i7 5775c
redhat enterprise_linux_server_tus 7.4
intel xeon_e3_1230 -
intel core_i7 960
intel xeon ec5549
intel xeon_platinum 8170m
intel atom_c c3958
intel xeon_e7 8894_v4
intel core_i7 2649m
intel atom_c c2550
intel xeon_e5 4667_v4
intel celeron_n n2940
intel atom_z z2760
intel core_i5 3340m
intel xeon_e3_1230_v3 -
intel core_i5 520e
intel core_i5 4210h
intel core_i7 8700k
intel xeon w3690
intel core_i7 4750hq
intel core_i7 4770hq
intel core_i7 4702mq
intel xeon e5606
intel xeon_e5_2650 -
intel xeon e5503
intel xeon_e5_2450l_v2 -
intel core_i5 2390t
intel core_i5 3610me
intel xeon_e7 8890_v4
intel core_i5 3450s
intel xeon_e3_1235l_v5 -
intel xeon_e3_1285l_v3 -
intel core_i5 580m
intel atom_z z3745
intel xeon_silver 4116t
intel celeron_n n2930
intel xeon_e5_2608l_v4 -
intel xeon_e7 2850
intel core_i7 2820qm
intel atom_c c2518
intel core_i3 2105
intel core_i7 5775r
intel atom_z z2460
intel core_i7 2600s
intel xeon e7540
intel core_i5 5287u
intel core_i3 330e
intel atom_c c2530
intel core_i5 4300y
intel core_i3 4350
intel core_i3 380m
intel core_i5 5575r
intel xeon_e3_1230_v5 -
intel core_i5 4570s
intel core_i3 4170t
intel xeon_e3_1246_v3 -
intel xeon x5560
intel core_i3 4130
intel xeon_e5_1620_v4 -
intel xeon_e7 2850_v2
intel core_i5 3337u
intel core_i5 4430
intel core_i7 3720qm
intel core_i7 7700k
intel xeon e7520
intel core_i3 4150t
intel xeon e5630
intel core_i7 4950hq
fujitsu m12-2_firmware *
intel core_i5 2500s
intel core_i5 4288u
intel core_i5 4310u
intel atom_c c2750
intel core_i5 4422e
intel xeon_e3_1220_v5 -
intel atom_z z3735g
intel core_i7 2670qm
intel core_i7 5550u
intel core_i7 4810mq
intel xeon_e5 4607_v2
redhat enterprise_linux_desktop 7.0
intel xeon_e3_1240_v5 -
intel core_i5 520um
intel core_i5 3570s
intel xeon_gold 6142m
intel core_i3 390m
intel core_i7 3555le
intel xeon_e7 8890_v2
intel core_i7 4610y
intel xeon_e7 2860
intel core_i7 3740qm
intel xeon_silver 4114
intel xeon_e3_1285_v6 -
intel atom_x3 c3295rk
intel core_i7 2920xm
intel xeon e5649
intel xeon_e3_1270 -
intel core_i7 4790k
intel xeon_e5_2430 -
intel core_i7 3610qm
intel xeon_e7 8890_v3
intel xeon_gold 6150
intel core_i7 620ue
intel xeon_gold 6126
intel xeon_e5_2630 -
intel xeon_e5_2630_v2 -
intel celeron_j j1750
intel xeon_e5_1630_v4 -
intel core_i7 7700t
intel atom_x3 c3405
intel xeon_e3_1240_v6 -
intel core_i7 7560u
intel xeon_gold 6154
intel core_i7 3520m
intel xeon_e7 4809_v3
intel xeon_e5_2650l_v3 -
intel core_i7 2677m
intel core_i7 4712hq
intel xeon_e3_1258l_v4 -
intel xeon_e5 2687w_v2
intel xeon_e5_2418l_v2 -
intel core_i5 3317u
intel xeon_platinum 8176f
intel core_i7 4850hq
intel xeon_e7 8880_v4
intel xeon_e5 2695_v2
intel xeon_silver 4108
intel xeon x5672
intel xeon_e7 4820_v4
intel xeon_e5 2680_v3
intel core_i5 6360u
intel core_i3 4340te
intel xeon_e7 8850
intel core_i7 3667u
intel xeon_bronze_3106 -
arm cortex-a 8
intel core_m 5y71
intel core_i5 480m
intel core_i3 2125
intel core_i3 4020y
intel xeon x6550
intel core_i5 3450
intel xeon_e5_2609_v3 -
intel core_i5 6350hq
intel xeon e5504
intel core_i7 3517u
intel xeon_e5_2650l_v2 -
intel core_i5 660
intel xeon_e5 4640
intel core_i5 5250u
intel core_i3 330m
intel core_i3 3217u
intel xeon_e5_2628l_v3 -
intel core_i7 8650u
intel xeon_e7 4860_v2
intel core_i3 530
intel core_i7 4700hq
intel xeon_e5 4610_v3
intel core_i7 4785t
intel xeon_platinum 8160f
intel xeon e5640
intel xeon_e5_2637 -
intel core_i7 4771
intel xeon_e3_1245_v5 -
intel core_i5 3330s
intel core_i7 8550u
intel xeon_e5_2620 -
intel xeon_e5 4620
intel core_i3 6098p
intel xeon_e5_2637_v2 -
intel core_i3 6100h
intel core_i7 4770t
intel xeon_e7 8860_v3
intel xeon_e7 4870_v2
intel core_i7 2720qm
intel xeon e5603
intel core_i5 5257u
intel core_i5 4670k
intel core_i7 2630qm
intel core_i3 4170
intel core_i5 6600t
intel xeon_e5_2420_v2 -
intel core_i3 4010y
intel core_i5 6400
intel celeron_n n2820
intel atom_c c2358
intel core_i3 3240t
intel core_i3 4100u
intel xeon x5670
intel xeon_e3 1535m_v5
intel xeon_e5_1650_v2 -
intel atom_x3 c3230rk
intel core_i7 4700ec
intel xeon_e5 2699_v4
intel xeon_e3_1505l_v5 -
intel core_i5 460m
intel xeon x3450
intel core_i3 3130m
intel xeon_e3_1275_v3 -
intel xeon_e5_2650_v3 -
intel xeon l5640
intel xeon_gold 5115
intel core_i5 5350h
intel core_i7 860
intel celeron_j j1900
intel xeon_e3_1245 -
intel core_i7 7700
intel xeon_e3_1230_v6 -
intel xeon_e5 2698_v4
intel xeon_e3_1276_v3 -
intel xeon_gold 6128
intel xeon_platinum 8180
intel xeon_e3_1265l_v2 -
intel core_i7 2600
intel atom_e e3827
intel core_i7 5500u
intel core_i7 3840qm
intel core_i3 4370t
intel xeon l5518
intel core_i7 3770s
intel atom_z z3795
intel xeon l5508
intel xeon ec5509
intel core_i5 6267u
intel xeon_e5 2680_v4
intel core_i5 3570t
intel xeon l7555
intel xeon_gold 5119t
intel atom_c c2538
intel celeron_j j3455
intel core_i5 3350p
intel atom_c c2316
intel core_i5 2310
intel xeon_e5_2640_v4 -
intel xeon_e7 8870_v3
intel core_i3 550
intel core_i7 4700eq
intel core_i5 4670s
intel atom_c c2338
intel core_i7 2760qm
intel xeon_e5 4610_v4
intel xeon_e7 4830_v2
intel core_i3 4100e
intel core_i3 2100t
intel xeon_e5_2643_v4 -
intel xeon l3426
intel core_i3 3220t
intel xeon_e5_2428l_v2 -
intel core_i5 3437u
intel xeon_platinum 8160t
intel xeon_e7 2890_v2
intel pentium_j j4205
intel core_i3 4030u
intel xeon_e3_1281_v3 -
intel xeon_e5 2687w_v4
intel core_i7 2700k
intel atom_c c2758
redhat enterprise_linux_server 7.0
intel atom_z z3740
intel core_i5 4440s
intel core_i3 5157u
intel core_i7 920xm
intel celeron_n n2815
intel xeon_e7 4830_v4
intel celeron_j j3060
intel celeron_j j4005
intel atom_c c2516
intel celeron_n n3010
intel core_i5 4410e
intel xeon_e5_2630_v3 -
intel xeon_e3_1275_v6 -
intel xeon_e5 2699a_v4
intel core_i7 610e
intel core_i5 6300u
intel xeon_phi 7285
intel xeon_e3_1285l_v4 -
intel atom_z z3770d
intel core_i5 2500k
intel xeon_e5_2640_v2 -
intel core_i7 2710qe
intel atom_z z3735f
intel pentium_n n3520
intel xeon x7550
intel xeon_e3_1505l_v6 -
intel xeon_e5_1650_v4 -
intel xeon x5570
intel xeon_e3_1501m_v6 -
intel core_i7 2629m
intel xeon x3470
intel xeon_e5_2623_v3 -
intel xeon_e5 4624l_v2
intel xeon_e5_2630l_v3 -
intel xeon_e5_2643_v3 -
intel core_i5 430um
intel core_m7 6y75
intel xeon_e5 2690_v4
intel xeon_e5_1428l -
intel core_i5 4200h
intel xeon_e3_1225_v6 -
intel xeon_e5 4603_v2
intel xeon_e7 4830
intel core_i7 5850hq
intel celeron_n n2840
intel xeon_e7 2830
intel core_i7 2715qe
intel xeon_e5 2658
intel xeon_gold 6142f
intel xeon_e5 2695_v4
intel xeon_e7 4820_v2
intel xeon x5680
intel atom_z z3736g
intel xeon_e5_2428l_v3 -
intel xeon_e5_1660_v3 -
intel core_i7 3610qe
intel xeon_e5_2630l_v2 -
intel xeon_e3_1220_v6 -
intel core_i3 6300
intel core_i7 660ue
intel xeon_e7 8880_v3
intel core_i7 5650u
intel core_i5 4460t
intel core_i7 875k
intel core_i7 720qm
intel core_i7 4860hq
redhat enterprise_linux 7.0
intel xeon_e3_1275l_v3 -
intel xeon_e5 2670
intel core_i5 3339y
intel core_i5 4690s
intel xeon_platinum 8160m
intel xeon_e3_1125c -
intel atom_z z2420
intel core_i5 4220y
intel core_i3 5010u
intel core_i5 680
intel core_i7 4800mq
intel core_i3 2120t
intel core_i5 6200u
intel xeon l3406
intel core_i3 6100
intel xeon_e3_1268l_v5 -
arm cortex-a 76
intel atom_x3 c3445
intel core_i3 2328m
intel xeon x5687
intel core_i7 3820qm
intel xeon_e5_2620_v3 -
intel xeon_e7 2870
intel xeon_e5 4620_v2
intel core_i5 4210y
intel pentium_n n3510
intel xeon l5530
redhat enterprise_linux_server_eus 7.6
intel xeon_e5 2658_v3
intel core_i5 4350u
intel core_i5 6287u
intel core_i5 750
intel core_i7 4900mq
intel xeon_e5_2470_v2 -
intel xeon_gold 5120
arm cortex-a 72
intel atom_z z2520
intel xeon_e5_1630_v3 -
intel xeon e5645
intel celeron_n n3060
intel xeon_gold 6126t
intel xeon_e7 2820
intel core_i7 930
intel atom_c c3858
intel xeon_e5 2697_v2
intel xeon_e5_2440_v2 -
intel core_i7 7820hq
intel core_i5 4308u
intel core_i7 7600u
intel core_i3 3227u
intel core_i7 660um
intel xeon_e5_2650l -
intel core_i7 3635qm
intel atom_z z3460
fujitsu m12-2s_firmware *
intel xeon_e5 2680_v2
intel core_i3 3115c
intel core_i5 2405s
intel core_i7 7700hq
intel atom_z z3480
intel xeon_gold 6152
intel xeon_e7 4850_v4
intel xeon_e3_1245_v3 -
intel core_i3 3210
intel core_i7 880
intel celeron_n n3450
intel xeon_e7 8850_v2
intel xeon_phi 7250f
intel core_i5 4690t
intel core_i5 4250u
intel xeon_e5 2667_v3
intel core_i5 2380p
intel atom_c c2730
intel xeon_e5_2418l -
intel xeon_e5 4640_v2
intel xeon_e5_2643 -
arm cortex-r 8
intel xeon_gold 5120t
intel core_i3 8350k
intel xeon_e5 4669_v3
intel xeon l5630
intel xeon_gold 5122
intel xeon_e7 8867_v3
arm cortex-a 9
intel core_i3 560
intel core_i5 6442eq
intel xeon_e3 1515m_v5
intel core_i5 2400s
intel xeon_gold 6132
intel celeron_n n2830
intel xeon_e3_1280_v2 -
intel xeon_e3_1280_v6 -
intel xeon_e5_2609 -
intel core_i5 8250u
intel atom_z z3735d
intel xeon_e5_2630_v4 -
intel xeon_e7 8867_v4
intel atom_z z3735e
intel xeon_platinum 8176m
intel core_i5 3570k
intel xeon_e3_1230l_v3 -
intel core_i7 4712mq
intel core_i3 8100
intel xeon_e7 4880_v2
intel xeon_silver 4112
intel core_i5 4690k
intel core_i3 4120u
intel xeon_gold 6140m
intel atom_z z2580
intel xeon x5650
intel xeon_e5_2448l -
intel core_i5 3475s
intel celeron_n n2810
intel core_i7 680um
intel xeon lc5518
intel core_i3 350m
schneider-electric struxureware_data_center_expert 7.6.0
intel core_i5 760
redhat enterprise_linux_server 6.0
intel core_i5 6500t
intel xeon_e5 2687w_v3
intel core_i7 920
intel core_i7 3630qm
intel xeon_e7 8860
intel core_i7 620le
intel atom_c c3758
intel core_i3 6300t
intel core_i7 975
intel xeon_e7 4870
intel xeon_e3_1240l_v3 -
intel xeon_e3_1241_v3 -
intel core_i3 3225
intel core_i3 2102
intel core_i5 4400e
intel core_i5 4310m
intel xeon_e3_1271_v3 -
intel core_i5 3360m
intel core_i7 870
intel core_i3 4000m
intel core_i3 6100e
intel atom_x3 c3130
intel core_i3 4370
intel celeron_n n4100
intel xeon_e3_1278l_v4 -
intel core_i5 3570
intel xeon_silver 4110
intel core_i5 2435m
intel core_i7 3615qe
intel core_i5 2400
intel core_i7 620lm
intel core_i5 6685r
intel xeon_e5 4610_v2
intel core_i5 4590t
intel core_i3 6167u
intel celeron_n n3160
intel core_i5 8600k
intel atom_x3 c3265rk
intel atom_c c3955
intel core_i5 5675c
intel xeon_platinum 8153
intel core_i7 3770
intel core_i5 2500
intel core_m3 7y30
intel xeon w3670
intel atom_c c3338
intel core_i7 990x
intel core_i7 7567u
intel core_i3 6100te
intel core_i5 6440hq
intel core_i7 970
intel core_i5 5675r
intel xeon x5647
intel core_i7 4500u
intel core_m 5y70
intel atom_c c3830
intel xeon_e3 1578l_v5
intel xeon_e5 2660
oracle communications_lsms *
intel pentium_n n3700
intel xeon_phi 7290
arm cortex-a 17
intel celeron_j j3160
intel xeon_e5 4603
intel core_i5 4590
intel core_i3 4012y
intel core_i7 4710hq
intel xeon_e5 4628l_v4
intel core_i7 3612qm
intel celeron_n n4000
intel xeon_e7 8860_v4
intel core_i5 560m
redhat enterprise_linux_server_aus 7.6
intel atom_c c3558
intel xeon_e3_1270_v5 -
intel xeon_gold 6140
intel xeon_e5 4620_v3
intel core_i5 4670t
intel core_i7 840qm
intel xeon x5690
intel xeon_e3_1285_v3 -
intel celeron_n n3150
intel core_i7 2617m
intel celeron_j j4105
intel core_i5 3340
intel atom_c c3850
intel xeon_e5_2603_v4 -
intel xeon_platinum 8176
intel xeon_e3 1558l_v5
intel xeon_e5 2687w
intel xeon_gold 6138
intel core_i7 950
intel xeon_e5 2699_v3
intel core_i7 4578u
intel xeon x5675
intel xeon_gold 6130
intel xeon x5677
intel xeon_gold 6138t
intel core_i3 4160
intel core_i7 2860qm
intel atom_e e3845
intel xeon_e5_2630l_v4 -
intel core_i7 4760hq
intel xeon_e7 8891_v4
intel xeon_e5_2650_v2 -
intel atom_z z3590
intel xeon_e5_1620_v3 -
intel xeon_e7 4890_v2
intel core_i5 3330
intel xeon_e5_2450_v2 -
intel xeon_e5_2618l_v3 -
intel core_i3 2375m
intel xeon_e5 2667
intel celeron_n n2910
intel xeon_e3_1225_v5 -
intel xeon_e3_1240_v3 -
intel pentium_j j2900
intel pentium_n n3710
intel core_i5 430m
intel core_i5 4360u
intel core_i3 2330e
intel core_i7 4770k
intel xeon_gold 6144
intel xeon_e3_1275 -
intel core_m3 6y30
intel core_i7 4770te
intel xeon_e7 4850
intel core_i5 4258u
intel xeon e7530
intel xeon_e3_1290 -
intel xeon_e3_1260l -
intel core_i5 4200y
intel xeon_e5_1660 -
intel xeon_e3 1545m_v5
intel core_i5 4340m
intel core_i3 2348m
intel core_i7 5700eq
intel core_i7 2620m
intel core_i5 2540m
intel xeon_e3 1585_v5
intel xeon_e5 4640_v4
intel xeon l5638
intel core_i5 4202y
intel xeon_e3 1585l_v5
intel xeon_e5_2438l_v3 -
intel core_i7 4558u
intel core_i7 820qm
intel core_i7 2600k
intel core_i7 4702hq
intel xeon_e5 2699r_v4
intel core_m5 6y54
intel xeon_e5 2695_v3
intel xeon_e5_2623_v4 -
intel xeon_gold 6134
intel core_i3 3240
intel xeon x5550
intel xeon_e7 4809_v2
intel celeron_n n2805
intel core_i3 2340ue
intel xeon_e3_1286l_v3 -
intel pentium_n n4200
intel celeron_j j1800
intel celeron_n n3050
intel xeon_e5_2407_v2 -
intel xeon_e5 2658_v2
intel xeon x7560
intel xeon_silver 4109t
intel xeon lc5528
intel core_i5 5200u
intel xeon_e7 2870_v2
intel xeon_e5 2680
intel xeon_e3_1286_v3 -
intel xeon_platinum 8168
intel xeon_e7 8870_v4
intel core_i7 7500u
intel xeon_e3_1231_v3 -
intel xeon e5502
intel xeon_e5 2670_v2
intel core_i5 4570r
intel core_i3 3110m
intel core_i7 4790
intel core_i7 3612qe
intel xeon_e5 2658_v4
intel core_i7 7820eq
intel core_i7 4600u
intel core_i3 2310m
intel core_i5 3380m
intel core_m3 7y32
intel core_i3 2357m
intel core_i7 5850eq
intel celeron_n n2807
intel core_i3 2100
intel atom_e e3815
intel core_i5 4590s
intel atom_z z2480
intel xeon_e5_2637_v3 -
intel core_i3 3220
intel core_i5 5300u
intel core_i7 4770
intel core_i5 3230m
intel xeon e6510
intel xeon_e3_12201_v2 -
intel xeon_e3_1270_v3 -
intel core_i5 2300
intel core_i7 3537u
intel xeon_e3_1265l_v4 -
intel core_i3 6320
intel core_i5 4690
intel core_i5 2537m
intel xeon w5590
intel atom_c c3508
arm cortex-a 12
intel core_i5 3340s
intel core_i7 640um
intel atom_z z3785
arm cortex-a 75
intel xeon l5609
intel core_i3 2350m
intel core_i3 6100u
intel xeon_e7 8867l
intel xeon l5506
intel xeon_e3_1226_v3 -
intel core_i7 2637m
intel core_i5 450m
intel core_i7 620um
intel xeon_e5_1680_v4 -
intel core_i5 540m
intel core_i7 4770r
intel xeon_e5 4610
intel xeon_e5_2440 -
intel core_i3 6006u
intel celeron_n n2808
intel xeon_e5 4627_v3
intel core_i5 6500te
intel atom_z z3740d
intel xeon_platinum 8158
intel core_i5 3320m
intel core_i5 4300m
intel xeon w5580
intel xeon_platinum 8160
intel xeon_e7 4830_v3
intel xeon_e3_1240_v2 -
intel core_i3 540
intel core_i3 4130t
arm cortex-a 15
intel core_i5 2510e
intel core_i5 5350u
intel core_i5 560um
intel celeron_n n3000
intel core_i7 4870hq
intel xeon_e5_2608l_v3 -
intel xeon_e5_2418l_v3 -
intel xeon_e5 2665
intel core_i5 2467m
redhat enterprise_linux_desktop 6.0
intel core_i5 4440
intel xeon_phi 7235
intel core_i5 4260u
intel core_i3 2365m
intel core_i3 2312m
intel xeon x5660
intel core_i7 4790s
intel xeon_e5_2648l_v4 -
intel core_i5 3427u
intel xeon_gold 5118
intel xeon_silver 4116
intel xeon_gold 6134m
intel core_i7 940xm
intel xeon_e5_2470 -
intel xeon_e5_1428l_v3 -
intel core_i5 4200m
intel xeon_e5 4667_v3
intel xeon_e5 2667_v4
intel xeon_e3_1268l_v3 -
redhat enterprise_linux_server_tus 7.6
intel xeon_e7 8880l_v3
intel core_i3 4360
intel atom_c c3950
intel xeon_bronze_3104 -
arm cortex-r 7
intel core_i5 3550
intel xeon_e5_1680_v3 -
intel pentium_j j2850
intel core_i7 3689y
intel core_i7 4600m
intel core_i3 4360t
intel core_i7 940
intel core_i7 3615qm
intel xeon_e3_1245_v2 -
intel atom_x3 c3200rk
intel core_i3 3217ue
intel xeon l5618
intel xeon_e5 4627_v4
intel xeon_e5_2420 -
intel xeon_e5_2643_v2 -
intel xeon_e5_2648l_v3 -
intel xeon_e5 2660_v4
intel xeon_gold 6148f
intel core_i5 2320
intel core_i5 470um
intel core_i7 4702ec
intel xeon_e7 8893_v4
intel xeon_e5_2428l -
intel core_i3 4112e
intel pentium_j j3710
intel xeon_e5 2670_v3
intel xeon_gold 6136
intel xeon_e7 4850_v2
intel core_i7 2657m
intel core_i7 3517ue
intel xeon_gold 6142
intel xeon_e5 4660_v4
intel xeon_e5_2430l -
intel xeon_e5_2637_v4 -
intel xeon_gold 6130t
intel core_i3 4350t
intel core_i5 2520m
intel core_i5 6600k
intel core_i7 640lm
intel atom_c c3708
intel core_i7 7y75
intel xeon e5607
intel atom_c c3538
redhat enterprise_linux_workstation 7.0
intel core_i5 6402p
intel xeon e6540
intel xeon_e3_1265l_v3 -
intel xeon_e3_1125c_v2 -
intel core_i3 3120m
intel xeon_e7 4850_v3
intel xeon_e3_1285_v4 -
intel xeon e5520
intel xeon_e5 4650_v4
intel xeon_e7 8880_v2
intel core_i3 2120
intel core_i5 4300u
intel atom_z z3580
intel pentium_n n3540
intel xeon l7545
intel xeon_e5 4607
intel xeon_e5_2630l -
arm cortex-a 57
intel core_i3 4330t
intel core_i5 2430m
intel xeon_e5_2448l_v2 -
intel core_i7 3687u
intel xeon x3430
intel core_i7 3770k
intel xeon_e3_1270_v6 -
intel xeon_e-1105c -
intel core_i3 380um
intel core_i7 740qm
intel xeon_e5 4650_v3
intel xeon_e5 2683_v3
intel xeon_e5_2403 -
intel xeon_phi 7210f
intel xeon_e5_1650_v3 -
intel core_m 5y10a
intel core_i7 5700hq
intel xeon_e3_1230_v2 -
intel xeon_e5 4660_v3
intel core_i7 4722hq
intel xeon_platinum 8170
intel core_i5 2515e
netapp solidfire_element_os_management_node -
intel core_i7 660lm
intel core_i7 3540m
intel xeon_e5_2640_v3 -
intel core_i7 4910mq
intel xeon_gold 6148
intel xeon_e5_2648l_v2 -
intel xeon_e5 4627_v2
intel core_i7 965
intel core_i3 2130
intel core_i5 6500
intel xeon_e7 8857_v2
arm cortex-a 73
intel core_i5 6400t
intel core_i3 4110m
intel core_i7 980x
intel core_i7 7820hk
intel atom_e e3825
intel xeon x5667
intel celeron_j j3355
intel core_m 5y10c
intel atom_e e3826
redhat enterprise_linux_server_aus 7.4
intel celeron_n n2920
intel xeon l5520
intel xeon x3440
intel atom_e e3805
oracle communications_eagle_application_processor 16.2.0
intel xeon_e5_1660_v4 -
redhat enterprise_linux_eus 7.4
intel xeon_e5_1650 -
intel xeon_e5_2430l_v2 -
intel atom_c c2738
intel core_i3 4102e
intel xeon_phi 7210
intel core_i3 2310e
intel core_i3 4025u
intel core_i5 4430s
intel celeron_n n2806
intel xeon w3680
intel xeon_e5_2609_v4 -
intel core_i3 6102e
intel core_i5 4460s
intel xeon_e3_12201 -
intel core_i5 2557m
intel xeon_e5 4655_v4
intel xeon x7542
intel xeon_platinum 8164
intel atom_z z3570
intel xeon_e5 2697_v4
intel core_i7 620m
intel xeon_e7 4820_v3
intel xeon_e3_1245_v6 -
intel xeon_e5 4650l
intel core_i3 2370m
intel core_i5 540um
intel core_i5 8400
intel core_i3 3245
intel core_i7 4720hq
intel xeon_phi 7250
intel atom_c c3808
intel xeon_e5 2690
CVE-2018-3721 MEDIUM

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-471,CWE-1321,

Products Affected

Vendor Product Version
netapp system_manager 9.0
netapp active_iq_unified_manager -
lodash lodash *
CVE-2018-5481 MEDIUM

OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MITM) attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2018-5482 MEDIUM

NetApp SnapCenter Server prior to 4.1 does not set the secure flag for a sensitive cookie in an HTTPS session which can allow the transmission of the cookie in plain text over an unencrypted channel.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,

Products Affected

Vendor Product Version
netapp snapcenter_server *
CVE-2018-5485 MEDIUM

NetApp OnCommand Unified Manager for Windows versions 7.2 through 7.3 are susceptible to a vulnerability which could lead to a privilege escalation attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2018-5486 MEDIUM

NetApp OnCommand Unified Manager for Linux versions 7.2 though 7.3 ship with the Java Debug Wire Protocol (JDWP) enabled which allows unauthorized local attackers to execute arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2018-5487 HIGH

NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2018-5488 HIGH

NetApp SANtricity Web Services Proxy versions 1.10.x000.0002 through 2.12.X000.0002 and SANtricity Storage Manager 11.30.0X00.0004 through 11.42.0X00.0001 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp santricity_storage_manager *
netapp santricity_web_services_proxy *
CVE-2018-5489 MEDIUM

NetApp 7-Mode Transition Tool allows users with valid credentials to access functions and information which may have been intended to be restricted to administrators or privileged users. 7MTT versions below 2.0 do not enforce user authorization rules on file information and status that it has previously collected. The released version of 7MTT has been updated to maintain and verify authorization rules for file information, status and utilities.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
netapp 7-mode_transition_tool *
CVE-2018-5490 MEDIUM

Read-Only export policy rules are not correctly enforced in Clustered Data ONTAP 8.3 Release Candidate versions and therefore may allow more than "read-only" access from authenticated SMBv2 and SMBv3 clients. This behavior has been resolved in the GA release. Customers running prior release candidates (RCs) are requested to update their systems to the NetApp Data ONTAP 8.3 GA release.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2018-5492 HIGH

NetApp E-Series SANtricity OS Controller Software 11.30 and later version 11.30.5 is susceptible to unauthenticated remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2018-5495 HIGH

All StorageGRID Webscale versions are susceptible to a vulnerability which could permit an unauthenticated attacker to communicate with systems on the same network as the StorageGRID Webscale Admin Node via HTTP or to take over services on the Admin Node.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp storagegrid_webscale -
CVE-2018-5496 LOW

Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp data_ontap 8.2.5
netapp data_ontap *
CVE-2018-5497 LOW

Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap 9.1
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.4
CVE-2018-5498 LOW

Clustered Data ONTAP versions 9.0 through 9.4 are susceptible to a vulnerability which allows remote authenticated attackers to cause a Denial of Service (DoS) in NFS and SMB environments. Exploitation of this vulnerability will allow a remote authenticated attacker to cause a Denial of Service (DoS) on affected versions of clustered Data ONTAP configured for multiprotocol access.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2018-5734 MEDIUM

While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information. Affects BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp data_ontap_edge -
netapp solidfire_element_os_management_node -
isc bind 9.10.6
isc bind 9.10.5
CVE-2018-5736 LOW

An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test. Affects BIND 9.12.0 and 9.12.1.

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
isc bind 9.12.1
netapp data_ontap_edge -
netapp cloud_backup -
isc bind 9.12.0
CVE-2018-5737 MEDIUM

A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation -- either degradation or denial of service. Affects BIND 9.12.0 and 9.12.1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
isc bind 9.12.1
netapp data_ontap_edge -
netapp cloud_backup -
isc bind 9.12.0
CVE-2018-5740 MEDIUM

"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp data_ontap_edge -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
hp hp-ux -
opensuse leap 15.1
opensuse leap 42.3
redhat enterprise_linux_desktop 7.0
canonical ubuntu_linux 12.04
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_aus 7.6
isc bind *
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
CVE-2018-5968 MEDIUM

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-184,CWE-502,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
redhat virtualization 4.0
redhat openshift_container_platform 3.11
redhat virtualization_host 4.0
debian debian_linux 8.0
fasterxml jackson-databind *
redhat openshift_container_platform 4.1
redhat jboss_enterprise_application_platform 7.1
debian debian_linux 9.0
netapp oncommand_shift -
netapp e-series_santricity_web_services_proxy -
CVE-2018-6443 MEDIUM

A vulnerability in Brocade Network Advisor Versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications. A remote unauthenticated user who has access to Network Advisor client libraries and able to decrypt the Jboss credentials could gain access to the Jboss web console.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
brocade network_advisor *
netapp brocade_network_advisor -
CVE-2018-6444 HIGH

A Vulnerability in Brocade Network Advisor versions before 14.1.0 could allow a remote unauthenticated attacker to execute arbitray code. The vulnerability could also be exploited to execute arbitrary OS Commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
brocade network_advisor *
netapp brocade_network_advisor -
CVE-2018-6445 MEDIUM

A Vulnerability in Brocade Network Advisor versions before 14.0.3 could allow a remote unauthenticated attacker to export the current user database which includes the encrypted (not hashed) password of the systems. The attacker could gain access to the Brocade Network Advisor System after extracting/decrypting the passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
brocade network_advisor *
netapp brocade_network_advisor -
CVE-2018-6485 HIGH

An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp element_software -
netapp data_ontap_edge -
netapp storage_replication_adapter *
oracle enterprise_communications_broker 3.0.0
redhat enterprise_linux_workstation 7.0
netapp vasa_provider 6.x
netapp virtual_storage_console *
oracle enterprise_communications_broker 3.1.0
gnu glibc *
redhat enterprise_linux_desktop 7.0
netapp steelstore_cloud_integrated_storage -
oracle communications_session_border_controller 8.1.0
netapp vasa_provider *
redhat virtualization_host 4.0
netapp cloud_backup -
oracle communications_session_border_controller 8.2.0
netapp virtual_storage_console -
oracle communications_session_border_controller 8.0.0
netapp element_software_management -
CVE-2018-7170 LOW

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci -
hpe hpux-ntp *
synology virtual_diskstation_manager *
synology vs960hd_firmware *
netapp solidfire -
ntp ntp 4.2.8
synology skynas *
synology router_manager *
synology diskstation_manager *
ntp ntp *
CVE-2018-7182 MEDIUM

The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp element_software -
canonical ubuntu_linux 18.04
canonical ubuntu_linux 17.10
ntp ntp 4.2.8
CVE-2018-7183 HIGH

Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp element_software -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
freebsd freebsd 10.3
canonical ubuntu_linux 17.10
canonical ubuntu_linux 14.04
ntp ntp 4.2.8
freebsd freebsd 10.4
canonical ubuntu_linux 12.04
freebsd freebsd 11.1
CVE-2018-7184 MEDIUM

ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
synology router_manager 1.1
canonical ubuntu_linux 17.10
synology diskstation_manager 6.1
ntp ntp 4.2.8
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
synology virtual_diskstation_manager -
synology vs960hd_firmware -
slackware slackware_linux 14.0
synology diskstation_manager 5.2
netapp cloud_backup -
synology skynas -
canonical ubuntu_linux 14.04
slackware slackware_linux 14.1
synology diskstation_manager 6.0
slackware slackware_linux 14.2
CVE-2018-7185 MEDIUM

The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle fujitsu_m10-4_firmware *
oracle fujitsu_m12-1_firmware *
synology vs960hd_firmware *
oracle fujitsu_m10-1_firmware *
canonical ubuntu_linux 17.10
oracle fujitsu_m12-2_firmware *
ntp ntp 4.2.8
synology skynas *
synology router_manager *
canonical ubuntu_linux 12.04
netapp hci -
hpe hpux-ntp *
synology virtual_diskstation_manager *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp solidfire -
oracle fujitsu_m12-2s_firmware *
synology diskstation_manager *
ntp ntp *
oracle fujitsu_m10-4s_firmware *
CVE-2018-8011 MEDIUM

By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
apache http_server 2.4.33
netapp cloud_backup -
CVE-2018-8014 HIGH

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
apache tomcat *
netapp storage_automation_store -
apache tomcat 8.0.0
debian debian_linux 8.0
canonical ubuntu_linux 17.10
netapp oncommand_insight -
netapp oncommand_unified_manager *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache tomcat 9.0.0
canonical ubuntu_linux 14.04
CVE-2018-8026 LOW

This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.

CVSS 2.0

Severity: LOW

Problem Type: CWE-611,

Products Affected

Vendor Product Version
netapp storage_automation_store -
apache solr *
netapp snapcenter -
CVE-2019-0192 HIGH

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
netapp storage_automation_store -
apache solr *
CVE-2019-0201 MEDIUM

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
netapp element_software -
oracle goldengate_stream_analytics *
oracle siebel_core_-_server_framework *
debian debian_linux 8.0
apache activemq 5.15.9
apache drill 1.16.0
apache zookeeper 3.5.2
apache zookeeper *
apache zookeeper 3.5.0
redhat fuse 1.0.0
apache zookeeper 3.5.1
apache zookeeper 3.5.3
netapp hci_bootstrap_os -
apache zookeeper 3.5.4
debian debian_linux 9.0
oracle timesten_in-memory_database *
CVE-2019-0211 HIGH

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat openshift_container_platform_for_power 3.11_ppc64le
fedoraproject fedora 28
redhat enterprise_linux_server_tus 8.8
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_for_arm_64 8.0_aarch64
oracle communications_session_route_manager 8.1.0
redhat enterprise_linux_update_services_for_sap_solutions 8.1
redhat enterprise_linux_server_aus 8.6
oracle retail_xstore_point_of_service 7.1
oracle enterprise_manager_ops_center 12.3.3
oracle communications_session_report_manager 8.1.1
redhat enterprise_linux_for_arm_64_eus 8.8_aarch64
redhat software_collections 1.0
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
oracle communications_session_route_manager 8.0.0
redhat enterprise_linux_for_power_little_endian_eus 8.8_ppc64le
redhat enterprise_linux_for_arm_64_eus 8.4_aarch64
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.6_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 8.6_s390x
redhat enterprise_linux_update_services_for_sap_solutions 8.8
redhat enterprise_linux_update_services_for_sap_solutions 8.6
redhat enterprise_linux_server_aus 8.4
oracle communications_session_route_manager 8.1.1
redhat enterprise_linux_server_aus 8.2
redhat openshift_container_platform 3.11
oracle http_server 12.2.1.3.0
redhat enterprise_linux_eus 8.4
oracle communications_session_report_manager 8.2.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.8_s390x
oracle communications_session_route_manager 8.2.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.4_s390x
redhat enterprise_linux_for_ibm_z_systems_eus 8.2_s390x
redhat enterprise_linux_for_arm_64_eus 8.6_aarch64
redhat enterprise_linux_for_arm_64_eus 8.2_aarch64
redhat enterprise_linux_for_power_little_endian_eus 8.1_ppc64le
fedoraproject fedora 29
oracle instantis_enterprisetrack 17.3
fedoraproject fedora 30
redhat enterprise_linux_for_arm_64_eus 8.1_aarch64
oracle enterprise_manager_ops_center 12.4.0
netapp oncommand_unified_manager -
canonical ubuntu_linux 16.04
oracle communications_session_report_manager 8.0.0
canonical ubuntu_linux 14.04
opensuse leap 15.0
redhat enterprise_linux_update_services_for_sap_solutions 8.0
oracle retail_xstore_point_of_service 7.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux_eus 8.2
oracle instantis_enterprisetrack 17.1
apache http_server *
redhat enterprise_linux_server_tus 8.4
redhat jboss_core_services 1.0
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_eus 8.8
redhat enterprise_linux_for_power_little_endian_eus 8.4_ppc64le
opensuse leap 42.3
oracle instantis_enterprisetrack 17.2
redhat enterprise_linux_for_power_little_endian_eus 8.2_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 8.1_s390x
oracle communications_session_report_manager 8.1.0
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
CVE-2019-0217 MEDIUM

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
fedoraproject fedora 28
fedoraproject fedora 29
oracle retail_xstore_point_of_service 7.1
fedoraproject fedora 30
redhat enterprise_linux_desktop 7.0
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
netapp oncommand_unified_manager -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
oracle retail_xstore_point_of_service 7.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux_workstation 7.0
apache http_server *
debian debian_linux 8.0
opensuse leap 42.3
canonical ubuntu_linux 12.04
netapp clustered_data_ontap -
oracle http_server 12.2.1.3.0
redhat enterprise_linux -
CVE-2019-0222 MEDIUM

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle identity_manager_connector 9.0
oracle goldengate_stream_analytics *
oracle enterprise_manager_base_platform 13.2.0.0.0
oracle enterprise_manager_base_platform 13.3.0.0.0
netapp e-series_santricity_web_services -
oracle communications_diameter_signaling_router 8.1
oracle enterprise_manager_base_platform 12.1.0.5.0
oracle communications_diameter_signaling_router 8.0.0
oracle communications_diameter_signaling_router 8.2
oracle enterprise_repository 12.1.3.0.0
apache activemq *
oracle communications_diameter_signaling_router 8.2.1
debian debian_linux 9.0
CVE-2019-10092 MEDIUM

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 10.0
redhat software_collection 1.0
apache http_server *
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
oracle secure_global_desktop 5.5
oracle enterprise_manager_ops_center 12.3.3
canonical ubuntu_linux 19.04
oracle communications_element_manager 8.0.0
oracle enterprise_manager_ops_center 12.4.0
oracle communications_element_manager 8.1.0
oracle secure_global_desktop 5.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap *
oracle communications_element_manager 8.2.0
netapp clustered_data_ontap 9.6
opensuse leap 15.0
debian debian_linux 9.0
oracle communications_element_manager 8.1.1
CVE-2019-1010204 MEDIUM

GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-681,

Products Affected

Vendor Product Version
netapp hci_management_node -
netapp solidfire -
gnu binutils_gold *
gnu binutils *
CVE-2019-10125 HIGH

An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
linux linux_kernel *
linux linux_kernel 5.1
netapp hci_management_node -
netapp solidfire -
netapp snapprotect -
netapp active_iq_unified_manager *
CVE-2019-10126 HIGH

A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_for_real_time 7
redhat enterprise_linux_server 8.0
opensuse leap 15.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_real_time_tus 8.4
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat virtualization 4.0
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
debian debian_linux 9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 8.4
netapp h610s_firmware -
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
netapp hci_management_node -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
netapp a700s_firmware -
redhat enterprise_linux_aus 8.2
redhat enterprise_linux_eus 7.7
netapp cn1610_firmware -
redhat enterprise_linux_aus 8.4
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_for_real_time_for_nfv 7
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-10160 MEDIUM

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-172,CWE-522,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 31
redhat enterprise_linux_eus 7.6
fedoraproject fedora 29
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
redhat enterprise_linux_desktop 7.0
canonical ubuntu_linux 19.04
canonical ubuntu_linux 12.04
netapp converged_systems_advisor_agent -
redhat enterprise_linux_server_tus 7.6
python python 3.8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat virtualization 4.0
redhat enterprise_linux_server_aus 7.6
netapp cloud_backup -
canonical ubuntu_linux 14.04
python python *
opensuse leap 15.0
debian debian_linux 9.0
CVE-2019-10174 MEDIUM

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-470,CWE-470,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.2
redhat openshift_application_runtimes -
redhat single_sign-on -
redhat jboss_data_grid -
infinispan infinispan *
netapp active_iq_unified_manager -
redhat fuse 1.0
redhat jboss_enterprise_application_platform -
CVE-2019-10184 MEDIUM

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-862,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_enterprise_application_platform 7.2
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.4
redhat openshift_application_runtimes 1.0
redhat jboss_enterprise_application_platform -
redhat single_sign-on 7.3
redhat single_sign-on 7.0
redhat openshift_application_runtimes -
redhat jboss_enterprise_application_platform 7.3
redhat single_sign-on -
redhat jboss_data_grid -
redhat undertow *
CVE-2019-10212 MEDIUM

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
redhat single_sign-on *
redhat jboss_enterprise_application_platform 7.2
redhat jboss_data_grid *
redhat openshift_application_runtimes -
redhat jboss_enterprise_application_platform 7.3
redhat jboss_data_grid -
redhat undertow *
redhat jboss_fuse *
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.4
redhat jboss_enterprise_application_platform -
CVE-2019-10219 MEDIUM

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle java_se 7u321
netapp element -
oracle retail_extract_transform_and_load 13.2.8
oracle hospitality_suite8 8.14.0
oracle agile_plm 9.3.6
oracle communications_data_model 11.3.2.3.0
oracle argus_safety 8.2.3
oracle solaris 11
oracle webcenter_portal 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle communications_convergent_charging_controller *
oracle retail_integration_bus 19.0.1
oracle insurance_rules_palette 10.2.4
oracle retail_price_management 16.0.3
oracle communications_application_session_controller 3.9.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle banking_digital_experience 18.1
oracle utilities_testing_accelerator 6.0.0.1.1
oracle airlines_data_model 12.1.1.0.0
oracle application_express 21.1.4
oracle argus_insight 8.2.1
oracle financial_services_analytical_applications_infrastructure *
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle retail_allocation 19.0.1
oracle primavera_analytics 20.12.12.0
oracle retail_point-of-sale 14.1
oracle communications_unified_inventory_management 7.4.1
oracle utilities_framework *
oracle utilities_framework 4.2.0.3.0
oracle retail_eftlink 20.0.1
redhat fuse 1.0
oracle retail_size_profile_optimization 16.0.3
oracle retail_price_management 15.0
oracle communications_interactive_session_recorder 6.4
oracle financial_services_behavior_detection_platform 8.0.8
oracle webcenter_portal 12.2.1.3.0
oracle retail_predictive_application_server 16.0.3
oracle banking_deposits_and_lines_of_credit_servicing 2.12.0
oracle retail_analytics *
oracle thesaurus_management_system 5.3.0
oracle banking_digital_experience 21.1
oracle instantis_enterprisetrack 17.2
oracle retail_predictive_application_server 14.1.3.46
oracle airlines_data_model 12.2.0.1.0
oracle argus_safety 8.2.2
oracle insurance_policy_administration_j2ee *
oracle business_intelligence 5.5.0.0.0
oracle timesten_in-memory_database *
oracle retail_order_management_system 19.5
redhat jboss_enterprise_application_platform 7.2
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.9.0
oracle insurance_policy_administration_j2ee 10.2.0
oracle java_se 8u311
oracle communications_unified_inventory_management 7.4.2
oracle insurance_rules_palette 11.0.2
oracle insurance_policy_administration 11.3.0
oracle retail_xstore_point_of_service 20.0.1
oracle retail_predictive_application_server 15.0.3.115
oracle business_activity_monitoring 12.2.1.4.0
oracle banking_digital_experience 17.2
redhat single_sign-on -
oracle primavera_unifier 20.12
oracle insurance_policy_administration 11.3.1
oracle banking_loans_servicing 2.12.0
oracle banking_apis 18.3
oracle communications_cloud_native_core_policy 1.14.0
netapp snapcenter_plug-in -
oracle commerce_platform *
oracle primavera_analytics 18.8.3.3
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_network_charging_and_control 6.0.1.0.0
oracle mysql_server *
oracle communications_calendar_server 8.0.0.5.0
oracle peoplesoft_enterprise_cs_sa_integration_pack 9.2
oracle peoplesoft_enterprise_people_tools 8.59
oracle insurance_insbridge_rating_and_underwriting *
oracle banking_platform 2.7.1
oracle communications_cloud_native_core_console 1.7.0
oracle hyperion_infrastructure_technology 11.2.7.0
oracle banking_apis 21.1
oracle primavera_analytics 19.12.11.1
oracle http_server 12.2.1.3.0
oracle communications_unified_inventory_management 7.3.0
oracle retail_financial_integration 16.0.3
oracle agile_product_lifecycle_management_integration_pack 3.6
oracle e-business_suite *
oracle weblogic_server 12.2.1.3.0
oracle primavera_gateway 21.12.0
oracle zfs_storage_application_integration_engineering_software 1.3.3
oracle peoplesoft_enterprise_cs_sa_integration_pack 9.0
oracle financial_services_enterprise_case_management 8.0.11
oracle hospitality_reporting_and_analytics 9.1.0
oracle communications_data_model 12.1.0.1.0
oracle retail_eftlink 16.0.3
oracle mysql_connectors *
oracle demantra_demand_management *
oracle retail_allocation 16.0.3
oracle access_manager 11.1.2.3.0
oracle flexcube_investor_servicing 12.1.0
oracle utilities_framework 4.2.0.2.0
oracle retail_back_office 14.1
oracle mysql_workbench *
oracle bi_publisher 5.5.0.0.0
oracle communications_converged_application_server_-_service_controller 6.2
redhat jboss_enterprise_application_platform 7.3
oracle communications_cloud_native_core_network_repository_function 1.14.0
oracle communications_network_integrity 7.3.5
oracle retail_service_backbone 19.0.1
oracle retail_service_backbone 14.1.3.2
oracle commerce_guided_search 11.3.2
oracle hyperion_ilearning 6.3
oracle primavera_unifier 18.8
oracle retail_price_management 15.0.3
oracle retail_invoice_matching 16.0.3
oracle banking_enterprise_default_management 2.10.0
oracle financial_services_enterprise_case_management 8.0.7
oracle communications_billing_and_revenue_management 12.0.0.3
oracle retail_merchandising_system 19.0.1
oracle banking_apis 19.1
oracle health_sciences_information_manager 3.0.2
oracle communications_service_broker 6.2
oracle retail_price_management 14.1.3
oracle graalvm 21.3.0
oracle essbase_administration_services *
oracle retail_order_broker 16.0
oracle healthcare_translational_research 4.1.0
oracle retail_integration_bus 14.1.3.2
oracle retail_integration_bus 14.1.3.0
oracle communications_operations_monitor 5.0
oracle fusion_middleware 12.2.1.4.0
oracle retail_central_office 14.1
oracle retail_predictive_application_server 16.0.3.240
oracle http_server 12.2.1.4.0
oracle hospitality_suite8 8.11.0
oracle retail_assortment_planning 16.0.3
oracle primavera_gateway *
oracle communications_operations_monitor 4.2
oracle communications_design_studio 7.3.4
oracle communications_data_model 11.3.2.2.0
oracle insurance_rules_palette 11.3.1
oracle communications_unified_inventory_management 7.3.4
oracle primavera_portfolio_management *
oracle nosql_database *
oracle communications_cloud_native_core_security_edge_protection_proxy 1.6.0
oracle primavera_p6_professional_project_management *
oracle banking_apis 18.2
oracle communications_messaging_server 8.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
oracle retail_predictive_application_server 15.0.3
oracle sd-wan_edge 9.0
oracle banking_apis 19.2
oracle graalvm 20.3.4
oracle banking_digital_experience 20.1
oracle health_sciences_information_manager 3.0.3
oracle banking_apis 18.1
oracle essbase_administration_services 11.1.2.4.47
oracle communications_billing_and_revenue_management 12.0.0.4
netapp management_services_for_element_software_and_netapp_hci -
oracle communications_operations_monitor 4.4
oracle financial_services_trade-based_anti_money_laundering 8.0.8
oracle solaris 10
oracle banking_enterprise_default_management 2.7.0
oracle insurance_data_gateway 11.2.7
oracle banking_enterprise_default_management 2.6.2
oracle clinical 5.2.2
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle retail_integration_bus 19.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle healthcare_foundation 8.1.0
oracle enterprise_data_quality 12.2.1.4.0
redhat jboss_data_grid -
oracle flexcube_investor_servicing 14.5.0
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_service_backbone 14.1.3.0
oracle communications_contacts_server 8.0.0.3.0
oracle communications_design_studio 7.3.5
oracle mysql_server 5.7.36
oracle communications_data_model 11.3.2.1.0
oracle fujitsu_m10-1_firmware -
oracle access_manager 12.2.1.4.0
oracle managed_file_transfer 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
oracle utilities_framework 4.4.0.2.0
oracle communications_design_studio 7.4.2
oracle retail_price_management 14.1
oracle flexcube_private_banking 12.1.0
oracle application_performance_management 13.5.1.0
netapp active_iq_unified_manager -
oracle clinical 5.2.1
oracle communications_services_gatekeeper 7.0
oracle thesaurus_management_system 5.3.1
oracle insurance_policy_administration 11.2.7
oracle retail_price_management 14.0.4
oracle big_data_spatial_and_graph 23.1
oracle access_manager 12.2.1.3.0
oracle enterprise_communications_broker 3.3
oracle rest_data_services 21.2.4
oracle hospitality_suite8 8.12.0
oracle business_intelligence 12.2.1.4.0
oracle communications_pricing_design_center 12.0.0.4.0
oracle mysql_connectors 8.0.27
oracle insurance_insbridge_rating_and_underwriting 5.2.0
oracle communications_session_border_controller 8.3
oracle primavera_portfolio_management 20.0.0.1
oracle retail_order_broker 19.1
oracle retail_returns_management 14.1
oracle hospitality_cruise_shipboard_property_management_system 20.1.0
oracle communications_cloud_native_core_binding_support_function 1.9.0
oracle policy_automation 10.4.7
oracle primavera_unifier 21.12
oracle application_performance_management 13.4.1.0
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.8
oracle fusion_middleware 12.2.1.3.0
oracle java_se 17.1
oracle insurance_data_gateway 11.1.0
oracle communications_unified_inventory_management 7.5.0
oracle fujitsu_m10-4s_firmware -
oracle business_process_management_suite 12.2.1.4.0
oracle banking_digital_experience 19.2
oracle database_server 19c
oracle enterprise_session_border_controller 9.0
oracle primavera_p6_enterprise_project_portfolio_management 21.12.0.0
oracle financial_services_trade-based_anti_money_laundering 8.0.7
oracle retail_allocation 14.1.3.2
oracle sd-wan_aware 8.2
oracle hospitality_suite8 8.10.2
oracle financial_services_behavior_detection_platform 8.0.11
oracle database_server 21c
oracle documaker *
oracle primavera_data_warehouse 19.12.11.1
oracle goldengate *
oracle retail_eftlink 18.0.1
oracle communications_cloud_native_core_automated_test_suite 1.8.0
oracle utilities_framework 4.4.0.0.0
oracle communications_design_studio 7.4.0
oracle communications_webrtc_session_controller 7.2.1
redhat openshift_application_runtimes -
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle communications_session_border_controller 8.4
oracle healthcare_data_repository 8.1.0
oracle argus_analytics 8.2.1
oracle siebel_applications *
oracle banking_party_management 2.7.0
oracle fujitsu_m12-2_firmware -
oracle healthcare_foundation *
oracle retail_eftlink 19.0.1
oracle insurance_policy_administration 11.0.2
oracle rapid_planning *
oracle retail_service_backbone 15.0.3.1
oracle communications_cloud_native_core_security_edge_protection_proxy 1.5.0
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.11
redhat jboss_enterprise_application_platform -
oracle jdk 11.0.13
oracle communications_convergence 3.0.2.2.0
oracle hyperion_ilearning 6.2
oracle primavera_data_warehouse 20.12.12.0
oracle graph_server_and_client *
oracle insurance_policy_administration 11.1.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle retail_order_broker 18.0
oracle retail_predictive_application_server 14.1.3
oracle hyperion_financial_management 11.1.2.4
oracle argus_insight 8.2.3
oracle fujitsu_m12-2s_firmware -
oracle financial_services_model_management_and_governance *
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle flexcube_private_banking 12.0.0
oracle real-time_decision_server 3.2.0.0
oracle banking_platform *
oracle weblogic_server 12.1.3.0.0
oracle instantis_enterprisetrack 17.3
oracle retail_price_management 16.0
oracle agile_engineering_data_management 6.2.1.0
oracle utilities_framework 4.4.0.3.0
oracle database_server 12.1.0.2
oracle insurance_policy_administration_j2ee 10.2.4
oracle insurance_data_gateway 11.3.1
oracle primavera_data_warehouse 18.8.3.3
oracle hospitality_suite8 8.13.0
oracle banking_enterprise_default_management 2.12.0
oracle business_process_management_suite 12.2.1.3.0
oracle communications_data_model 12.1.2.0.0
oracle flexcube_investor_servicing 14.4.0
oracle real_user_experience_insight 13.5.1.0
oracle flexcube_investor_servicing 12.4.0
oracle instantis_enterprisetrack 17.1
oracle communications_unified_inventory_management 7.4.0
oracle fujitsu_m10-4_firmware -
oracle argus_insight 8.2.2
oracle weblogic_server 12.2.1.4.0
oracle secure_backup 18.1.0.1.0
oracle essbase *
oracle managed_file_transfer 12.2.1.4.0
oracle banking_enterprise_default_management 2.7.1
oracle banking_digital_experience 19.1
oracle utilities_testing_accelerator 6.0.0.3.1
oracle policy_automation *
oracle communications_network_integrity 7.3.6
oracle health_sciences_clinical_development_analytics 4.0.1
oracle business_intelligence 12.2.1.3.0
oracle communications_session_border_controller 8.2
oracle banking_enterprise_default_managment *
oracle flexcube_investor_servicing 12.3.0
oracle retail_service_backbone 19.0.0
oracle communications_webrtc_session_controller 7.2.0
oracle retail_financial_integration 14.1.3.2
oracle retail_xstore_point_of_service 19.0.2
oracle retail_fiscal_management 14.2
oracle hyperion_financial_management 11.2.6.0
oracle enterprise_session_border_controller 8.4
oracle communications_metasolv_solution 6.3.1
oracle peoplesoft_enterprise_people_tools 8.57
oracle enterprise_manager_base_platform 13.4.0.0
oracle banking_apis 20.1
oracle agile_product_lifecycle_analytics 3.6.1
oracle sd-wan_edge 9.1
oracle insurance_policy_administration_j2ee 11.0.2
oracle banking_platform 2.7.0
oracle insurance_rules_palette 10.2.0
oracle health_sciences_inform_crf_submit 6.2.1
oracle retail_customer_insights *
oracle financial_services_behavior_detection_platform 8.0.7
oracle communications_cloud_native_core_security_edge_protection_proxy 1.15.0
oracle bi_publisher 12.2.1.4.0
oracle insurance_data_gateway 11.0.2
oracle communications_interactive_session_recorder 6.3
oracle primavera_portfolio_management 20.0.0.0
oracle communications_pricing_design_center 12.0.0.3.0
oracle healthcare_data_repository 7.0.2
oracle communications_eagle_application_processor *
oracle communications_design_studio 7.4.1
oracle database_server 12.1.0.1
oracle retail_financial_integration 15.0.3.1
oracle primavera_unifier *
oracle retail_invoice_matching 15.0.3
oracle retail_integration_bus *
oracle thesaurus_management_system 5.2.3
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.7
oracle fujitsu_m12-1_firmware -
oracle banking_digital_experience 18.3
oracle zfs_storage_appliance_kit 8.8
oracle communications_convergent_charging_controller 6.0.1.0.0
oracle flexcube_investor_servicing 12.0.4
oracle essbase 11.1.2.4.47
oracle communications_instant_messaging_server 10.0.1.5.0
oracle retail_integration_bus 13.0
oracle enterprise_data_quality 12.2.1.3.0
oracle peoplesoft_enterprise_peopletools 8.57
oracle financial_services_enterprise_case_management 8.0.8
oracle communications_network_charging_and_control *
oracle communications_session_border_controller 9.0
oracle spatial_studio 21.2.1
oracle financial_services_analytical_applications_infrastructure 7.3.3
oracle real_user_experience_insight 13.4.1.0
oracle retail_eftlink 17.0.2
redhat hibernate_validator *
oracle mysql_cluster *
oracle argus_analytics 8.21
oracle healthcare_data_repository 8.1.1
oracle jd_edwards_enterpriseone_orchestrator *
oracle goldengate_application_adapters 19.1.0.0.0
oracle data_integrator 12.2.1.4.0
oracle utilities_testing_accelerator 6.0.0.2.2
oracle communications_operations_monitor 3.4
oracle communications_operations_monitor 4.3
oracle retail_integration_bus 15.0.3.1
oracle retail_allocation 15.0.3.1
oracle retail_financial_integration 19.0.1
oracle agile_plm 9.3.3
oracle business_intelligence 5.9.0.0.0
oracle oss_support_tools *
oracle retail_service_backbone *
oracle banking_platform 2.6.2
oracle bi_publisher 11.1.1.9.0
oracle argus_analytics 8.2.2
oracle healthcare_foundation 8.1.1
oracle retail_price_management 13.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_unified_inventory_management 7.3.5
oracle fusion_middleware_mapviewer 12.2.1.4.0
redhat hibernate_validator 6.1.0
oracle insurance_data_gateway 11.3.0
oracle communications_calendar_server 8.0.0.6.0
oracle vm_virtualbox *
oracle hospitality_opera_5_property_services 5.6
oracle bi_publisher 12.2.1.3.0
oracle argus_safety 8.2.1
oracle data_integrator 12.2.1.3.0
oracle insurance_rules_palette *
oracle peoplesoft_enterprise_people_tools 8.58
oracle primavera_p6_enterprise_project_portfolio_management *
oracle argus_analytics 8.2.3
oracle retail_xstore_point_of_service 17.0.4
CVE-2019-10246 MEDIUM

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-213,CWE-200,

Products Affected

Vendor Product Version
oracle enterprise_manager_base_platform 13.3
netapp element -
oracle communications_session_route_manager 8.1.0
oracle retail_xstore_point_of_service 7.1
oracle flexcube_core_banking 5.2.0
oracle communications_session_report_manager 8.1.1
netapp snapcenter -
netapp oncommand_system_manager *
oracle communications_element_manager 8.1.0
oracle rest_data_services 18c
oracle communications_session_route_manager 8.0.0
netapp virtual_storage_console 9.6
oracle enterprise_manager_base_platform 13.2
oracle endeca_information_discovery_integrator 3.2.0
oracle communications_services_gatekeeper 6.1
oracle rest_data_services 12.1.0.2
netapp snapmanager -
oracle communications_services_gatekeeper 6.0
eclipse jetty 9.4.16
oracle data_integrator 12.2.1.4.0
netapp snap_creator_framework -
oracle communications_session_route_manager 8.1.1
oracle flexcube_private_banking 12.0.0
oracle retail_xstore_point_of_service 17.0
netapp storage_services_connector -
oracle communications_session_report_manager 8.2.0
oracle communications_session_route_manager 8.2.0
oracle flexcube_core_banking *
oracle communications_analytics 12.1.1
oracle unified_directory 12.2.1.3.0
oracle unified_directory 12.2.1.4.0
oracle hospitality_guest_access 4.2.1
netapp vasa_provider_for_clustered_data_ontap *
oracle retail_xstore_point_of_service 16.0
oracle communications_element_manager 8.2.0
oracle communications_session_report_manager 8.0.0
oracle autovue 21.0.2
oracle hospitality_guest_access 4.2.0
oracle data_integrator 12.2.1.3.0
netapp virtual_storage_console *
oracle rest_data_services 12.2.0.1
oracle flexcube_private_banking 12.1.0
eclipse jetty 9.3.26
oracle retail_xstore_point_of_service 15.0
oracle communications_element_manager 8.0.0
oracle communications_services_gatekeeper 7.0
oracle rest_data_services 11.2.0.4
netapp storage_replication_adapter_for_clustered_data_ontap *
eclipse jetty 9.2.27
netapp vasa_provider_for_clustered_data_ontap -
netapp storage_replication_adapter_for_clustered_data_ontap 9.6
oracle communications_element_manager 8.1.1
oracle communications_session_report_manager 8.1.0
CVE-2019-10247 MEDIUM

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-213,CWE-200,

Products Affected

Vendor Product Version
eclipse jetty 7.5.0
netapp element -
eclipse jetty 7.3.0
eclipse jetty 7.5.1
eclipse jetty 9.2.9
oracle flexcube_core_banking 5.2.0
eclipse jetty 9.2.14
eclipse jetty 8.1.18
eclipse jetty 9.4.4
oracle communications_services_gatekeeper 6.1
eclipse jetty 9.4.3
eclipse jetty 9.2.15
eclipse jetty 8.1.8
eclipse jetty 9.4.8
eclipse jetty 9.2.19
eclipse jetty 9.2.20
oracle communications_session_route_manager 8.1.1
eclipse jetty 9.3.8
eclipse jetty 8.2.0
eclipse jetty 7.6.16
eclipse jetty 7.6.20
eclipse jetty 7.1.1
eclipse jetty 8.1.22
oracle flexcube_core_banking *
oracle communications_analytics 12.1.1
eclipse jetty 9.2.17
oracle unified_directory 12.2.1.4.0
eclipse jetty 9.3.10
eclipse jetty 8.0.3
eclipse jetty 9.4.10
eclipse jetty 7.6.18
oracle retail_xstore_point_of_service 16.0
eclipse jetty 9.4.13
eclipse jetty 7.6.3
eclipse jetty 8.1.14
oracle communications_session_report_manager 8.0.0
netapp virtual_storage_console *
eclipse jetty 7.6.0
eclipse jetty 8.1.0
eclipse jetty 9.2.26
eclipse jetty 7.0.2
eclipse jetty 7.1.5
eclipse jetty 9.2.24
eclipse jetty 9.0.5
eclipse jetty 9.2.5
eclipse jetty 7.4.3
eclipse jetty 7.6.17
eclipse jetty 7.1.3
eclipse jetty 8.1.4
oracle communications_session_route_manager 8.1.0
eclipse jetty 7.0.0
eclipse jetty 8.1.13
netapp snapcenter -
oracle communications_session_route_manager 8.0.0
eclipse jetty 9.3.4
eclipse jetty 7.1.6
eclipse jetty 7.5.4
eclipse jetty 9.3.18
eclipse jetty 9.3.12
eclipse jetty 9.3.13
eclipse jetty 7.6.11
eclipse jetty 7.6.9
netapp snap_creator_framework -
oracle flexcube_private_banking 12.0.0
eclipse jetty 9.0.0
eclipse jetty 9.4.0
eclipse jetty 9.2.6
oracle communications_session_report_manager 8.2.0
eclipse jetty 9.4.11
eclipse jetty 9.3.3
eclipse jetty 9.3.24
eclipse jetty 9.2.23
eclipse jetty 9.4.6
eclipse jetty 8.1.21
eclipse jetty 7.6.14
eclipse jetty 8.1.3
eclipse jetty 9.0.1
eclipse jetty 9.3.16
eclipse jetty 7.3.1
eclipse jetty 9.3.2
eclipse jetty 7.4.1
oracle communications_element_manager 8.2.0
eclipse jetty 9.2.16
eclipse jetty 7.5.3
debian debian_linux 9.0
eclipse jetty 7.5.2
debian debian_linux 10.0
eclipse jetty 9.3.17
eclipse jetty 9.0.2
eclipse jetty 9.2.27
eclipse jetty 9.0.7
eclipse jetty 8.0.4
eclipse jetty 9.3.22
oracle communications_session_report_manager 8.1.0
eclipse jetty 9.3.21
eclipse jetty 9.4.12
oracle communications_session_report_manager 8.1.1
netapp oncommand_system_manager *
eclipse jetty 9.2.12
eclipse jetty 7.6.4
eclipse jetty 9.1.5
eclipse jetty 9.1.3
eclipse jetty 7.1.4
eclipse jetty 7.6.8
oracle enterprise_manager_base_platform 13.2
oracle endeca_information_discovery_integrator 3.2.0
netapp snapmanager -
eclipse jetty 7.6.7
oracle fmw_platform 12.2.1.4.0
oracle communications_services_gatekeeper 6.0
eclipse jetty 8.1.10
eclipse jetty 9.2.0
eclipse jetty 8.1.1
eclipse jetty 9.3.7
eclipse jetty 9.1.2
eclipse jetty 9.3.25
eclipse jetty 8.1.19
eclipse jetty 9.4.14
eclipse jetty 9.3.6
eclipse jetty 9.3.5
oracle retail_xstore_point_of_service 17.0
netapp storage_services_connector -
eclipse jetty 9.1.0
eclipse jetty 7.6.12
eclipse jetty 7.4.5
eclipse jetty 9.3.23
eclipse jetty 7.2.0
eclipse jetty 9.3.1
eclipse jetty 7.6.10
eclipse jetty 7.4.0
eclipse jetty 8.0.2
eclipse jetty 9.2.3
eclipse jetty 7.6.1
eclipse jetty 8.1.20
eclipse jetty 9.0.6
oracle hospitality_guest_access 4.2.0
eclipse jetty 8.1.15
oracle communications_element_manager 8.0.0
eclipse jetty 7.1.2
eclipse jetty 9.4.9
eclipse jetty 7.4.4
eclipse jetty 9.2.22
eclipse jetty 8.1.12
netapp storage_replication_adapter_for_clustered_data_ontap *
eclipse jetty 9.2.4
eclipse jetty 8.1.17
eclipse jetty 9.4.1
eclipse jetty 7.6.15
eclipse jetty 8.1.2
eclipse jetty 7.6.6
eclipse jetty 9.1.4
oracle enterprise_manager_base_platform 13.3
eclipse jetty 9.2.13
oracle retail_xstore_point_of_service 7.1
eclipse jetty 9.1.1
eclipse jetty 7.1.0
eclipse jetty 7.2.2
oracle communications_element_manager 8.1.0
eclipse jetty 9.0.3
eclipse jetty 8.1.16
eclipse jetty 9.4.2
eclipse jetty 7.6.19
eclipse jetty 9.3.19
eclipse jetty 9.2.1
eclipse jetty 9.3.20
eclipse jetty 7.2.1
eclipse jetty 9.3.0
oracle data_integrator 12.2.1.4.0
eclipse jetty 9.3.9
eclipse jetty 7.6.2
eclipse jetty 9.2.18
eclipse jetty 9.3.14
eclipse jetty 8.0.1
eclipse jetty 8.1.6
eclipse jetty 9.2.11
eclipse jetty 8.1.9
oracle communications_session_route_manager 8.2.0
eclipse jetty 9.4.15
eclipse jetty 7.6.13
eclipse jetty 7.6.5
oracle unified_directory 12.2.1.3.0
eclipse jetty 9.2.25
oracle hospitality_guest_access 4.2.1
eclipse jetty 8.1.11
netapp vasa_provider_for_clustered_data_ontap *
eclipse jetty 7.0.1
eclipse jetty 9.2.7
eclipse jetty 9.0.4
oracle fmw_platform 12.2.1.3.0
oracle autovue 21.0.2
eclipse jetty 7.4.2
eclipse jetty 7.6.21
eclipse jetty 9.2.8
eclipse jetty 8.1.5
eclipse jetty 9.2.21
eclipse jetty 9.3.15
oracle data_integrator 12.2.1.3.0
eclipse jetty 9.1.6
eclipse jetty 9.3.11
eclipse jetty 9.4.7
oracle flexcube_private_banking 12.1.0
eclipse jetty 9.3.26
oracle retail_xstore_point_of_service 15.0
eclipse jetty 9.4.5
oracle communications_services_gatekeeper 7.0
eclipse jetty 8.1.7
eclipse jetty 9.2.2
eclipse jetty 8.0.0
eclipse jetty 9.2.10
oracle communications_element_manager 8.1.1
CVE-2019-10744 MEDIUM

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
f5 big-ip_analytics *
f5 big-iq_centralized_management 7.0.0
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_domain_name_system *
netapp service_level_manager -
lodash lodash *
f5 big-ip_edge_gateway *
f5 big-ip_local_traffic_manager *
f5 big-iq_centralized_management *
f5 big-ip_application_acceleration_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_webaccelerator *
f5 big-iq_centralized_management 5.4.0
f5 big-ip_advanced_firewall_manager *
oracle banking_extensibility_workbench 14.4.0
netapp active_iq_unified_manager -
oracle banking_extensibility_workbench 14.3.0
f5 iworkflow 2.3.0
f5 big-ip_application_security_manager *
f5 big-ip_fraud_protection_service *
f5 big-ip_link_controller *
redhat virtualization_manager 4.3
f5 big-ip_global_traffic_manager *
CVE-2019-11034 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 19.04
canonical ubuntu_linux 12.04
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-11035 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 19.04
canonical ubuntu_linux 12.04
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-11068 HIGH

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.1
xmlsoft libxslt *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
netapp snapmanager -
canonical ubuntu_linux 18.10
netapp oncommand_workflow_automation -
netapp e-series_santricity_unified_manager -
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 42.3
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 12.04
netapp e-series_santricity_web_services_proxy -
netapp e-series_santricity_storage_manager -
oracle jdk 8.0
netapp e-series_santricity_management_plug-ins -
CVE-2019-11089 LOW

Insufficient input validation in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6519 may allow an authenticated user to potentially enable denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-11111 MEDIUM

Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-11112 HIGH

Memory corruption in Kernel Mode Driver in Intel(R) Graphics Driver before 26.20.100.6813 (DCH) or 26.20.100.6812 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-11113 LOW

Buffer overflow in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6618 (DCH) or 21.20.x.5077 (aka15.45.5077) may allow a privileged user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
intel graphics_driver 15.40.26.4474
intel graphics_driver 15.40.42.5063
intel graphics_driver 15.40.7.64.4279
intel graphics_driver 15.45.29.5077
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver 15.22.58.2993
intel graphics_driver 15.40.14.4352
netapp data_availability_services -
intel graphics_driver 15.28.24.64.4229
netapp steelstore_cloud_integrated_storage -
intel graphics_driver 15.22.54.2622
intel graphics_driver 15.33.48.5069
intel graphics_driver *
intel graphics_driver 15.36.37.5074
intel graphics_driver 15.45.26.5065
netapp cloud_backup -
intel graphics_driver 15.45.27.5068
intel graphics_driver 15.40.1.64.4256
intel graphics_driver 15.22.58.64.2993
intel graphics_driver 15.36.36.5067
intel graphics_driver 15.28.24.4229
intel graphics_driver 15.22.54.64.2622
CVE-2019-11184 LOW

A race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
intel xeon_e5-2450_v2_firmware -
intel xeon_e5-2418l_firmware -
intel xeon_e5-1428l_v2_firmware -
intel xeon_e7-8870_v4_firmware -
intel xeon_e5-2630_v4_firmware -
intel xeon_e5-2695_v4_firmware -
intel xeon_e5-1620_v4_firmware -
intel xeon_e7-8870_v3_firmware -
intel xeon_e5-2643_v3_firmware -
intel xeon_e5-2618l_v4_firmware -
intel xeon_e7-8891_v4_firmware -
intel xeon_e5-4640_v4_firmware -
intel 4109t_firmware -
intel xeon_e7-4880_v2_firmware -
intel 6138_firmware -
intel xeon_e5-2697_v2_firmware -
intel xeon_e5-2637_v4_firmware -
intel xeon_e5-2699_v3_firmware -
intel xeon_e5-4603_firmware -
intel xeon_e5-2418l_v3_firmware -
intel xeon_e5-2640_v2_firmware -
intel xeon_e5-4650_v3_firmware -
intel xeon_e5-2687w_v4_firmware -
intel xeon_e5-2697_v3_firmware -
intel xeon_e5-2470_firmware -
intel xeon_e7-4870_v2_firmware -
intel xeon_e7-8880l_v3_firmware -
intel xeon_e5-2680_v3_firmware -
intel xeon_e5-4640_v3_firmware -
intel xeon_e5-1680_v3_firmware -
intel xeon_e5-2650_v3_firmware -
intel xeon_e5-2650l_v3_firmware -
intel xeon_e7-4820_v4_firmware -
intel xeon_e5-4610_v3_firmware -
intel xeon_e5-2428l_firmware -
intel xeon_e5-1620_firmware -
intel xeon_e5-4603_v2_firmware -
intel xeon_e5-2648l_v2_firmware -
intel xeon_e5-2658_firmware -
intel xeon_e7-8880_v3_firmware -
intel xeon_e5-2667_v3_firmware -
intel xeon_e5-1630_v4_firmware -
intel 5118_firmware -
intel xeon_e7-8867_v4_firmware -
intel xeon_e5-1650_v3_firmware -
intel xeon_e5-2603_v4_firmware -
intel xeon_e7-4820_v3_firmware -
intel 5120t_firmware -
intel xeon_e5-2618l_v2_firmware -
intel xeon_e7-8893_v2_firmware -
intel xeon_e7-8890_v2_firmware -
intel xeon_e5-2609_v4_firmware -
intel xeon_e5-2650_firmware -
intel xeon_e5-2630l_v2_firmware -
intel xeon_e5-2609_v3_firmware -
intel xeon_e5-2428l_v3_firmware -
intel xeon_e7-8850_v2_firmware -
intel xeon_e5-1660_v3_firmware -
intel xeon_e5-1650_firmware -
intel xeon_e5-2630l_firmware -
intel xeon_e5-1630_v3_firmware -
intel xeon_e5-2430_v2_firmware -
intel xeon_e5-4660_v3_firmware -
intel xeon_e5-2403_v2_firmware -
intel xeon_e5-2650_v4_firmware -
intel xeon_e7-4830_v2_firmware -
intel xeon_e5-2648l_firmware -
intel xeon_e5-4650l_firmware -
intel xeon_e5-2697a_v4_firmware -
intel xeon_e5-1620_v3_firmware -
intel 4110_firmware -
intel xeon_e5-2643_firmware -
intel xeon_e7-4809_v3_firmware -
intel xeon_e5-2428l_v2_firmware -
intel xeon_e5-2660_v2_firmware -
intel xeon_e5-2680_v2_firmware -
intel xeon_e5-2648l_v4_firmware -
intel 5119t_firmware -
intel xeon_e5-2660_firmware -
intel xeon_e5-4627_v4_firmware -
intel xeon_e7-8867_v3_firmware -
intel xeon_e5-2408l_v3_firmware -
intel xeon_e5-4669_v3_firmware -
intel xeon_e5-2643_v2_firmware -
intel xeon_e5-2667_v2_firmware -
intel 4116_firmware -
intel xeon_e5-2637_v2_firmware -
intel xeon_e5-4628l_v4_firmware -
intel xeon_e5-4657l_v2_firmware -
intel xeon_e5-2683_v3_firmware -
intel xeon_e5-1660_firmware -
intel xeon_e7-8894_v4_firmware -
intel xeon_e5-4607_v2_firmware -
intel xeon_e7-8860_v4_firmware -
intel xeon_e5-4669_v4_firmware -
intel xeon_e5-2650_v2_firmware -
intel xeon_e5-2698_v3_firmware -
intel xeon_e5-2620_v4_firmware -
intel xeon_e5-2699_v4_firmware -
intel xeon_e5-2650l_v2_firmware -
intel xeon_e5-2640_v3_firmware -
intel xeon_e5-2648l_v3_firmware -
intel xeon_e5-2690_firmware -
intel xeon_e5-2407_firmware -
intel xeon_e7-4820_v2_firmware -
intel xeon_e5-2420_v2_firmware -
intel xeon_e5-2448l_firmware -
intel xeon_e7-2880_v2_firmware -
intel xeon_e5-4667_v4_firmware -
intel xeon_e5-4607_firmware -
intel xeon_e5-2620_firmware -
intel xeon_e5-1660_v2_firmware -
intel xeon_e7-8870_v2_firmware -
intel xeon_e5-2609_v2_firmware -
intel xeon_e5-2699r_v4_firmware -
intel xeon_e5-2450l_firmware -
netapp cloud_backup -
intel xeon_e5-4620_firmware -
intel xeon_e5-4627_v2_firmware -
intel xeon_e5-2660_v4_firmware -
intel xeon_e5-2630_v2_firmware -
intel 4114t_firmware -
intel xeon_e7-8893_v4_firmware -
intel xeon_e5-2623_v4_firmware -
intel xeon_e5-2637_v3_firmware -
intel xeon_e5-2623_v3_firmware -
intel xeon_e5-4650_v4_firmware -
intel xeon_e5-2690_v2_firmware -
intel xeon_e7-8880_v2_firmware -
intel xeon_e5-4667_v3_firmware -
intel xeon_e7-2870_v2_firmware -
intel xeon_e7-8891_v2_firmware -
intel xeon_e5-2658_v3_firmware -
intel 3106_firmware -
intel xeon_e5-2630_v3_firmware -
intel xeon_e5-4624l_v2_firmware -
intel xeon_e5-2630l_v4_firmware -
intel xeon_e7-8880l_v2_firmware -
intel xeon_e7-4830_v4_firmware -
intel xeon_e5-2687w_firmware -
intel xeon_e5-2665_firmware -
intel xeon_e7-4860_v2_firmware -
intel 6126t_firmware -
intel xeon_e5-2687w_v3_firmware -
intel xeon_e5-2680_firmware -
intel xeon_e5-2670_v2_firmware -
intel xeon_e5-4610_v2_firmware -
intel xeon_e7-8880_v4_firmware -
intel xeon_e5-4650_v2_firmware -
intel xeon_e7-4850_v4_firmware -
intel xeon_e5-2687w_v2_firmware -
intel xeon_e5-2608l_v3_firmware -
intel xeon_e5-2658a_v3_firmware -
intel xeon_e5-2440_firmware -
intel xeon_e7-8860_v3_firmware -
intel xeon_e5-4620_v4_firmware -
intel xeon_e5-1428l_firmware -
intel xeon_e5-2628l_v2_firmware -
intel xeon_e5-4610_firmware -
intel xeon_e5-2450l_v2_firmware -
intel xeon_e5-2618l_v3_firmware -
intel xeon_e5-2640_firmware -
intel xeon_e5-1680_v4_firmware -
intel xeon_e7-2850_v2_firmware -
intel xeon_e5-4650_firmware -
intel xeon_e5-2650l_firmware -
intel xeon_e7-8891_v3_firmware -
intel xeon_e5-4640_v2_firmware -
intel xeon_e5-2470_v2_firmware -
intel xeon_e5-2603_v2_firmware -
intel xeon_e5-2430l_v2_firmware -
intel xeon_e7-8893_v3_firmware -
intel xeon_e5-4655_v3_firmware -
intel xeon_e5-2603_v3_firmware -
intel xeon_e5-4610_v4_firmware -
intel xeon_e7-2890_v2_firmware -
intel xeon_e5-2448l_v2_firmware -
intel xeon_e5-2603_firmware -
intel xeon_e5-2438l_v3_firmware -
intel xeon_e7-4850_v2_firmware -
intel xeon_e5-2628l_v4_firmware -
intel xeon_e5-2418l_v2_firmware -
intel xeon_e5-4627_v3_firmware -
intel xeon_e5-4648_v3_firmware -
intel xeon_e5-4640_firmware -
intel xeon_e5-4617_firmware -
intel xeon_e5-2640_v4_firmware -
intel xeon_e7-4850_v3_firmware -
intel xeon_e7-8857_v2_firmware -
intel xeon_e5-2630_firmware -
intel xeon_e5-2620_v2_firmware -
intel xeon_e5-2680_v4_firmware -
intel xeon_e5-1650_v4_firmware -
intel xeon_e5-2667_firmware -
intel xeon_e7-4890_v2_firmware -
intel xeon_e5-2660_v3_firmware -
intel xeon_e5-2628l_v3_firmware -
intel xeon_e5-2630l_v3_firmware -
intel xeon_e5-2620_v3_firmware -
intel 4116t_firmware -
intel xeon_e5-2430_firmware -
intel xeon_e5-2690_v3_firmware -
intel xeon_e5-2683_v4_firmware -
intel xeon_e5-4620_v2_firmware -
intel xeon_e7-4809_v2_firmware -
intel xeon_e5-2430l_firmware -
intel xeon_e5-1620_v2_firmware -
intel xeon_e5-2667_v4_firmware -
intel xeon_e5-2608l_v4_firmware -
intel xeon_e5-2650l_v4_firmware -
intel xeon_e5-2407_v2_firmware -
intel xeon_e5-2450_firmware -
netapp steelstore_cloud_integrated_storage -
intel xeon_e5-1660_v4_firmware -
intel 6130_firmware -
intel xeon_e5-2670_v3_firmware -
intel xeon_e7-4830_v3_firmware -
intel xeon_e5-4655_v4_firmware -
intel xeon_e5-2698_v4_firmware -
intel xeon_e5-2420_firmware -
intel xeon_e5-2403_firmware -
intel xeon_e5-2690_v4_firmware -
intel xeon_e5-2637_firmware -
intel xeon_e5-1650_v2_firmware -
intel xeon_e5-2643_v4_firmware -
intel xeon_e5-2658_v2_firmware -
intel 6126_firmware -
intel xeon_e5-2609_firmware -
intel xeon_e5-1428l_v3_firmware -
intel xeon_e5-2697_v4_firmware -
intel xeon_e7-4809_v4_firmware -
intel xeon_e5-2699a_v4_firmware -
intel xeon_e5-2695_v3_firmware -
intel xeon_e5-2695_v2_firmware -
intel xeon_e5-4620_v3_firmware -
intel xeon_e5-2440_v2_firmware -
intel 6130t_firmware -
intel xeon_e7-8890_v4_firmware -
intel xeon_e7-8890_v3_firmware -
intel xeon_e5-2670_firmware -
intel xeon_e5-2658_v4_firmware -
intel xeon_e5-4660_v4_firmware -
CVE-2019-11243 MEDIUM

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-271,CWE-212,

Products Affected

Vendor Product Version
netapp trident -
kubernetes kubernetes *
kubernetes kubernetes 1.13.0
CVE-2019-11244 LOW

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 1.3 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-524,CWE-732,

Products Affected

Vendor Product Version
netapp trident -
redhat openshift_container_platform 3.11
redhat openshift_container_platform 4.1
kubernetes kubernetes *
CVE-2019-11358 MEDIUM

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle insurance_ifrs_17_analyzer 8.0.6
oracle agile_product_lifecycle_management_for_process 6.2.3.0
oracle rest_data_services 18c
oracle weblogic_server 10.3.6.0.0
oracle retail_point-of-service 14.0
oracle retail_customer_insights 16.0
oracle retail_returns_management 14.1
oracle siebel_mobile_applications *
oracle financial_services_market_risk_measurement_and_management 8.0.6
oracle jd_edwards_enterpriseone_tools 9.2
oracle policy_automation 10.4.7
oracle financial_services_institutional_performance_analytics *
oracle financial_services_enterprise_financial_performance_analytics 8.0.7
oracle healthcare_foundation 7.2.0
oracle financial_services_asset_liability_management *
oracle financial_services_market_risk_measurement_and_management 8.0.8
oracle healthcare_translational_research 3.2.1
oracle communications_session_route_manager 8.1.1
oracle banking_digital_experience 18.1
oracle financial_services_hedge_management_and_ifrs_valuations 8.1.0
oracle financial_services_liquidity_risk_management 8.0.0.1.0
oracle business_process_management_suite 12.2.1.4.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle financial_services_enterprise_financial_performance_analytics 8.0.6
oracle banking_digital_experience 19.2
oracle financial_services_data_governance_for_us_regulatory_reporting *
oracle communications_diameter_signaling_router 8.2.1
oracle financial_services_analytical_applications_infrastructure *
oracle communications_analytics 12.1.1
oracle financial_services_balance_sheet_planning 8.0.8
oracle retail_back_office 14.0
fedoraproject fedora 29
oracle primavera_unifier 16.1
oracle financial_services_market_risk_measurement_and_management 8.0.5
juniper junos 21.2
oracle communications_billing_and_revenue_management 7.5
oracle financial_services_loan_loss_forecasting_and_provisioning 8.1.0
oracle system_utilities 19.1
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle financial_services_regulatory_reporting_for_us_federal_reserve *
drupal drupal *
oracle financial_services_funds_transfer_pricing *
oracle financial_services_retail_performance_analytics 8.0.6
oracle application_testing_suite 13.3
oracle storagetek_tape_analytics_sw_tool 2.3.0
oracle communications_billing_and_revenue_management 12.0
oracle financial_services_regulatory_reporting_for_european_banking_authority 8.0.6
oracle jdeveloper 12.2.1.3.0
redhat cloudforms 4.7
oracle financial_services_liquidity_risk_measurement_and_management 8.0.7
oracle financial_services_liquidity_risk_management 8.0.4.0.0
oracle rest_data_services 19c
oracle enterprise_manager_ops_center 12.3.3
netapp snapcenter -
oracle financial_services_liquidity_risk_management 8.0.5.0.0
oracle peoplesoft_enterprise_peopletools 8.55
oracle big_data_discovery 1.6
oracle financial_services_funds_transfer_pricing 8.1.0
oracle service_bus 12.2.1.3.0
oracle knowledge *
oracle agile_product_lifecycle_management_for_process 6.1
oracle insurance_performance_insight 8.0.7
oracle enterprise_manager_ops_center 12.4.0.0
oracle healthcare_foundation 7.1.1
oracle insurance_insbridge_rating_and_underwriting *
oracle real-time_scheduler *
oracle financial_services_data_foundation *
oracle financial_services_revenue_management_and_billing 2.4.0.0
oracle hospitality_simphony 18.1
oracle policy_automation_connector_for_siebel 10.4.6
oracle financial_services_liquidity_risk_measurement_and_management 8.0.8
oracle communications_session_report_manager 8.2.0
oracle healthcare_translational_research 3.3.2
opensuse backports_sle 15.0
oracle financial_services_price_creation_and_discovery *
oracle banking_platform *
oracle communications_element_manager 8.2.1
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle insurance_accounting_analyzer 8.0.9
oracle retail_point-of-service 14.1
oracle tape_library_acsls 8.5.1
oracle communications_element_manager 8.2.0
oracle business_process_management_suite 12.2.1.3.0
joomla joomla! *
oracle healthcare_translational_research 3.4.0
debian debian_linux 9.0
oracle transportation_management 1.4.3
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle insurance_allocation_manager_for_enterprise_profitability 8.0.8
debian debian_linux 8.0
oracle insurance_allocation_manager_for_enterprise_profitability 8.1.0
oracle healthcare_translational_research 3.1.0
oracle webcenter_sites 12.2.1.3.0
oracle service_bus 11.1.1.9.0
oracle weblogic_server 12.2.1.4.0
oracle siebel_ui_framework 20.8
oracle retail_back_office 14.1
oracle financial_services_asset_liability_management 8.1.0
oracle jdeveloper_and_adf 12.2.1.3.0
oracle banking_digital_experience 19.1
oracle bi_publisher 5.5.0.0.0
oracle communications_operations_monitor 4.1.0
oracle fusion_middleware_mapviewer 12.2.1.3.0
oracle utilities_mobile_workforce_management *
redhat virtualization_manager 4.3
oracle diagnostic_assistant 2.12.36
oracle policy_automation *
oracle retail_central_office 14.0
opensuse leap 15.1
oracle communications_session_report_manager 8.1.1
oracle peoplesoft_enterprise_peopletools 8.56
netapp oncommand_system_manager *
oracle application_testing_suite 13.2
oracle communications_unified_inventory_management 7.3
oracle agile_product_lifecycle_management_for_process 6.2.1.0
oracle jdeveloper_and_adf 12.1.3.0.0
oracle communications_operations_monitor *
oracle primavera_unifier 18.8
oracle retail_customer_management_and_segmentation_foundation 18.0
oracle retail_returns_management 14.0
backdropcms backdrop *
oracle banking_enterprise_collections *
oracle financial_services_profitability_management 8.1.0
oracle rest_data_services 12.1.0.2
oracle communications_application_session_controller 3.8m0
oracle financial_services_analytical_applications_reconciliation_framework *
oracle banking_digital_experience 18.2
oracle financial_services_revenue_management_and_billing 2.4.0.1
oracle policy_automation_for_mobile_devices *
oracle communications_session_route_manager 8.2.1
oracle financial_services_regulatory_reporting_for_european_banking_authority 8.0.7
oracle agile_product_lifecycle_management_for_process 6.2.2.0
oracle enterprise_session_border_controller 8.4
oracle application_service_level_management 13.2.0.0
oracle financial_services_liquidity_risk_management 8.0.2
oracle application_testing_suite 13.1.0.1
oracle retail_central_office 14.1
oracle application_testing_suite 13.2.0.1
oracle hospitality_materials_control 18.1
oracle bi_publisher 12.2.1.4.0
oracle service_bus 12.1.3.0.0
fedoraproject fedora 30
oracle primavera_gateway *
oracle hospitality_simphony *
oracle financial_services_basel_regulatory_capital_internal_ratings_based_approach 8.1.0
oracle healthcare_foundation 7.2.2
oracle communications_session_report_manager 8.2.1
oracle policy_automation 12.1.0
oracle communications_eagle_application_processor *
oracle jdeveloper_and_adf 11.1.1.9.0
oracle financial_services_liquidity_risk_measurement_and_management 8.1.0
oracle primavera_unifier *
oracle hospitality_guest_access 4.2.0
oracle banking_digital_experience 18.3
oracle rest_data_services 12.2.0.1
oracle financial_services_data_integration_hub 8.1.0
oracle financial_services_retail_performance_analytics 8.0.7
oracle financial_services_liquidity_risk_management 8.0.6
oracle insurance_insbridge_rating_and_underwriting 5.6.1.0
oracle agile_product_lifecycle_management_for_process 6.2.0.0
oracle financial_services_data_integration_hub *
oracle rest_data_services 11.2.0.4
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_webrtc_session_controller 7.2
oracle communications_interactive_session_recorder *
jquery jquery *
oracle financial_services_regulatory_reporting_for_de_nederlandsche_bank 8.0.4
oracle banking_digital_experience 20.1
fedoraproject fedora 28
oracle application_service_level_management 13.3.0.0
oracle financial_services_profitability_management *
oracle communications_diameter_signaling_router 8.1
oracle hospitality_simphony 18.2
oracle primavera_unifier 16.2
oracle communications_diameter_signaling_router 8.0.0
oracle financial_services_retail_customer_analytics *
oracle retail_customer_insights 15.0
oracle healthcare_foundation 7.3.0
oracle jdeveloper 11.1.1.9.0
oracle financial_services_analytical_applications_reconciliation_framework 8.1.0
oracle communications_operations_monitor 4.0
oracle application_testing_suite 12.5.0.3
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_operations_monitor 3.4
oracle application_express *
oracle financial_services_basel_regulatory_capital_basic 8.1.0
oracle primavera_gateway 15.2.18
oracle financial_services_basel_regulatory_capital_internal_ratings_based_approach *
oracle communications_session_route_manager 8.2.0
oracle insurance_data_foundation *
oracle insurance_ifrs_17_analyzer 8.0.7
oracle policy_automation 12.1.1
oracle hospitality_guest_access 4.2.1
oracle enterprise_manager_ops_center 12.4.0
oracle identity_manager 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
oracle communications_diameter_signaling_router 8.2
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle bi_publisher 12.2.1.3.0
oracle jdeveloper 12.2.1.4.0
oracle financial_services_loan_loss_forecasting_and_provisioning *
oracle healthcare_translational_research 3.3.1
oracle financial_services_basel_regulatory_capital_basic *
oracle communications_services_gatekeeper 7.0
oracle financial_services_hedge_management_and_ifrs_valuations *
oracle tape_library_acsls 8.5
oracle financial_services_institutional_performance_analytics 8.1.0
oracle communications_element_manager 8.1.1
CVE-2019-11486 MEDIUM

The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp virtual_storage_console 9.7
linux linux_kernel *
netapp hci_management_node -
opensuse leap 15.1
netapp storage_replication_adapter_for_clustered_data_ontap 9.7
opensuse leap 42.3
netapp solidfire -
netapp vasa_provider_for_clustered_data_ontap 9.7
netapp snapprotect -
debian debian_linux 9.0
netapp active_iq -
CVE-2019-11815 HIGH

An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,CWE-416,

Products Affected

Vendor Product Version
netapp virtual_storage_console *
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 15.1
opensuse leap 42.3
netapp snapprotect -
netapp active_iq_unified_manager *
netapp vasa_provider_for_clustered_data_ontap *
canonical ubuntu_linux 19.04
netapp storage_replication_adapter 7.2
netapp cn1610_firmware -
netapp hci_storage_node -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
linux linux_kernel 5.1
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
netapp hci_compute_node -
debian debian_linux 9.0
CVE-2019-12255 HIGH

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is a IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12256 HIGH

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 component. There is an IPNET security vulnerability: Stack overflow in the parsing of IPv4 packets’ IP options.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12257 MEDIUM

Wind River VxWorks 6.6 through 6.9 has a Buffer Overflow in the DHCP client component. There is an IPNET security vulnerability: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12258 MEDIUM

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-384,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
windriver vxworks 7.0
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12260 HIGH

Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 2 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer state confusion caused by a malformed TCP AO option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
windriver vxworks 7.0
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
oracle communications_eagle *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12261 HIGH

Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the TCP component (issue 3 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer state confusion during connect() to a remote host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
windriver vxworks 7.0
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
oracle communications_eagle *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12263 MEDIUM

Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP component (issue 4 of 4). There is an IPNET security vulnerability: TCP Urgent Pointer state confusion due to race condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-787,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
windriver vxworks 7.0
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12265 MEDIUM

Wind River VxWorks 6.5, 6.6, 6.7, 6.8, 6.9.3 and 6.9.4 has a Memory Leak in the IGMPv3 client component. There is an IPNET security vulnerability: IGMP Information leak via IGMPv3 specific membership report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
siemens ruggedcom_win7018_firmware *
siemens siprotec_5_firmware *
windriver vxworks 7.0
sonicwall sonicos 6.2.7.1
sonicwall sonicos *
siemens power_meter_9810_firmware *
siemens ruggedcom_win7200_firmware *
sonicwall sonicos 6.2.7.7
siemens ruggedcom_win7000_firmware *
sonicwall sonicos 6.2.7.0
siemens power_meter_9410_firmware *
windriver vxworks *
siemens ruggedcom_win7025_firmware *
belden hirschmann_hios *
belden garrettcom_magnum_dx940e_firmware *
CVE-2019-12418 MEDIUM

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
apache tomcat *
canonical ubuntu_linux 16.04
oracle workload_manager 19c
debian debian_linux 8.0
oracle workload_manager 18c
opensuse leap 15.1
oracle workload_manager 12.2.0.1
debian debian_linux 9.0
netapp oncommand_system_manager *
CVE-2019-12615 HIGH

An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
linux linux_kernel 5.2
netapp cn1610_firmware -
netapp aff_a700s_firmware -
netapp h610s_firmware -
linux linux_kernel *
linux linux_kernel 2.6.12
netapp hci_management_node -
netapp solidfire -
netapp active_iq_unified_manager *
CVE-2019-13115 MEDIUM

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 29
debian debian_linux 8.0
netapp cloud_backup -
fedoraproject fedora 30
netapp ontap_select_deploy_administration_utility -
f5 traffix_systems_signaling_delivery_controller *
debian debian_linux 9.0
libssh2 libssh2 *
CVE-2019-13118 MEDIUM

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-843,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
apple mac_os_x 10.13.6
fedoraproject fedora 31
opensuse leap 15.1
apple macos *
apple itunes *
netapp ontap_select_deploy_administration_utility -
apple iphone_os *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apple tvos *
apple mac_os_x 10.12.6
netapp cloud_backup -
canonical ubuntu_linux 14.04
apple icloud *
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp e-series_santricity_web_services -
canonical ubuntu_linux 12.04
xmlsoft libxslt 1.1.33
netapp e-series_performance_analyzer -
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
netapp clustered_data_ontap -
netapp e-series_santricity_management_plug-ins -
CVE-2019-13272 HIGH

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 29
redhat enterprise_linux_for_real_time_for_nfv 8.0
netapp h410c_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
redhat enterprise_linux_for_arm_64 7.0_aarch64
redhat enterprise_linux_for_real_time_for_nfv_tus 8.6
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat enterprise_linux_for_real_time_tus 8.6
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
redhat enterprise_linux_for_real_time_for_nfv_tus 8.8
netapp solidfire -
redhat enterprise_linux_for_real_time 8
debian debian_linux 9.0
redhat enterprise_linux 8.0
debian debian_linux 10.0
netapp h610s_firmware -
debian debian_linux 8.0
netapp hci_management_node -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp steelstore_cloud_integrated_storage -
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
redhat enterprise_linux 7.0
netapp e-series_performance_analyzer -
netapp aff_a700s_firmware -
netapp service_processor -
netapp hci_compute_node -
redhat enterprise_linux_for_real_time_tus 8.8
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-13990 HIGH

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
atlassian jira_service_management 5.4.5
oracle hyperion_infrastructure_technology 11.1.2.4
atlassian jira_service_management 4.20.0
atlassian jira_service_management 4.20.4
atlassian jira_service_management 5.4.4
atlassian jira_service_management 5.2.0
atlassian jira_service_management 4.20.1
oracle retail_integration_bus 15.0
atlassian jira_service_management 4.20.14
atlassian jira_service_management 5.5.1
oracle flexcube_investor_servicing 12.3.0
oracle primavera_unifier 18.8
atlassian jira_service_management 4.22.1
oracle google_guava_mapviewer 12.2.0.1
atlassian jira_service_management 4.20.10
oracle retail_returns_management 14.1
atlassian jira_service_management 4.20.5
atlassian jira_service_management 4.21.1
oracle customer_management_and_segmentation_foundation 18.0
atlassian jira_service_management 4.20.3
atlassian jira_service_management 5.3.3
oracle retail_order_broker 16.0
atlassian jira_service_management 4.20.17
oracle retail_order_broker 19.0
apache tomee 7.1.3
oracle retail_xstore_point_of_service 17.0
atlassian jira_service_management 5.4.2
oracle retail_integration_bus 16.0
oracle terracotta_quartz_scheduler_mapviewer 12.2.0.1
atlassian jira_service_management 4.20.16
atlassian jira_service_management 4.20.9
atlassian jira_service_management 5.6.0
oracle google_guava_mapviewer 18c
atlassian jira_service_management 5.4.7
oracle retail_order_broker 15.0
oracle retail_central_office 14.1
atlassian jira_service_management 4.20.18
atlassian jira_service_management 5.8.0
atlassian jira_service_management 5.4.8
atlassian jira_service_management 4.20.6
oracle apache_batik_mapviewer 19c
oracle primavera_unifier 16.1
oracle documaker *
oracle retail_xstore_point_of_service 16.0
atlassian jira_service_management 4.20.12
oracle primavera_unifier *
oracle enterprise_manager_base_platform 13.2.1.0
atlassian jira_service_management 4.20.2
atlassian jira_service_management 5.8.1
atlassian jira_service_management 4.20.7
atlassian jira_service_management 4.22.3
atlassian jira_service_management 4.22.4
atlassian jira_service_management 5.1.0
oracle banking_enterprise_originations 2.7.0
atlassian jira_service_management 4.22.0
atlassian jira_service_management 5.2.1
oracle communications_ip_service_activator 7.4.0
atlassian jira_service_management 4.20.15
atlassian jira_service_management 5.7.0
atlassian jira_service_management 5.3.1
atlassian jira_service_management 5.4.3
atlassian jira_service_management 5.4.9
oracle google_guava_mapviewer 19c
oracle terracotta_quartz_scheduler_mapviewer 18c
atlassian jira_service_management 4.21.0
oracle flexcube_investor_servicing 14.1.0
atlassian jira_service_management 5.3.2
atlassian jira_service_management 5.4.1
oracle primavera_unifier 16.2
oracle apache_batik_mapviewer 18c
atlassian jira_service_management 4.20.22
atlassian jira_service_management 5.1.1
oracle retail_order_broker 18.0
oracle jd_edwards_enterpriseone_orchestrator *
atlassian jira_service_management 5.10.0
softwareag quartz *
oracle enterprise_manager_ops_center 12.4.0.0
atlassian jira_service_management 5.4.0
oracle communications_ip_service_activator 7.3.0
atlassian jira_service_management 5.9.0
netapp cloud_secure_agent -
atlassian jira_service_management 4.20.19
oracle flexcube_private_banking 12.0.0
atlassian jira_service_management 5.4.6
oracle banking_enterprise_product_manufacturing 2.7.0
oracle banking_enterprise_product_manufacturing 2.8.0
atlassian jira_service_management 5.0.0
oracle banking_enterprise_originations 2.8.0
oracle banking_payments *
atlassian jira_service_management 4.20.23
atlassian jira_service_management 4.22.6
oracle retail_point-of-service 14.1
oracle terracotta_quartz_scheduler_mapviewer 19c
oracle communications_session_route_manager *
atlassian jira_service_management 4.20.8
oracle flexcube_investor_servicing 14.4.0
atlassian jira_service_management 4.20.13
oracle flexcube_investor_servicing 12.4.0
atlassian jira_service_management 4.20.11
atlassian jira_service_management 4.20.25
atlassian jira_service_management 5.3.0
atlassian jira_service_management 4.20.21
oracle flexcube_investor_servicing 12.1.0
oracle flexcube_private_banking 12.1.0
atlassian jira_service_management 4.20.24
atlassian jira_service_management 4.22.2
oracle retail_xstore_point_of_service 15.0
netapp active_iq_unified_manager -
oracle webcenter_sites 12.2.1.3.0
oracle apache_batik_mapviewer 12.2.0.1
oracle webcenter_sites 12.2.1.4.0
oracle retail_back_office 14.1
oracle retail_xstore_point_of_service 19.0
atlassian jira_service_management 5.7.1
oracle fusion_middleware_mapviewer 12.2.1.3.0
oracle retail_xstore_point_of_service 18.0
atlassian jira_service_management 4.20.20
CVE-2019-14287 HIGH

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-755,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
sudo_project sudo *
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.1
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server 5.0
redhat enterprise_linux_server_aus 6.6
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat virtualization 4.2
redhat enterprise_linux_server_aus 6.5
netapp element_software_management_node -
redhat enterprise_linux_server_aus 7.3
canonical ubuntu_linux 19.04
redhat enterprise_linux_server_aus 8.4
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
redhat openshift_container_platform 4.1
redhat enterprise_linux_eus 8.4
CVE-2019-14379 HIGH

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
oracle financial_services_analytical_applications_infrastructure *
oracle banking_platform 2.6.0
redhat jboss_enterprise_application_platform 7.2
fedoraproject fedora 31
oracle banking_platform 2.4.1
oracle goldengate_stream_analytics *
fedoraproject fedora 29
oracle retail_xstore_point_of_service 7.1
fedoraproject fedora 30
oracle primavera_unifier 16.1
netapp snapcenter -
netapp service_level_manager -
oracle banking_platform 2.5.0
oracle communications_diameter_signaling_router 8.1
oracle retail_xstore_point_of_service 16.0
oracle siebel_engineering_-_installer_&_deployment *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle communications_diameter_signaling_router 8.0.0
fasterxml jackson-databind *
oracle communications_diameter_signaling_router 8.2
oracle siebel_ui_framework *
oracle primavera_unifier *
oracle jd_edwards_enterpriseone_tools 9.2
oracle banking_platform 2.6.1
netapp oncommand_workflow_automation -
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
debian debian_linux 8.0
oracle primavera_gateway 16.2
netapp active_iq_unified_manager *
oracle primavera_gateway 17.12
oracle retail_xstore_point_of_service 15.0
oracle banking_platform 2.7.1
redhat single_sign-on 7.3
oracle banking_platform 2.4.0
redhat openshift_container_platform 3.11
oracle retail_xstore_point_of_service 17.0
redhat openshift_container_platform 4.1
redhat jboss_enterprise_application_platform 7.3
oracle banking_platform 2.7.0
oracle retail_xstore_point_of_service 18.0
oracle communications_diameter_signaling_router 8.2.1
oracle primavera_gateway 18.8.0
apple xcode *
oracle communications_instant_messaging_server 10.0.1.3.0
oracle primavera_gateway 15.2
CVE-2019-14444 MEDIUM

apply_relocations in readelf.c in GNU Binutils 2.32 contains an integer overflow that allows attackers to trigger a write access violation (in byte_put_little_endian function in elfcomm.c) via an ELF file, as demonstrated by readelf.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
opensuse leap 15.2
canonical ubuntu_linux 18.04
netapp hci_management_node -
opensuse leap 15.1
gnu binutils 2.32
netapp solidfire -
CVE-2019-14540 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle financial_services_analytical_applications_infrastructure *
oracle banking_platform 2.6.0
redhat jboss_enterprise_application_platform 7.2
oracle weblogic_server 12.2.1.3.0
fedoraproject fedora 31
oracle banking_platform 2.4.1
oracle goldengate_stream_analytics *
oracle retail_xstore_point_of_service 7.1
fedoraproject fedora 30
oracle primavera_gateway 17.12.6
oracle primavera_unifier 16.1
netapp oncommand_api_services -
oracle banking_platform 2.5.0
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle primavera_unifier *
debian debian_linux 9.0
oracle banking_platform 2.6.1
oracle primavera_gateway 16.2.11
oracle global_lifecycle_management_opatch *
netapp oncommand_workflow_automation -
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle goldengate_application_adapters 19.1.0.0.0
oracle primavera_gateway 18.8.8.1
debian debian_linux 10.0
oracle primavera_unifier 19.12
debian debian_linux 8.0
oracle primavera_gateway 16.2
netapp steelstore_cloud_integrated_storage -
oracle primavera_gateway 17.12
oracle retail_xstore_point_of_service 15.0
oracle customer_management_and_segmentation_foundation 18.0
oracle mysql *
oracle banking_platform 2.7.1
oracle banking_platform 2.4.0
oracle primavera_gateway 15.2.18
oracle retail_xstore_point_of_service 17.0
redhat jboss_enterprise_application_platform 7.3
oracle banking_platform 2.7.0
oracle retail_xstore_point_of_service 18.0
oracle primavera_gateway 18.8.0
oracle primavera_gateway 15.2
CVE-2019-14574 LOW

Out of bounds read in a subsystem for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-14590 LOW

Improper access control in the API for the Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-269,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-14591 LOW

Improper input validation in the API for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
intel graphics_driver *
netapp data_availability_services -
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
CVE-2019-14598 MEDIUM

Improper Authentication in subsystem in Intel(R) CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
intel converged_security_management_engine_firmware *
netapp steelstore_cloud_integrated_storage -
CVE-2019-14814 HIGH

There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux 5.0
redhat enterprise_linux_eus 8.1
netapp a800_firmware -
netapp c190_firmware -
redhat enterprise_linux_for_real_time_for_nfv 8
netapp data_availability_services -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
netapp a320_firmware -
redhat enterprise_linux_server_tus 8.4
netapp h610s_firmware -
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
netapp hci_management_node -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp steelstore_cloud_integrated_storage -
netapp a220_firmware -
canonical ubuntu_linux 19.04
redhat enterprise_linux_server_aus 8.4
redhat messaging_realtime_grid 2.0
netapp a700s_firmware -
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
netapp fas2750_firmware -
netapp service_processor -
netapp fas2720_firmware -
redhat enterprise_linux_eus 8.4
netapp h700e_firmware -
netapp h500e_firmware -
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-14815 HIGH

A vulnerability was found in Linux Kernel, where a Heap Overflow was found in mwifiex_set_wmm_params() function of Marvell Wifi Driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 5
netapp solidfire_baseboard_management_controller_firmware -
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_for_real_time_for_nfv 8
redhat enterprise_linux_for_real_time_tus 8.4
redhat codeready_linux_builder_for_power_little_endian_eus 8.1
redhat enterprise_linux_for_real_time_for_nfv_tus 8.6
netapp steelstore -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat codeready_linux_builder_eus 8.2
redhat codeready_linux_builder_eus 8.4
redhat codeready_linux_builder_eus 8.6
redhat enterprise_linux_for_real_time_tus 8.6
redhat enterprise_linux_server_tus 8.6
netapp baseboard_management_controller -
linux linux_kernel *
redhat enterprise_linux_for_ibm_z_systems_(structure_a) 7_s390x
netapp solidfire -
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_ibm_z_systems_eus 8.1
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp altavault -
redhat codeready_linux_builder_eus 8.1
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat codeready_linux_builder_for_power_little_endian_eus 8.4
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
netapp hci -
redhat enterprise_linux_for_ibm_z_systems_eus 8.6
redhat codeready_linux_builder_for_power_little_endian_eus 8.2
redhat codeready_linux_builder_for_power_little_endian_eus 8.6
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-14816 HIGH

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp h300e_firmware -
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_for_real_time_for_nfv 8
redhat enterprise_linux_compute_node_eus 7.6
opensuse leap 15.1
redhat enterprise_linux_server_aus 7.2
netapp h500s_firmware -
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
canonical ubuntu_linux 18.04
redhat virtualization 4.0
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux 6.4
netapp h610s_firmware -
redhat enterprise_linux_eus 7.6
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp a220_firmware -
canonical ubuntu_linux 19.04
redhat enterprise_linux_server_aus 8.4
redhat messaging_realtime_grid 2.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.6
redhat enterprise_linux_server_aus 8.2
netapp fas2750_firmware -
netapp service_processor -
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_for_real_time_for_nfv 7
netapp h700e_firmware -
netapp h500e_firmware -
netapp h300s_firmware -
redhat enterprise_linux 5.0
redhat enterprise_linux_tus 7.7
redhat enterprise_linux_for_real_time 7
redhat enterprise_linux_server 8.0
netapp a800_firmware -
netapp c190_firmware -
fedoraproject fedora 29
netapp data_availability_services -
fedoraproject fedora 30
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
redhat enterprise_linux 7.6
canonical ubuntu_linux 16.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_eus 8.2
netapp a320_firmware -
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
redhat virtualization 4.2
redhat enterprise_linux_server_aus 7.3
netapp a700s_firmware -
redhat enterprise_linux 7.0
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64
netapp fas2720_firmware -
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-14821 HIGH

An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_for_real_time 7
fedoraproject fedora 29
netapp data_availability_services -
fedoraproject fedora 30
opensuse leap 15.1
redhat enterprise_linux_desktop 7.0
netapp h500s_firmware -
oracle sd-wan_edge 7.3
netapp h410c_firmware -
netapp h700s_firmware -
redhat enterprise_linux_server 6.0
netapp h410s_firmware -
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
redhat virtualization_host 4.0
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
debian debian_linux 9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
netapp h610s_firmware -
debian debian_linux 8.0
netapp hci_management_node -
canonical ubuntu_linux 19.04
oracle sd-wan_edge 8.0
linux linux_kernel 5.4
redhat enterprise_linux_eus 7.7
oracle sd-wan_edge 8.2
redhat enterprise_linux_server_tus 7.7
netapp aff_a700s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
oracle sd-wan_edge 8.1
CVE-2019-14835 HIGH

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp h300e_firmware -
redhat enterprise_linux_server_aus 7.7
huawei imanager_neteco_6000 v600r008c10spc300
opensuse leap 15.1
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
netapp h500s_firmware -
netapp h410c_firmware -
netapp h410s_firmware -
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 18.04
redhat virtualization 4.0
redhat enterprise_linux_server_aus 6.6
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
netapp h610s_firmware -
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_aus 7.4
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 19.04
huawei manageone 6.5.1rc1.b060
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.6
huawei imanager_neteco v600r009c10spc200
redhat openshift_container_platform 3.11
netapp aff_a700s_firmware -
netapp service_processor -
redhat enterprise_linux_server_aus 7.6
netapp h700e_firmware -
netapp h500e_firmware -
netapp h300s_firmware -
redhat enterprise_linux_for_real_time 7
fedoraproject fedora 29
netapp data_availability_services -
fedoraproject fedora 30
huawei manageone 6.5.1rc1.b080
huawei imanager_neteco_6000 v600r008c20
netapp h700s_firmware -
redhat enterprise_linux_server 6.0
linux linux_kernel 5.3
canonical ubuntu_linux 16.04
netapp _steelstore_cloud_integrated_storage -
linux linux_kernel *
redhat virtualization_host 4.0
canonical ubuntu_linux 14.04
netapp solidfire -
huawei manageone 6.5.0.spc100.b210
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
debian debian_linux 9.0
huawei manageone 6.5.rc2.b050
debian debian_linux 10.0
debian debian_linux 8.0
redhat enterprise_linux_server_aus 6.5
redhat enterprise_linux_server_aus 7.3
huawei manageone 6.5.0
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.5
huawei imanager_neteco v600r009c00
redhat enterprise_linux_server_tus 7.7
CVE-2019-14888 MEDIUM

A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.0.0
redhat single_sign-on 7.0
redhat jboss_fuse 6.0.0
redhat jboss_fuse 7.0.0
redhat jboss_data_grid 7.0.0
redhat jboss_data_grid -
redhat undertow *
netapp active_iq_unified_manager -
CVE-2019-14893 HIGH

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle goldengate_stream_analytics *
fasterxml jackson-databind *
netapp steelstore_cloud_integrated_storage -
netapp oncommand_api_services -
CVE-2019-15098 MEDIUM

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp element_software -
debian debian_linux 8.0
netapp data_availability_services -
opensuse leap 15.1
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
netapp active_iq_performance_analytics_services -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
opensuse leap 15.0
CVE-2019-15118 MEDIUM

check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
debian debian_linux 9.0
CVE-2019-15166 MEDIUM

lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 1.6 LOW CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 0.2 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
fedoraproject fedora 31
fedoraproject fedora 29
debian debian_linux 8.0
tcpdump tcpdump *
netapp hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
canonical ubuntu_linux 12.04
redhat enterprise_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
debian debian_linux 9.0
apple mac_os_x *
CVE-2019-15211 MEDIUM

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15212 MEDIUM

An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15213 MEDIUM

An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp baseboard_management_controller_h410c_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2019-15215 MEDIUM

An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15216 MEDIUM

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15217 MEDIUM

An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15218 MEDIUM

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle sd-wan_edge 8.2
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15219 MEDIUM

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15220 MEDIUM

An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15221 MEDIUM

An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp solidfire_baseboard_management_controller -
CVE-2019-15222 MEDIUM

An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp baseboard_management_controller_h410c_firmware -
opensuse leap 15.0
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2019-15223 MEDIUM

An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp baseboard_management_controller_h410c_firmware -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2019-15538 HIGH

An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp h610s_firmware -
fedoraproject fedora 29
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
netapp h500s_firmware -
canonical ubuntu_linux 19.04
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel 5.3
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
linux linux_kernel *
netapp solidfire -
opensuse leap 15.0
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2019-1559 MEDIUM

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_core_package -
fedoraproject fedora 31
netapp storage_automation_store -
opensuse leap 15.1
redhat enterprise_linux_desktop 7.0
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
oracle communications_session_border_controller 8.2
oracle peoplesoft_enterprise_peopletools 8.56
f5 big-ip_edge_gateway *
f5 big-iq_centralized_management *
canonical ubuntu_linux 18.04
nodejs node.js *
oracle communications_session_border_controller 8.3
oracle jd_edwards_enterpriseone_tools 9.2
oracle communications_session_router 8.2
openssl openssl *
redhat enterprise_linux_workstation 7.0
netapp storagegrid *
netapp hyper_converged_infrastructure -
netapp hci_management_node -
oracle enterprise_manager_base_platform 13.2.0.0.0
f5 traffix_signaling_delivery_controller 4.4.0
netapp oncommand_insight -
netapp santricity_smi-s_provider -
tenable nessus *
mcafee threat_intelligence_exchange_server *
netapp fas2750_firmware -
netapp smi-s_provider -
netapp element_software -
netapp c190_firmware -
fedoraproject fedora 29
oracle mysql_enterprise_monitor *
fedoraproject fedora 30
netapp snapdrive -
netapp snapprotect -
mcafee web_gateway *
f5 big-ip_local_traffic_manager *
oracle communications_session_border_controller 7.4
f5 big-ip_application_acceleration_manager *
netapp ontap_select_deploy -
redhat virtualization_host 4.0
netapp storagegrid -
oracle communications_session_border_controller 8.0.0
canonical ubuntu_linux 18.10
netapp a320_firmware -
oracle services_tools_bundle 19.2
oracle peoplesoft_enterprise_peopletools 8.57
oracle enterprise_manager_base_platform 12.1.0.5.0
netapp fas2720_firmware -
oracle jd_edwards_world_security a9.3.1
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
paloaltonetworks pan-os *
netapp ontap_select_deploy_administration_utility -
oracle enterprise_manager_ops_center 12.3.3
netapp snapcenter -
f5 big-ip_domain_name_system *
oracle communications_unified_session_manager 8.2.5
oracle communications_diameter_signaling_router 8.1
redhat enterprise_linux_desktop 6.0
oracle secure_global_desktop 5.4
oracle peoplesoft_enterprise_peopletools 8.55
redhat virtualization 4.0
oracle communications_diameter_signaling_router 8.0.0
oracle communications_session_router 8.0
f5 big-ip_webaccelerator *
mcafee agent *
oracle endeca_server 7.7.0
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp a220_firmware -
oracle api_gateway 11.1.2.4.0
netapp cn1610_firmware -
f5 big-ip_application_security_manager *
netapp service_processor -
f5 traffix_signaling_delivery_controller *
f5 big-ip_link_controller *
oracle jd_edwards_world_security a9.3
oracle jd_edwards_world_security a9.4
netapp clustered_data_ontap_antivirus_connector -
redhat jboss_enterprise_web_server 5.0.0
oracle communications_session_router 8.1
netapp a800_firmware -
f5 big-ip_analytics *
oracle enterprise_manager_ops_center 12.4.0
netapp oncommand_unified_manager -
oracle communications_performance_intelligence_center 10.4.0.2
redhat enterprise_linux_server 6.0
mcafee data_exchange_layer *
oracle communications_session_border_controller 8.1.0
canonical ubuntu_linux 16.04
f5 big-ip_policy_enforcement_manager *
f5 big-ip_access_policy_manager *
netapp cloud_backup -
oracle communications_diameter_signaling_router 8.2
netapp solidfire -
opensuse leap 15.0
debian debian_linux 9.0
netapp oncommand_workflow_automation -
oracle communications_session_router 8.3
oracle communications_diameter_signaling_router 8.3
f5 big-ip_advanced_firewall_manager *
debian debian_linux 8.0
netapp altavault -
opensuse leap 42.3
oracle enterprise_manager_base_platform 13.3.0.0.0
netapp active_iq_unified_manager -
oracle business_intelligence 11.1.1.9.0
oracle communications_diameter_signaling_router 8.4
oracle mysql *
oracle mysql_workbench *
oracle communications_session_router 7.4
f5 big-ip_fraud_protection_service *
netapp hci_compute_node -
oracle communications_unified_session_manager 7.3.5
f5 big-ip_global_traffic_manager *
CVE-2019-15874 HIGH

In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEASE-p4, 11.3-STABLE before r356036, and 11.3-RELEASE before 11.3-RELEASE-p8, incomplete packet data validation may result in memory access after it has been freed leading to a kernel panic or other unpredictable results.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-416,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.1
freebsd freebsd 11.3
CVE-2019-15902 MEDIUM

A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
debian debian_linux 10.0
linux linux_kernel *
netapp service_processor -
debian debian_linux 8.0
opensuse leap 15.1
netapp baseboard_management_controller_firmware -
opensuse leap 15.0
netapp active_iq_performance_analytics_services -
debian debian_linux 9.0
CVE-2019-16168 MEDIUM

In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 30
netapp ontap_select_deploy_administration_utility -
oracle communications_design_studio 7.3.4.3.0
tenable nessus_agent *
oracle communications_design_studio 7.3.5.5.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle solaris 11
oracle jre 1.8.0
debian debian_linux 9.0
oracle outside_in_technology 8.5.4
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
oracle communications_design_studio 7.4.0.4.0
canonical ubuntu_linux 12.04
oracle mysql *
sqlite sqlite *
canonical ubuntu_linux 19.10
oracle zfs_storage_appliance 8.8
mcafee policy_auditor *
CVE-2019-16276 MEDIUM

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.1
netapp cloud_insights_telegraf_agent -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.1
golang go *
redhat developer_tools 1.0
redhat openshift_container_platform 4.2
opensuse leap 15.0
debian debian_linux 9.0
CVE-2019-16335 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle financial_services_analytical_applications_infrastructure *
oracle banking_platform 2.6.0
redhat jboss_enterprise_application_platform 7.2
oracle weblogic_server 12.2.1.3.0
fedoraproject fedora 31
oracle banking_platform 2.4.1
oracle goldengate_stream_analytics *
oracle retail_xstore_point_of_service 7.1
fedoraproject fedora 30
oracle primavera_gateway *
oracle primavera_gateway 16.1
netapp oncommand_api_services -
oracle banking_platform 2.5.0
oracle retail_xstore_point_of_service 16.0
fasterxml jackson-databind *
debian debian_linux 9.0
oracle banking_platform 2.6.1
oracle global_lifecycle_management_opatch *
netapp oncommand_workflow_automation -
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle goldengate_application_adapters 19.1.0.0.0
debian debian_linux 10.0
debian debian_linux 8.0
oracle primavera_gateway 16.2
netapp steelstore_cloud_integrated_storage -
oracle retail_xstore_point_of_service 15.0
oracle customer_management_and_segmentation_foundation 18.0
oracle banking_platform 2.7.1
oracle banking_platform 2.4.0
oracle retail_xstore_point_of_service 17.0
redhat jboss_enterprise_application_platform 7.3
oracle banking_platform 2.7.0
oracle retail_xstore_point_of_service 18.0
oracle primavera_gateway 18.8.0
oracle primavera_gateway 15.2
CVE-2019-16905 MEDIUM

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
siemens scalance_x204rna_firmware *
netapp cloud_backup -
openbsd openssh *
netapp steelstore_cloud_integrated_storage -
siemens scalance_x204rna_ecc_firmware *
CVE-2019-16942 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
fedoraproject fedora 31
oracle banking_platform 2.4.1
netapp service_level_manager -
oracle banking_platform 2.5.0
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle jd_edwards_enterpriseone_tools 9.2
oracle database_server 18c
oracle banking_platform 2.6.1
oracle goldengate_application_adapters 19.1.0.0.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle banking_platform 2.7.1
oracle banking_platform 2.4.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle communications_calendar_server 8.0.0.3.0
oracle retail_merchandising_system 16.0.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.7.0
oracle database_server 19c
oracle siebel_ui_framework 20.6
oracle weblogic_server 12.2.1.3.0
redhat jboss_enterprise_application_platform 7.2.0
fedoraproject fedora 30
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle primavera_unifier 16.1
netapp oncommand_api_services -
oracle retail_sales_audit 14.1
oracle siebel_engineering_-_installer_&_deployment *
oracle database_server 12.2.0.1
oracle communications_calendar_server 8.0.0.2.0
oracle siebel_ui_framework *
oracle primavera_gateway 19.12.0
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
netapp oncommand_workflow_automation -
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
debian debian_linux 10.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
debian debian_linux 8.0
oracle banking_platform 2.9.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
oracle webcenter_sites 12.2.1.3.0
oracle retail_merchandising_system 16.0.3
oracle weblogic_server 12.2.1.4.0
oracle webcenter_sites 12.2.1.4.0
redhat jboss_enterprise_application_platform 7.3
CVE-2019-16943 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
redhat jboss_enterprise_application_platform 7.2
oracle trace_file_analyzer 18c
fedoraproject fedora 31
oracle banking_platform 2.4.1
netapp service_level_manager -
oracle banking_platform 2.5.0
oracle retail_merchandising_system 15.0.3
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle jd_edwards_enterpriseone_tools 9.2
oracle banking_platform 2.6.1
oracle goldengate_application_adapters 19.1.0.0.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle primavera_gateway 16.2
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle banking_platform 2.7.1
oracle banking_platform 2.4.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle communications_calendar_server 8.0.0.3.0
oracle retail_merchandising_system 16.0.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.7.0
oracle weblogic_server 12.2.1.3.0
fedoraproject fedora 30
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle trace_file_analyzer 19c
oracle primavera_gateway 16.1
netapp oncommand_api_services -
oracle retail_sales_audit 14.1
oracle trace_file_analyzer 12.2.0.1
oracle siebel_engineering_-_installer_&_deployment *
oracle communications_calendar_server 8.0.0.2.0
oracle primavera_gateway 19.12.0
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
netapp oncommand_workflow_automation -
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.3.0
debian debian_linux 8.0
oracle banking_platform 2.9.0
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
oracle webcenter_sites 12.2.1.3.0
oracle retail_merchandising_system 16.0.3
oracle weblogic_server 12.2.1.4.0
oracle webcenter_sites 12.2.1.4.0
redhat jboss_enterprise_application_platform 7.3
CVE-2019-16995 HIGH

In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp aff_a700s_firmware -
linux linux_kernel *
netapp service_processor -
linux linux_kernel 5.1
netapp solidfire -
opensuse leap 15.0
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2019-17006 HIGH

In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-119,

Products Affected

Vendor Product Version
siemens ruggedcom_rox_rx1400_firmware *
netapp hci_management_node -
netapp hci_storage_node -
siemens ruggedcom_rox_rx5000_firmware *
siemens ruggedcom_rox_rx1500_firmware *
netapp solidfire -
siemens ruggedcom_rox_rx1512_firmware *
siemens ruggedcom_rox_rx1501_firmware *
siemens ruggedcom_rox_rx1510_firmware *
netapp hci_compute_node -
siemens ruggedcom_rox_mx5000_firmware *
mozilla network_security_services *
siemens ruggedcom_rox_rx1511_firmware *
CVE-2019-17069 MEDIUM

PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial of service by accessing freed memory locations via an SSH1_MSG_DISCONNECT message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager_core_package -
opensuse leap 15.1
putty putty *
opensuse leap 15.0
CVE-2019-17267 HIGH

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle goldengate_application_adapters 19.1.0.0.0
redhat jboss_enterprise_application_platform 7.2
oracle weblogic_server 12.2.1.3.0
debian debian_linux 8.0
oracle customer_management_and_segmentation_foundation *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp oncommand_api_services -
netapp service_level_manager -
fasterxml jackson-databind *
redhat jboss_enterprise_application_platform 7.3
CVE-2019-17272 MEDIUM

All versions of ONTAP Select Deploy administration utility are susceptible to a vulnerability which when successfully exploited could allow an administrative user to escalate their privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility *
CVE-2019-17273 LOW

E-Series SANtricity OS Controller Software version 11.60.0 is susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in IPv6 environments.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2019-17274 HIGH

NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
netapp fabric-attached_storage_8300_firmware *
netapp fabric-attached_storage_8700_firmware *
netapp all_flash_fabric-attached_storage_a400_firmware *
CVE-2019-17275 HIGH

OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_cloud_manager *
CVE-2019-17276 LOW

OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_system_manager 9.4
netapp oncommand_system_manager 9.3
CVE-2019-17359 MEDIUM

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
oracle financial_services_analytical_applications_infrastructure *
oracle weblogic_server 12.2.1.3.0
apache tomee 7.1.2
oracle peoplesoft_enterprise_hcm_global_payroll_switzerland 9.2
netapp oncommand_api_services -
netapp service_level_manager -
oracle peoplesoft_enterprise_peopletools 8.56
oracle communications_convergence *
oracle communications_diameter_signaling_router *
bouncycastle legion-of-the-bouncy-castle-java-crytography-api 1.63
oracle communications_session_route_manager *
oracle managed_file_transfer 12.2.1.3.0
oracle webcenter_portal 12.2.1.4.0
apache tomee 7.0.7
oracle business_process_management_suite 12.2.1.3.0
oracle retail_xstore_point_of_service 18.0.1
netapp oncommand_workflow_automation -
oracle hospitality_guest_access 4.2.0
oracle webcenter_portal 12.2.1.3.0
bouncycastle bc-java 1.63
oracle flexcube_private_banking 12.1.0
oracle data_integrator 12.2.1.4.0
netapp active_iq_unified_manager *
oracle weblogic_server 12.2.1.4.0
oracle flexcube_private_banking 12.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
oracle business_process_management_suite 12.2.1.4.0
oracle managed_file_transfer 12.2.1.4.0
oracle webcenter_portal 11.1.1.9.0
apache tomee 8.0.1
oracle soa_suite 12.2.1.4.0
oracle soa_suite 12.2.1.3.0
CVE-2019-17498 MEDIUM

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp element_software -
fedoraproject fedora 31
debian debian_linux 8.0
netapp hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
netapp bootstrap_os -
netapp solidfire -
debian debian_linux 9.0
libssh2 libssh2 *
CVE-2019-17531 MEDIUM

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform 2.6.0
redhat jboss_enterprise_application_platform 7.2
oracle trace_file_analyzer 18c
oracle weblogic_server 12.2.1.3.0
oracle banking_platform 2.4.1
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle trace_file_analyzer 19c
oracle primavera_gateway 16.1
oracle retail_sales_audit 14.1
oracle trace_file_analyzer 12.2.0.1
oracle banking_platform 2.5.0
oracle retail_merchandising_system 15.0.3
oracle siebel_engineering_-_installer_&_deployment *
oracle webcenter_portal 12.2.1.4.0
oracle communications_calendar_server 8.0.0.2.0
fasterxml jackson-databind *
oracle primavera_gateway 19.12.0
oracle jd_edwards_enterpriseone_tools 9.2
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle banking_platform 2.6.1
netapp oncommand_workflow_automation -
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle goldengate_application_adapters 19.1.0.0.0
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle webcenter_portal 12.2.1.3.0
debian debian_linux 8.0
oracle primavera_gateway 16.2
oracle banking_platform 2.9.0
netapp steelstore_cloud_integrated_storage -
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.3.0
oracle webcenter_sites 12.2.1.3.0
oracle retail_merchandising_system 16.0.3
oracle global_lifecycle_management_nextgen_oui_framework 12.2.1.4.0
oracle weblogic_server 12.2.1.4.0
oracle banking_platform 2.7.1
oracle banking_platform 2.4.0
oracle webcenter_sites 12.2.1.4.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle communications_calendar_server 8.0.0.3.0
oracle retail_merchandising_system 16.0.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
redhat jboss_enterprise_application_platform 7.3
oracle banking_platform 2.7.0
CVE-2019-17569 MEDIUM

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
oracle communications_instant_messaging_server 10.0.1.4.0
oracle hospitality_guest_access 4.2.0
debian debian_linux 10.0
apache tomcat *
oracle health_sciences_empirica_signal 7.3.3
netapp data_availability_services -
oracle mysql_enterprise_monitor *
oracle transportation_management 6.3.7
opensuse leap 15.1
oracle agile_plm 9.3.5
oracle agile_plm 9.3.6
oracle workload_manager 12.2.0.1
oracle hospitality_guest_access 4.2.1
oracle health_sciences_empirica_inspections 1.0.1.2
oracle agile_engineering_data_management 6.2.1.0
netapp oncommand_system_manager *
oracle instantis_enterprisetrack *
apache tomee 7.0.7
oracle workload_manager 19c
oracle workload_manager 18c
oracle agile_plm 9.3.3
debian debian_linux 9.0
CVE-2019-17571 HIGH

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle endeca_information_discovery_studio 3.2.0
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle mysql_enterprise_monitor *
opensuse leap 15.1
oracle primavera_gateway *
oracle retail_service_backbone 14.1
oracle financial_services_lending_and_leasing 12.5.0
netapp oncommand_system_manager *
oracle weblogic_server 10.3.6.0.0
canonical ubuntu_linux 18.04
oracle weblogic_server 14.1.1.0.0
oracle rapid_planning 12.2
apache bookkeeper *
oracle communications_network_integrity *
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle financial_services_lending_and_leasing *
apache log4j *
oracle rapid_planning 12.1
oracle weblogic_server 12.2.1.4.0
oracle retail_extract_transform_and_load 19.0
CVE-2019-18218 MEDIUM

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
fedoraproject fedora 29
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
file_project file *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2019-18276 HIGH

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-273,CWE-273,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
gnu bash *
netapp hci_management_node -
netapp solidfire -
netapp oncommand_unified_manager *
gnu bash 5.0
CVE-2019-18282 MEDIUM

The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp a400_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp 8300_firmware -
CVE-2019-18683 MEDIUM

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-416,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
netapp h610s_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp a400_firmware -
canonical ubuntu_linux 19.10
broadcom fabric_operating_system -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp 8300_firmware -
CVE-2019-18805 HIGH

An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat enterprise_linux 7.0
broadcom fabric_operating_system -
netapp hci_storage_node -
netapp aff_a700s_firmware -
linux linux_kernel *
netapp fas8700_firmware -
linux linux_kernel 5.1
netapp solidfire -
opensuse leap 15.0
netapp fas8300_firmware -
netapp hci_compute_node -
netapp aff_a400_firmware -
CVE-2019-19044 HIGH

Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19050 HIGH

A memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
fedoraproject fedora 30
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
linux linux_kernel 5.5
canonical ubuntu_linux 19.10
broadcom fabric_operating_system -
netapp hci_storage_node -
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
linux linux_kernel *
netapp fas8700_firmware -
netapp solidfire -
netapp fas8300_firmware -
netapp hci_compute_node -
netapp aff_a400_firmware -
CVE-2019-19052 HIGH

A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b486.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
debian debian_linux 8.0
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
oracle sd-wan_edge 8.2
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19053 HIGH

A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19054 MEDIUM

A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
fedoraproject fedora 31
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
canonical ubuntu_linux 20.04
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19057 LOW

Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,

Products Affected

Vendor Product Version
fedoraproject fedora 31
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
debian debian_linux 8.0
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19060 HIGH

A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19061 HIGH

A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19063 MEDIUM

Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
fedoraproject fedora 31
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
broadcom brocade_fabric_operating_system_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp e-series_santricity_os_controller 11.40.5
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp e-series_santricity_os_controller 11.0
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp e-series_santricity_os_controller 11.70.1
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
netapp hci_compute_node_firmware -
netapp aff_baseboard_management_controller -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.40.3r2
canonical ubuntu_linux 19.10
oracle sd-wan_edge 8.2
netapp e-series_santricity_os_controller 11.30
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2019-19069 HIGH

A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fc739a058d99.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
linux linux_kernel 5.4
canonical ubuntu_linux 19.10
broadcom fabric_operating_system -
netapp hci_storage_node -
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
linux linux_kernel *
netapp fas8700_firmware -
netapp solidfire -
netapp fas8300_firmware -
netapp hci_compute_node -
netapp aff_a400_firmware -
CVE-2019-19317 HIGH

lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-681,

Products Affected

Vendor Product Version
oracle mysql_workbench *
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19318 LOW

In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because (in rwsem_can_spin_on_owner in kernel/locking/rwsem.c) rwsem_owner_flags returns an already freed pointer,

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h610s_firmware -
netapp data_availability_services -
linux linux_kernel 5.3.11
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
netapp fas8700_firmware -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp fas8300_firmware -
debian debian_linux 9.0
linux linux_kernel 5.0.21
netapp aff_a400_firmware -
CVE-2019-19343 MEDIUM

A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-404,

Products Affected

Vendor Product Version
redhat jboss-remoting *
redhat undertow *
netapp active_iq_unified_manager -
redhat undertow 2.0.25
redhat jboss-remoting 5.0.14
redhat jboss_enterprise_application_platform *
CVE-2019-19377 MEDIUM

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire_baseboard_management_controller -
CVE-2019-19447 MEDIUM

In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp data_availability_services -
netapp cloud_backup -
netapp hci_baseboard_management_controller h610s
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp solidfire_baseboard_management_controller -
CVE-2019-19448 MEDIUM

In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h610s_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp data_availability_services -
netapp aff_8700_firmware -
linux linux_kernel 5.3.11
netapp hci_management_node -
netapp fas_a400_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp fas_8300_firmware -
netapp a700s_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
netapp fas_8700_firmware -
linux linux_kernel 5.0.21
netapp aff_a400_firmware -
CVE-2019-19462 MEDIUM

relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager *
canonical ubuntu_linux 20.04
opensuse leap 15.2
netapp hci_storage_node -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
netapp hci_compute_node -
debian debian_linux 9.0
CVE-2019-19603 MEDIUM

SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_workbench *
netapp cloud_backup -
siemens sinec_infrastructure_network_services 1.0.1.1
netapp ontap_select_deploy_administration_utility -
apache guacamole 1.3.0
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19645 LOW

alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-674,

Products Affected

Vendor Product Version
sqlite sqlite *
oracle mysql_workbench *
tenable tenable.sc *
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
siemens sinec_infrastructure_network_services *
CVE-2019-19646 HIGH

pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-754,

Products Affected

Vendor Product Version
sqlite sqlite *
oracle mysql_workbench *
tenable tenable.sc *
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
siemens sinec_infrastructure_network_services *
CVE-2019-19813 HIGH

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
netapp fas8700_firmware -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp fas8300_firmware -
debian debian_linux 9.0
linux linux_kernel 5.0.21
netapp aff_a400_firmware -
CVE-2019-19816 HIGH

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image and performing some operations can cause slab-out-of-bounds write access in __btrfs_map_block in fs/btrfs/volumes.c, because a value of 1 for the number of data stripes is mishandled.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp aff_a700s_firmware -
linux linux_kernel *
netapp fas8700_firmware -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp fas8300_firmware -
debian debian_linux 9.0
netapp aff_a400_firmware -
CVE-2019-19880 MEDIUM

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
debian debian_linux 10.0
opensuse leap 15.1
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle mysql_workbench *
netapp cloud_backup -
opensuse backports_sle 15.0
suse package_hub -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19922 LOW

kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)

CVSS 2.0

Severity: LOW

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp aff_baseboard_management_controller a700
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
oracle sd-wan_edge 8.2
linux linux_kernel *
netapp cloud_backup -
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp solidfire_baseboard_management_controller -
CVE-2019-19923 MEDIUM

flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
debian debian_linux 10.0
opensuse leap 15.1
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle mysql_workbench *
netapp cloud_backup -
opensuse backports_sle 15.0
suse package_hub -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19924 MEDIUM

SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
apache bookkeeper 4.12.1
oracle mysql_workbench *
netapp cloud_backup -
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19925 MEDIUM

zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
debian debian_linux 10.0
opensuse leap 15.1
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle mysql_workbench *
netapp cloud_backup -
opensuse backports_sle 15.0
suse package_hub -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19926 MEDIUM

multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
debian debian_linux 10.0
opensuse leap 15.1
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle mysql_workbench *
netapp cloud_backup -
opensuse backports_sle 15.0
suse package_hub -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
sqlite sqlite 3.30.1
CVE-2019-19947 LOW

In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
netapp aff_baseboard_management_controller a700s
canonical ubuntu_linux 14.04
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp solidfire_baseboard_management_controller -
CVE-2019-19956 MEDIUM

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,CWE-772,

Products Affected

Vendor Product Version
netapp manageability_software_development_kit -
debian debian_linux 8.0
fedoraproject fedora 30
oracle real_user_experience_insight 13.3.1.0
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
siemens sinema_remote_connect_server *
canonical ubuntu_linux 12.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
xmlsoft libxml2 *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp clustered_data_ontap_antivirus_connector -
CVE-2019-19965 LOW

In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp a400_firmware -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp 8300_firmware -
CVE-2019-19966 LOW

In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 8.0
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
linux linux_kernel *
netapp cloud_backup -
netapp aff_baseboard_management_controller a700s
netapp hci_baseboard_management_controller h610s
netapp fas/aff_baseboard_management_controller -
netapp solidfire_baseboard_management_controller -
CVE-2019-20054 MEDIUM

In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
netapp data_availability_services -
netapp solidfire_&_hci_management_node -
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a400_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp 8300_firmware -
netapp fas/aff_baseboard_management_controller -
netapp solidfire_baseboard_management_controller -
CVE-2019-20095 MEDIUM

mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp a400_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp 8300_firmware -
CVE-2019-20330 HIGH

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle trace_file_analyzer 18c
oracle weblogic_server 12.2.1.3.0
oracle goldengate_stream_analytics *
oracle trace_file_analyzer 19c
oracle primavera_unifier 16.1
netapp oncommand_api_services -
netapp snapcenter -
netapp service_level_manager -
oracle retail_sales_audit 14.1
oracle trace_file_analyzer 12.2.0.1
oracle retail_merchandising_system 15.0.3
oracle retail_xstore_point_of_service 16.0
oracle siebel_engineering_-_installer_&_deployment *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle siebel_ui_framework *
oracle primavera_unifier *
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle goldengate_application_adapters 19.1.0.0.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle retail_xstore_point_of_service 15.0
oracle customer_management_and_segmentation_foundation 18.0
oracle retail_merchandising_system 16.0.3
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle retail_merchandising_system 16.0.2
oracle retail_xstore_point_of_service 17.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle retail_xstore_point_of_service 18.0
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2019-20372 MEDIUM

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
f5 nginx *
netapp cloud_backup -
opensuse leap 15.1
canonical ubuntu_linux 14.04
apple xcode *
CVE-2019-20386 LOW

An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,CWE-401,

Products Affected

Vendor Product Version
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
systemd_project systemd *
netapp cloud_backup -
fedoraproject fedora 30
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
CVE-2019-20388 MEDIUM

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,CWE-401,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle real_user_experience_insight 13.4.1.0
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp cloud_backup -
debian debian_linux 9.0
oracle real_user_experience_insight 13.5.1.0
netapp plug-in_for_symantec_netbackup -
oracle enterprise_manager_ops_center 12.4.0.0
oracle real_user_experience_insight 13.3.1.0
netapp steelstore_cloud_integrated_storage -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
netapp smi-s_provider -
fedoraproject fedora 32
oracle mysql_workbench *
xmlsoft libxml2 2.9.10
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2019-20446 MEDIUM

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
gnome librsvg *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
netapp active_iq_unified_manager -
debian debian_linux 9.0
CVE-2019-20636 HIGH

In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp fas_a400 -
netapp fas_8300 -
netapp h610c -
netapp fas_baseboard_management_controller_a320 -
netapp steelstore_cloud_integrated_storage -
netapp h700s -
netapp h500s -
netapp h410s -
netapp h615c -
netapp fas_8700 -
netapp h300s -
linux linux_kernel *
netapp cloud_backup -
netapp fas_baseboard_management_controller_c190 -
netapp solidfire -
netapp h610s -
netapp fas_baseboard_management_controller_a220 -
netapp fas_baseboard_management_controller_a800 -
CVE-2019-20907 MEDIUM

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
fedoraproject fedora 31
oracle zfs_storage_appliance_kit 8.8
opensuse leap 15.1
netapp active_iq_unified_manager *
netapp cloud_volumes_ontap_mediator -
canonical ubuntu_linux 12.04
canonical ubuntu_linux 20.04
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
python python *
debian debian_linux 9.0
CVE-2019-2215 MEDIUM

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
google android -
huawei columbia-l29d_firmware *
huawei dura-al00a_firmware *
netapp h500s_firmware -
netapp h410c_firmware -
huawei johnson-tl00d_firmware *
huawei neo-al00d_firmware *
netapp h410s_firmware -
huawei mate_rs_firmware 9.1.0.321(c786e320r1p1t8)
huawei tony-tl00b_firmware *
huawei barca-al00_firmware *
huawei leland-al10b_firmware *
huawei honor_view_20_firmware *
huawei berkeley-l09_firmware *
huawei rhone-al00_firmware *
huawei y9_2019_firmware *
huawei bla-al00b_firmware *
huawei duke-l09i_firmware *
netapp h610s_firmware -
huawei leland-tl10b_firmware *
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp a220_firmware -
huawei nova_3e_firmware *
huawei nova_2s_firmware *
huawei figo-al00a_firmware *
netapp fas2750_firmware -
netapp aff_baseboard_management_controller_firmware -
netapp service_processor -
huawei alp-tl00b_firmware *
huawei columbia-al00a_firmware *
huawei florida-l21_firmware *
huawei jakarta-al00a_firmware *
huawei lelandp-l22c_firmware *
huawei p20_firmware *
huawei yale-tl00b_firmware *
huawei yale-l21a_firmware *
huawei bla-tl00b_firmware *
netapp h300s_firmware -
huawei bla-l29c_firmware *
huawei stanford-l09_firmware *
netapp a800_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp c190_firmware -
huawei sydney-al00_firmware *
netapp data_availability_services -
huawei ares-tl00chw_firmware *
huawei florida-l03_firmware *
huawei lelandp-al00c_firmware *
huawei nova_3_firmware *
netapp h700s_firmware -
huawei stanford-l09s_firmware *
huawei ares-al10d_firmware *
canonical ubuntu_linux 16.04
huawei leland-l21a_firmware *
huawei leland-tl10c_firmware *
huawei honor_9i_firmware *
netapp cloud_backup -
huawei florida-al20b_firmware *
netapp solidfire -
huawei ares-al00b_firmware *
huawei sydneym-al00_firmware *
netapp a320_firmware -
huawei tony-al00b_firmware *
huawei alp-al00b_firmware *
huawei anne-al00_firmware *
debian debian_linux 8.0
huawei yale-al00a_firmware *
huawei p20_lite_firmware *
huawei florida-tl10b_firmware *
huawei princeton-al10b_firmware *
huawei florida-l22_firmware *
huawei leland-l32a_firmware *
huawei berkeley-tl10_firmware *
netapp fas2720_firmware -
huawei sydney-tl00_firmware *
huawei cornell-tl10b_firmware *
CVE-2019-2420 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2422 LOW

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp oncommand_workflow_automation *
oracle jre 11.0.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
hp xp7_command_view *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
canonical ubuntu_linux 14.04
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
oracle jdk 11.0.1
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
oracle jdk 1.8.0
opensuse leap 42.3
redhat satellite 5.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.6
redhat enterprise_linux_server_aus 7.6
CVE-2019-2426 MEDIUM

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation *
oracle jdk 11.0.1
oracle jre 1.7.0
oracle jre 1.8.0
oracle jdk 1.8.0
opensuse leap 42.3
oracle jre 11.0.1
oracle jdk 1.7.0
netapp oncommand_unified_manager *
netapp snapmanager -
hp xp7_command_view *
CVE-2019-2434 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2435 MEDIUM

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_connectors *
netapp active_iq_unified_manager *
netapp snapcenter -
CVE-2019-2436 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2449 LOW

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). The supported version that is affected is Java SE: 8u192. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
oracle jdk 1.8.0
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
redhat satellite 5.8
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp snapmanager -
CVE-2019-2455 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_desktop 8.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server 8.0
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_workstation 8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2481 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp oncommand_insight -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-25013 HIGH

The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
broadcom fabric_operating_system -
netapp 500f_firmware -
netapp service_processor -
gnu glibc *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
netapp a250_firmware -
CVE-2019-2502 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2019-2503 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H 1.2 5.2

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server 8.0
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_desktop 7.0
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
canonical ubuntu_linux 18.10
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_desktop 8.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_workstation 8.0
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 8.4
CVE-2019-25044 HIGH

The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel 5.2
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2019-25045 MEDIUM

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp h610s_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp aff_8700_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp aff_8300_firmware -
netapp fas_8300_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp aff_a700s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
netapp h610c_firmware -
netapp fas_8700_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp aff_a400_firmware -
CVE-2019-2510 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp oncommand_insight -
netapp active_iq_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2513 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Shell). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N 0.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp storage_automation_store -
netapp oncommand_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2019-2529 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server 8.0
redhat enterprise_linux_server_aus 8.6
netapp storage_automation_store -
redhat enterprise_linux_desktop 7.0
netapp oncommand_unified_manager *
netapp snapcenter -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_desktop 8.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_workstation 8.0
redhat enterprise_linux_server_aus 8.4
oracle mysql *
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 8.4
CVE-2019-2530 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2531 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2532 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2533 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2534 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2535 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2536 LOW

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2537 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
mariadb mariadb *
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
debian debian_linux 8.0
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
canonical ubuntu_linux 18.10
CVE-2019-2539 MEDIUM

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_tus 8.2
netapp storage_automation_store -
netapp oncommand_unified_manager *
redhat enterprise_linux_server_aus 8.4
oracle mysql *
netapp snapcenter -
redhat enterprise_linux_server_aus 8.2
redhat software_collections 1.0
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_eus 8.4
CVE-2019-2910 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2911 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2914 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2922 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2923 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2924 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2938 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2945 LOW

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2946 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2948 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2949 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N 2.2 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
netapp e-series_santricity_os_controller *
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_server 6.0
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
CVE-2019-2950 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2957 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2958 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp e-series_santricity_unified_manager -
oracle jre 11.0.4
debian debian_linux 8.0
oracle jdk 1.8.0
opensuse leap 15.1
oracle jdk 1.7.0
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
netapp e-series_santricity_storage_manager -
oracle jre 1.7.0
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
CVE-2019-2960 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2962 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2963 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2964 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2966 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2967 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2968 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2969 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-2973 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2975 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
CVE-2019-2977 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.8 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
oracle jre 11.0.4
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
netapp e-series_santricity_storage_manager -
oracle jre 13.0.0
netapp snapmanager -
CVE-2019-2978 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2981 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2982 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2983 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2987 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
oracle jre 11.0.4
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_server 6.0
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_desktop 6.0
oracle jre 13.0.0
netapp snapmanager -
CVE-2019-2988 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2989 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N 2.2 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp e-series_santricity_unified_manager -
oracle jre 11.0.4
oracle graalvm 19.2.0
oracle jdk 1.8.0
oracle jdk 1.7.0
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_server 6.0
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
oracle jre 13.0.0
oracle jre 1.8.0
netapp snapmanager -
CVE-2019-2991 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.017 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2992 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-2993 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2996 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u221; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 1.6 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux 8.0
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
oracle jdk 1.8.0
redhat enterprise_linux_desktop 7.0
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
redhat enterprise_linux_server 6.0
netapp e-series_santricity_storage_manager -
redhat enterprise_linux_desktop 6.0
oracle jre 1.8.0
netapp snapmanager -
CVE-2019-2997 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2998 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-2999 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 13.0.0
oracle jre 1.8.0
opensuse leap 15.0
netapp snapmanager -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
netapp e-series_santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
canonical ubuntu_linux 19.04
redhat satellite 5.8
netapp e-series_santricity_web_services_proxy -
oracle jdk 11.0.4
oracle jdk 13.0.0
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
CVE-2019-3003 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
CVE-2019-3004 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-3009 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-3011 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-3018 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
canonical ubuntu_linux 19.04
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2019-3462 HIGH

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp element_software -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
debian advanced_package_tool *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
netapp active_iq -
canonical ubuntu_linux 12.04
canonical ubuntu_linux 18.10
CVE-2019-3822 HIGH

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
oracle mysql_server *
oracle services_tools_bundle 19.2
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle enterprise_manager_ops_center 12.3.3
oracle communications_operations_monitor 4.0
oracle enterprise_manager_ops_center 12.4.0
netapp snapcenter -
oracle communications_operations_monitor 3.4
oracle secure_global_desktop 5.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap *
oracle http_server 12.2.1.3.0
siemens sinema_remote_connect_client *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
haxx libcurl *
CVE-2019-3823 MEDIUM

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 3.4
oracle secure_global_desktop 5.4
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap *
oracle http_server 12.2.1.3.0
canonical ubuntu_linux 14.04
oracle communications_operations_monitor 4.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
haxx libcurl *
CVE-2019-3843 MEDIUM

It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-266,CWE-269,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
systemd_project systemd *
netapp hci_management_node -
fedoraproject fedora 30
netapp solidfire -
netapp snapprotect -
CVE-2019-3844 MEDIUM

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-268,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
systemd_project systemd *
netapp hci_management_node -
netapp solidfire -
netapp snapprotect -
CVE-2019-3846 HIGH

A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
netapp h610s_firmware -
fedoraproject fedora 29
debian debian_linux 8.0
netapp hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 19.04
netapp a700s_firmware -
redhat enterprise_linux 7.0
netapp cn1610_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
netapp active_iq_unified_manager_for_vmware_vsphere *
debian debian_linux 9.0
CVE-2019-3855 HIGH

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux 8.0
fedoraproject fedora 28
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
fedoraproject fedora 29
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 42.3
redhat enterprise_linux_desktop 7.0
netapp ontap_select_deploy_administration_utility -
oracle peoplesoft_enterprise_peopletools 8.56
redhat enterprise_linux_server_tus 7.6
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server_aus 7.6
debian debian_linux 9.0
apple xcode *
libssh2 libssh2 *
CVE-2019-3856 MEDIUM

An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux 8.0
fedoraproject fedora 28
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
opensuse leap 42.3
redhat enterprise_linux_desktop 7.0
netapp ontap_select_deploy_administration_utility -
oracle peoplesoft_enterprise_peopletools 8.56
redhat enterprise_linux_server_tus 7.6
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server_aus 7.6
opensuse leap 15.0
debian debian_linux 9.0
libssh2 libssh2 *
CVE-2019-3857 MEDIUM

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-190,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux 8.0
fedoraproject fedora 28
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
opensuse leap 42.3
redhat enterprise_linux_desktop 7.0
netapp ontap_select_deploy_administration_utility -
oracle peoplesoft_enterprise_peopletools 8.56
redhat enterprise_linux_server_tus 7.6
oracle peoplesoft_enterprise_peopletools 8.57
redhat enterprise_linux_server_aus 7.6
opensuse leap 15.0
debian debian_linux 9.0
libssh2 libssh2 *
CVE-2019-3858 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 29
debian debian_linux 8.0
opensuse leap 42.3
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.0
libssh2 libssh2 *
CVE-2019-3859 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 28
fedoraproject fedora 29
debian debian_linux 8.0
opensuse leap 42.3
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.0
debian debian_linux 9.0
libssh2 libssh2 *
CVE-2019-3860 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 8.0
opensuse leap 42.3
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.0
libssh2 libssh2 *
CVE-2019-3861 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 8.0
opensuse leap 42.3
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.0
libssh2 libssh2 *
CVE-2019-3862 MEDIUM

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 29
debian debian_linux 8.0
opensuse leap 42.3
netapp ontap_select_deploy_administration_utility -
libssh2 libssh2 *
CVE-2019-3863 MEDIUM

A flaw was found in libssh2 before 1.8.1 creating a vulnerability on the SSH client side. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used by the SSH client as an index to copy memory causing in an out of bounds memory write error.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.6
opensuse leap 42.3
redhat enterprise_linux_desktop 7.0
netapp ontap_select_deploy_administration_utility -
opensuse leap 15.0
libssh2 libssh2 *
CVE-2019-3874 LOW

The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-400,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 8.0
netapp hci_management_node -
netapp snapprotect -
canonical ubuntu_linux 19.04
redhat enterprise_linux 7.0
netapp cn1610_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
netapp active_iq_unified_manager_for_vmware_vsphere *
canonical ubuntu_linux 18.10
CVE-2019-3882 MEDIUM

A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 15.1
opensuse leap 42.3
linux linux_kernel 3.10
netapp snapprotect -
linux linux_kernel 4.18
netapp vasa_provider_for_clustered_data_ontap *
canonical ubuntu_linux 19.04
netapp virtual_storage_console_for_vmware_vsphere *
netapp cn1610_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora *
linux linux_kernel 4.14
netapp storage_replication_adapter_for_clustered_data_ontap_for_vmware_vsphere *
canonical ubuntu_linux 14.04
netapp solidfire -
opensuse leap 15.0
netapp active_iq_unified_manager_for_vmware_vsphere *
debian debian_linux 9.0
canonical ubuntu_linux 18.10
CVE-2019-3888 MEDIUM

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
redhat virtualization 4.0
redhat virtualization_host 4.0
redhat openshift_application_runtimes -
redhat jboss_data_grid -
redhat undertow *
netapp active_iq_unified_manager -
CVE-2019-3900 MEDIUM

An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 3.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
fedoraproject fedora 28
debian debian_linux 10.0
fedoraproject fedora 29
debian debian_linux 8.0
netapp hci_management_node -
fedoraproject fedora 30
netapp snapprotect -
netapp vasa_provider_for_clustered_data_ontap *
canonical ubuntu_linux 19.04
netapp virtual_storage_console_for_vmware_vsphere *
redhat enterprise_linux 7.0
netapp cn1610_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle sd-wan_edge 8.2
linux linux_kernel *
netapp storage_replication_adapter_for_clustered_data_ontap_for_vmware_vsphere *
linux linux_kernel 5.1
netapp solidfire -
netapp active_iq_unified_manager_for_vmware_vsphere *
debian debian_linux 9.0
CVE-2019-3901 LOW

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-667,CWE-667,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
linux linux_kernel *
debian debian_linux 8.0
netapp storage_replication_adapter_for_clustered_data_ontap_for_vmware_vsphere *
netapp hci_management_node -
netapp solidfire -
netapp snapprotect -
netapp active_iq_unified_manager_for_vmware_vsphere *
netapp vasa_provider_for_clustered_data_ontap *
netapp virtual_storage_console_for_vmware_vsphere *
CVE-2019-4183 HIGH

IBM Cognos Analytics 11.0, and 11.1 is vulnerable to a denial of service attack that could allow a remote user to send specially crafted requests that would consume all available CPU and memory resources. IBM X-Force ID: 158973.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4231 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 159356.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 11.0.13
CVE-2019-4342 LOW

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 161421.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4343 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-origin resource sharing which could allow an attacker to transfer private information. An attacker could exploit this vulnerability to access content that should be restricted. IBM X-Force ID: 161422.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4471 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 163780.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4653 LOW

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170964.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4722 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information via a stack trace due to mishandling of certain error conditions. IBM X-Force ID: 172128.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4723 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force ID: 172129.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4724 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID: 172130.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-4729 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 172519.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,

Products Affected

Vendor Product Version
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2019-4730 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172533.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2019-5094 MEDIUM

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
debian debian_linux 8.0
netapp hci_management_node -
fedoraproject fedora 30
canonical ubuntu_linux 19.04
e2fsprogs_project e2fsprogs *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
CVE-2019-5108 LOW

An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-440,CWE-287,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h610s_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp a400_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle sd-wan_edge 8.2
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp 8300_firmware -
debian debian_linux 9.0
CVE-2019-5188 MEDIUM

A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9
talos-cna@cisco.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 31
netapp hci_compute_node_firmware -
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
canonical ubuntu_linux 19.04
e2fsprogs_project e2fsprogs *
canonical ubuntu_linux 12.04
netapp solidfire,_enterprise_sds_&_hci_storage_node -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2019-5436 MEDIUM

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
oracle mysql_server *
netapp hci_management_node -
opensuse leap 15.1
opensuse leap 42.3
netapp steelstore_cloud_integrated_storage -
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
oracle oss_support_tools 20.0
f5 traffix_signaling_delivery_controller *
netapp solidfire -
opensuse leap 15.0
debian debian_linux 9.0
haxx libcurl *
CVE-2019-5443 MEDIUM

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-427,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle http_server 12.2.1.4.0
oracle mysql_server *
oracle http_server 12.2.1.3.0
netapp oncommand_insight -
netapp oncommand_unified_manager *
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
oracle oss_support_tools 20.0
haxx curl *
netapp snapcenter -
CVE-2019-5481 HIGH

Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,CWE-415,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
netapp solidfire_baseboard_management_controller_firmware -
oracle communications_session_border_controller 8.4
fedoraproject fedora 29
oracle mysql_server *
fedoraproject fedora 30
opensuse leap 15.1
oracle enterprise_manager_ops_center 12.3.3
oracle communications_operations_monitor 4.0
oracle enterprise_manager_ops_center 12.4.0
oracle oss_support_tools 20.0
haxx curl *
netapp steelstore -
oracle communications_operations_monitor 3.4
oracle communications_operations_monitor 4.2
oracle communications_operations_monitor 4.3
oracle communications_session_border_controller 8.3
netapp cloud_backup -
oracle communications_operations_monitor 4.1
opensuse leap 15.0
debian debian_linux 9.0
CVE-2019-5482 HIGH

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
oracle hyperion_essbase 11.1.2.4
oracle http_server 12.2.1.4.0
fedoraproject fedora 31
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.1
netapp oncommand_unified_manager *
oracle enterprise_manager_ops_center 12.3.3
oracle enterprise_manager_ops_center 12.4.0
oracle oss_support_tools 20.0
netapp snapcenter -
oracle communications_operations_monitor 4.2
oracle communications_session_border_controller 8.3
netapp cloud_backup -
oracle communications_operations_monitor 4.1
opensuse leap 15.0
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle communications_session_border_controller 8.4
oracle mysql_server *
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
oracle communications_operations_monitor 4.0
haxx curl *
oracle communications_operations_monitor 3.4
oracle communications_operations_monitor 4.3
oracle http_server 12.2.1.3.0
CVE-2019-5489 LOW

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

CVSS 2.0

Severity: LOW

Problem Type: CWE-319,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp element_software_management_node -
netapp active_iq_performance_analytics_services -
CVE-2019-5490 HIGH

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
netapp service_processor 3.3
netapp service_processor 3.0.4
netapp service_processor 2.8
netapp service_processor 3.7
netapp service_processor 3.1.2
netapp service_processor 4.5
netapp service_processor 2.5
netapp service_processor 5.2
netapp service_processor 5.5
netapp service_processor 2.4.1
netapp service_processor 3.4
netapp service_processor 4.2
netapp service_processor 2.4
netapp service_processor 3.2
netapp service_processor 4.1
netapp service_processor 2.3.2
netapp service_processor 2.2.5
netapp service_processor 5.1
CVE-2019-5491 MEDIUM

Clustered Data ONTAP versions prior to 9.1P15 and 9.3 prior to 9.3P7 are susceptible to a vulnerability which discloses sensitive information to an unauthenticated user.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap 9.1
netapp clustered_data_ontap *
CVE-2019-5492 MEDIUM

Element Plug-in for vCenter Server versions prior to 4.2.3 may disclose sensitive account information to an unauthenticated attacker. NetApp HCI Compute Node versions prior to 1.4P2 bundle affected versions of Element Plug-in for vCenter Server.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp element_plug-in_for_vcenter_server *
netapp hyper_converged_infrastructure_compute_node *
CVE-2019-5493 MEDIUM

Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 are susceptible to a vulnerability which discloses information to an unauthenticated attacker. A successful attack requires that multiple non-default options be enabled.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp data_ontap 8.2.5
netapp data_ontap *
CVE-2019-5494 MEDIUM

OnCommand Unified Manager 7-Mode prior to version 5.2.4 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2019-5495 MEDIUM

OnCommand Unified Manager for VMware vSphere, Linux and Windows prior to 9.5 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2019-5496 MEDIUM

Oncommand Insight versions prior to 7.3.5 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
netapp oncommand_insight *
CVE-2019-5497 HIGH

NetApp AFF A700s Baseboard Management Controller (BMC) firmware versions 1.22 and higher were shipped with a default account enabled that could allow unauthorized arbitrary command execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
netapp aff_a700s_firmware *
netapp clustered_data_ontap -
CVE-2019-5498 MEDIUM

OnCommand Insight versions through 7.3.6 may disclose sensitive account information to an authenticated user.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight *
CVE-2019-5500 MEDIUM

Certain versions of the NetApp Service Processor and Baseboard Management Controller firmware allow a remote unauthenticated attacker to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp fas26x0_firmware -
netapp aff_a220_firmware -
netapp aff_a200_firmware -
netapp fas27x0_firmware -
netapp aff_a300_firmware -
netapp aff_c190_firmware -
netapp fas8200_firmware -
CVE-2019-5501 MEDIUM

Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose sensitive LDAP account information to unauthenticated remote attackers.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp data_ontap 8.2.5
netapp data_ontap *
CVE-2019-5502 MEDIUM

SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 has weak cryptography which when exploited could lead to information disclosure or addition or modification of data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp data_ontap 8.2.5
netapp data_ontap *
CVE-2019-5503 MEDIUM

OnCommand Workflow Automation versions prior to 5.0 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation 5.0
CVE-2019-5504 HIGH

ONTAP Select Deploy administration utility versions 2.12 & 2.12.1 ship with an HTTP service bound to the network allowing unauthenticated remote attackers to perform administrative actions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility 2.12.1
netapp ontap_select_deploy_administration_utility 2.12
CVE-2019-5505 MEDIUM

ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 transmit credentials in plaintext.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-522,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
netapp ontap_select_deploy_administration_utility *
CVE-2019-5506 MEDIUM

Clustered Data ONTAP versions 9.0 and higher do not enforce hostname verification under certain circumstances making them susceptible to impersonation via man-in-the-middle attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.6
CVE-2019-5507 LOW

SnapManager for Oracle prior to version 3.4.2P1 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp snapmanager 3.4.2
netapp snapmanager *
CVE-2019-5508 MEDIUM

Clustered Data ONTAP versions 9.2 through 9.4 are susceptible to a vulnerability which allows an attacker to use l2ping to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
CVE-2019-5509 HIGH

ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use a privileged user account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility *
CVE-2019-5608 HIGH

In FreeBSD 12.0-STABLE before r350648, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350650, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.0
freebsd freebsd 11.3
freebsd freebsd 11.2
CVE-2019-5610 MEDIUM

In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding. A remote user could cause an out-of-bounds read or trigger a crash of the software such as bsnmpd resulting in a denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.0
freebsd freebsd 11.3
freebsd freebsd 11.2
CVE-2019-5611 HIGH

In FreeBSD 12.0-STABLE before r350828, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r350829, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, a missing check in the function to arrange data in a chain of mbufs could cause data returned not to be contiguous. Extra checks in the IPv6 stack could catch the error condition and trigger a kernel panic, leading to a remote denial of service.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.0
freebsd freebsd 11.3
freebsd freebsd 11.2
CVE-2019-5612 HIGH

In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEASE-p10, 11.3-STABLE before r351265, 11.3-RELEASE before 11.3-RELEASE-p3, and 11.2-RELEASE before 11.2-RELEASE-p14, the kernel driver for /dev/midistat implements a read handler that is not thread-safe. A multi-threaded program can exploit races in the handler to copy out kernel memory outside the boundaries of midistat's data buffer.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.0
freebsd freebsd 11.3
freebsd freebsd 11.2
CVE-2019-5614 HIGH

In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEASE-p4, 11.3-STABLE before r356036, and 11.3-RELEASE before 11.3-RELEASE-p8, incomplete packet data validation may result in accessing out-of-bounds memory leading to a kernel panic or other unpredictable results.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-119,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.1
freebsd freebsd 11.3
CVE-2019-5736 HIGH

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
docker docker *
redhat container_development_kit 3.7
fedoraproject fedora 29
d2iq kubernetes_engine *
fedoraproject fedora 30
opensuse leap 15.1
linuxfoundation runc *
d2iq dc/os *
linuxcontainers lxc *
microfocus service_management_automation 2018.08
hp onesphere -
redhat openshift 3.4
microfocus service_management_automation 2018.02
microfocus service_management_automation 2018.05
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linuxfoundation runc 1.0.0
netapp solidfire -
opensuse leap 15.0
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
google kubernetes_engine -
redhat openshift 3.7
netapp hci_management_node -
opensuse leap 42.3
redhat openshift 3.5
apache mesos *
microfocus service_management_automation 2018.11
canonical ubuntu_linux 19.04
redhat openshift 3.6
opensuse backports_sle 15.0
CVE-2019-6109 MEDIUM

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
netapp element_software -
redhat enterprise_linux_eus 8.1
winscp winscp *
redhat enterprise_linux_server_aus 8.6
netapp storage_automation_store -
fedoraproject fedora 30
fujitsu m10-4_firmware *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp ontap_select_deploy -
openbsd openssh *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
siemens scalance_x204rna_firmware *
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
fujitsu m10-1_firmware *
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.2
siemens scalance_x204rna_eec_firmware *
fujitsu m10-4s_firmware *
redhat enterprise_linux_eus 8.4
fujitsu m12-2_firmware *
CVE-2019-6110 MEDIUM

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-838,CWE-838,

Products Affected

Vendor Product Version
netapp element_software -
siemens scalance_x204rna_eec_firmware *
siemens scalance_x204rna_firmware *
netapp ontap_select_deploy -
winscp winscp *
netapp storage_automation_store -
openbsd openssh *
CVE-2019-6260 HIGH

The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console uart is attached to a serial concentrator). This CVE applies to the specific cases of iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, UART-based SoC Debug interface, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp fas/aff_baseboard_management_controller *
aspeedtech ast2400_firmware *
aspeedtech ast2500_firmware *
CVE-2019-6454 MEDIUM

An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_power_little_endian_eus 7.5
canonical ubuntu_linux 18.04
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.1
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.1
redhat enterprise_linux_for_power_big_endian_eus 7.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.4
redhat enterprise_linux_for_power_little_endian_eus 7.4
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
fedoraproject fedora 29
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.3
redhat enterprise_linux_for_ibm_z_systems_eus 7.4
redhat enterprise_linux_for_power_little_endian_eus 8.4
netapp active_iq_performance_analytics_services -
mcafee web_gateway *
redhat enterprise_linux_for_power_little_endian_eus 8.2
canonical ubuntu_linux 16.04
systemd_project systemd 239
redhat enterprise_linux_for_ibm_z_systems_eus 7.5
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.0
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 7.3
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_compute_node_eus 7.5
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux_eus 7.5
CVE-2019-6977 MEDIUM

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
libgd libgd 2.2.5
debian debian_linux 8.0
php php 7.3.0
netapp storage_automation_store *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-7221 MEDIUM

The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
fedoraproject fedora 28
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
fedoraproject fedora 29
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
netapp element_software_management_node -
netapp active_iq_performance_analytics_services -
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat openshift_container_platform 3.11
linux linux_kernel *
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 14.04
opensuse leap 15.0
canonical ubuntu_linux 18.10
CVE-2019-7222 LOW

The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
fedoraproject fedora 28
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_for_real_time 7
fedoraproject fedora 29
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_desktop 7.0
netapp active_iq_performance_analytics_services -
redhat enterprise_linux_for_real_time_tus 8.4
redhat enterprise_linux_for_real_time_for_nfv_tus 8.6
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat enterprise_linux_for_real_time_tus 8.6
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
redhat enterprise_linux_server_tus 8.6
linux linux_kernel *
canonical ubuntu_linux 14.04
opensuse leap 15.0
redhat enterprise_linux_for_real_time 8
canonical ubuntu_linux 18.10
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp element_software_management_node -
redhat enterprise_linux_server_aus 8.4
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_for_real_time_for_nfv 7
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2019-7317 LOW

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux 6.0
netapp snapmanager 3.4.2
opensuse leap 15.1
netapp e-series_santricity_web_services *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_power_big_endian 7.0
oracle java_se 8u212
netapp steelstore -
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
redhat enterprise_linux_for_power_little_endian 8.0
hpe xp7_command_view_advanced_edition_suite *
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_for_power_big_endian 6.0
netapp plug-in_for_symantec_netbackup -
netapp active_iq_unified_manager *
canonical ubuntu_linux 19.04
redhat enterprise_linux_for_ibm_z_systems 6.0
redhat enterprise_linux_for_ibm_z_systems 7.0
netapp snapmanager *
netapp oncommand_workflow_automation *
redhat enterprise_linux_for_scientific_computing 7.0
mozilla firefox -
netapp oncommand_insight *
oracle jdk 12.0.1
oracle java_se 7u221
hp xp7_command_view *
canonical ubuntu_linux 16.04
redhat enterprise_linux_for_power_little_endian 7.0
libpng libpng *
netapp cloud_backup -
opensuse leap 15.0
redhat enterprise_linux_for_ibm_z_systems 8.0
netapp active_iq_unified_manager 9.6
debian debian_linux 9.0
canonical ubuntu_linux 18.10
netapp e-series_santricity_unified_manager *
oracle hyperion_infrastructure_technology 11.2.6.0
debian debian_linux 8.0
opensuse leap 42.3
mozilla thunderbird -
redhat satellite 5.8
opensuse package_hub -
oracle mysql *
redhat enterprise_linux_for_scientific_computing 6.0
redhat enterprise_linux 7.0
oracle jdk 11.0.3
netapp e-series_santricity_storage_manager *
CVE-2019-7612 MEDIUM

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-532,

Products Affected

Vendor Product Version
elastic logstash *
netapp active_iq_performance_analytics_services -
CVE-2019-8936 MEDIUM

NTP through 4.2.8p12 has a NULL Pointer Dereference.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 28
hpe hpux-ntp *
netapp clustered_data_ontap *
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 42.3
ntp ntp 4.2.8
opensuse leap 15.0
netapp data_ontap -
ntp ntp *
CVE-2019-9003 HIGH

In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp hci_management_node -
linux linux_kernel 5.0
netapp solidfire -
netapp snapprotect -
opensuse leap 15.0
canonical ubuntu_linux 18.10
CVE-2019-9020 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-416,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
netapp storage_automation_store -
opensuse leap 42.3
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2019-9021 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
netapp storage_automation_store -
opensuse leap 42.3
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2019-9022 MEDIUM

An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 8.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2019-9023 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
netapp storage_automation_store -
opensuse leap 42.3
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2019-9024 MEDIUM

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
netapp storage_automation_store -
opensuse leap 42.3
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
php php *
CVE-2019-9025 HIGH

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
netapp storage_automation_store -
php php *
CVE-2019-9070 MEDIUM

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp element_software_management *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
f5 traffix_signaling_delivery_controller *
gnu binutils 2.32
CVE-2019-9071 MEDIUM

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a stack consumption issue in d_count_templates_scopes in cp-demangle.c after many recursive calls.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp hci_management_node -
gnu binutils 2.32
netapp solidfire -
CVE-2019-9072 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
netapp hci_management_node -
gnu binutils 2.32
netapp solidfire -
CVE-2019-9073 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp hci_management_node -
gnu binutils 2.32
netapp solidfire -
CVE-2019-9074 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
netapp hci_management_node -
gnu binutils 2.32
netapp solidfire -
CVE-2019-9075 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
f5 big-ip_policy_enforcement_manager 14.1.0
f5 big-ip_application_acceleration_manager 15.0.0
f5 big-ip_local_traffic_manager 14.1.0
f5 big-ip_fraud_protection_service 15.0.0
gnu binutils 2.32
f5 big-ip_access_policy_manager 15.0.0
f5 big-ip_webaccelerator 15.0.0
canonical ubuntu_linux 18.04
f5 big-ip_link_controller 14.1.0
f5 big-ip_link_controller 15.0.0
f5 big-ip_policy_enforcement_manager 15.0.0
netapp solidfire -
f5 big-ip_application_security_manager 14.1.0
f5 big-ip_local_traffic_manager 15.0.0
f5 big-ip_edge_gateway 14.1.0
f5 big-ip_analytics 14.1.0
f5 big-ip_global_traffic_manager 14.1.0
netapp hci_management_node -
f5 big-ip_access_policy_manager 14.1.0
f5 big-ip_domain_name_system 15.0.0
f5 big-ip_fraud_protection_service 14.1.0
f5 big-ip_edge_gateway 15.0.0
f5 big-ip_application_acceleration_manager 14.1.0
f5 big-ip_advanced_firewall_manager 15.0.0
f5 big-ip_advanced_firewall_manager 14.1.0
f5 big-ip_application_security_manager 15.0.0
f5 big-ip_global_traffic_manager 15.0.0
f5 big-ip_analytics 15.0.0
f5 big-ip_domain_name_system 14.1.0
f5 big-ip_policy_webaccelerator 14.1.0
CVE-2019-9076 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
netapp element_software_management *
gnu binutils 2.32
CVE-2019-9077 MEDIUM

An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp element_software -
canonical ubuntu_linux 18.04
f5 traffix_signaling_delivery_controller *
gnu binutils 2.32
CVE-2019-9162 MEDIUM

In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp cn1610_firmware -
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
netapp snapprotect -
canonical ubuntu_linux 18.10
CVE-2019-9169 HIGH

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp cloud_backup *
gnu glibc *
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
mcafee web_gateway *
CVE-2019-9514 HIGH

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-770,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_eus 8.1
redhat openshift_service_mesh 1.0
redhat jboss_enterprise_application_platform 7.2.0
fedoraproject fedora 29
oracle graalvm 19.2.0
fedoraproject fedora 30
opensuse leap 15.1
apple swiftnio *
redhat developer_tools 1.0
mcafee web_gateway *
redhat software_collections 1.0
f5 big-ip_local_traffic_manager *
netapp cloud_insights -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache traffic_server *
nodejs node.js *
synology skynas -
opensuse leap 15.0
debian debian_linux 9.0
redhat quay 3.0.0
redhat openshift_container_platform 3.10
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat jboss_core_services 1.0
synology diskstation_manager 6.2
canonical ubuntu_linux 19.04
redhat openstack 14
redhat single_sign-on 7.3
redhat openshift_container_platform 4.2
netapp trident -
redhat openshift_container_platform 3.11
synology vs960hd_firmware -
redhat openshift_container_platform 3.9
redhat openshift_container_platform 4.1
redhat jboss_enterprise_application_platform 7.3.0
CVE-2019-9517 HIGH

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-770,

Products Affected

Vendor Product Version
redhat openshift_service_mesh 1.0
redhat jboss_enterprise_application_platform 7.2.0
fedoraproject fedora 29
oracle retail_xstore_point_of_service 7.1
oracle graalvm 19.2.0
fedoraproject fedora 30
opensuse leap 15.1
apple swiftnio *
mcafee web_gateway *
oracle communications_element_manager 8.1.0
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apache traffic_server *
oracle instantis_enterprisetrack *
oracle communications_element_manager 8.2.0
nodejs node.js *
synology skynas -
opensuse leap 15.0
debian debian_linux 9.0
redhat quay 3.0.0
redhat enterprise_linux 8.0
debian debian_linux 10.0
apache http_server *
redhat jboss_core_services 1.0
synology diskstation_manager 6.2
canonical ubuntu_linux 19.04
oracle communications_element_manager 8.0.0
netapp clustered_data_ontap -
synology vs960hd_firmware -
redhat jboss_enterprise_application_platform 7.3.0
oracle communications_element_manager 8.1.1
CVE-2019-9637 MEDIUM

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
debian debian_linux 9.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 18.10
php php *
CVE-2019-9638 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 12.04
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-9639 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,CWE-909,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 12.04
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-9640 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 12.04
redhat software_collections 1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-9641 HIGH

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-908,

Products Affected

Vendor Product Version
netapp storage_automation_store -
debian debian_linux 8.0
opensuse leap 15.1
opensuse leap 42.3
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
opensuse leap 15.0
debian debian_linux 9.0
canonical ubuntu_linux 18.10
php php *
CVE-2019-9674 MEDIUM

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
python python *
netapp active_iq_unified_manager -
canonical ubuntu_linux 12.04
CVE-2019-9894 MEDIUM

A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-320,

Products Affected

Vendor Product Version
fedoraproject fedora 28
fedoraproject fedora 29
debian debian_linux 8.0
putty putty *
opensuse leap 15.0
debian debian_linux 9.0
netapp oncommand_unified_manager -
CVE-2019-9897 MEDIUM

Multiple denial-of-service attacks that can be triggered by writing to the terminal exist in PuTTY versions before 0.71.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 28
fedoraproject fedora 29
debian debian_linux 8.0
putty putty *
opensuse leap 15.0
debian debian_linux 9.0
netapp oncommand_unified_manager -
CVE-2019-9898 HIGH

Potential recycling of random numbers used in cryptography exists within PuTTY before 0.71.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-330,

Products Affected

Vendor Product Version
fedoraproject fedora 28
fedoraproject fedora 29
debian debian_linux 8.0
putty putty *
opensuse leap 15.0
debian debian_linux 9.0
netapp oncommand_unified_manager -
CVE-2019-9924 HIGH

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
gnu bash *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
netapp hci_management_node -
gnu bash 4.4
opensuse leap 42.3
canonical ubuntu_linux 14.04
netapp solidfire -
canonical ubuntu_linux 12.04
CVE-2019-9946 MEDIUM

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-670,

Products Affected

Vendor Product Version
cncf portmap *
netapp cloud_insights -
kubernetes kubernetes 1.14.0
kubernetes kubernetes 1.13.6
kubernetes kubernetes *
CVE-2020-0590 MEDIUM

Improper input validation in BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
intel xeon_gold_6130_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel xeon_gold_5215_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel xeon_gold_6142_firmware -
intel xeon_gold_6152_firmware -
intel xeon_platinum_8256_firmware -
intel xeon_silver_4214y_firmware -
intel xeon_silver_4215_firmware -
intel xeon_silver_4112_firmware -
intel xeon_gold_5218b_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_gold_6210u_firmware -
intel xeon_gold_6148f_firmware -
intel xeon_silver_4109t_firmware -
intel xeon_gold_6230t_firmware -
intel xeon_platinum_8158_firmware -
intel xeon_gold_5222_firmware -
siemens simatic_ipc847e_firmware *
intel xeon_gold_5217_firmware -
intel xeon_silver_4108_firmware -
intel xeon_gold_5218_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6238_firmware -
intel xeon_gold_6126f_firmware -
intel xeon_gold_6258r_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_platinum_8160_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_gold_6212u_firmware -
intel xeon_bronze_3204_firmware -
intel xeon_gold_5220s_firmware -
intel xeon_platinum_9222_firmware -
siemens simatic_ipc547g_firmware *
intel xeon_gold_6250_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel xeon_platinum_8176f_firmware -
intel xeon_gold_6136_firmware -
intel xeon_gold_6226r_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_platinum_8260y_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8156_firmware -
intel xeon_gold_6252n_firmware -
siemens simatic_ipc677e_firmware *
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel xeon_gold_5218r_firmware -
intel xeon_gold_6138f_firmware -
intel xeon_platinum_8160f_firmware -
siemens simatic_ipc527g_firmware *
intel xeon_platinum_8280_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_gold_6126_firmware -
intel xeon_gold_6154_firmware -
netapp clustered_data_ontap -
intel xeon_gold_6238r_firmware -
intel xeon_gold_5120t_firmware -
intel xeon_silver_4210_firmware -
intel xeon_platinum_8276_firmware -
intel xeon_gold_6142f_firmware -
intel xeon_silver_4208_firmware -
intel xeon_gold_6246r_firmware -
siemens simatic_ipc647e_firmware *
intel xeon_gold_5218t_firmware -
intel xeon_gold_6250l_firmware -
intel xeon_silver_4116_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_silver_4210r_firmware -
intel xeon_gold_6138p_firmware -
siemens simatic_ipc627e_firmware *
intel xeon_silver_4216_firmware -
intel xeon_platinum_8276l_firmware -
intel xeon_gold_6138_firmware -
intel xeon_gold_6240l_firmware -
intel xeon_platinum_8164_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_gold_6230n_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_platinum_8160t_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_gold_6238t_firmware -
intel xeon_gold_5218n_firmware -
intel xeon_platinum_8168_firmware -
intel xeon_gold_6234_firmware -
intel xeon_silver_4110_firmware -
intel xeon_gold_6130t_firmware -
intel xeon_gold_6244_firmware -
intel xeon_gold_5118_firmware -
intel xeon_platinum_8176_firmware -
intel xeon_gold_6230_firmware -
intel xeon_silver_4114t_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_gold_6128_firmware -
intel xeon_silver_4214r_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_gold_5115_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_gold_6240y_firmware -
netapp cloud_backup -
intel xeon_gold_6254_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel xeon_gold_6256_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel xeon_silver_4114_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6242_firmware -
intel xeon_gold_6208u_firmware -
intel xeon_gold_6132_firmware -
intel xeon_gold_6134_firmware -
netapp fas/aff_bios -
intel xeon_gold_6222v_firmware -
intel xeon_silver_4214_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_gold_6144_firmware -
intel xeon_gold_6150_firmware -
intel xeon_silver_4210t_firmware -
CVE-2020-10029 LOW

The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
netapp hci_management_node -
fedoraproject fedora 30
opensuse leap 15.1
gnu glibc *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp cloud_backup -
netapp solidfire -
CVE-2020-10650

A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.

Products Affected

Vendor Product Version
fasterxml jackson-databind 2.10.0
debian debian_linux 10.0
fasterxml jackson-databind *
netapp active_iq_unified_manager -
oracle retail_merchandising_system 15.0
oracle retail_sales_audit 14.1
CVE-2020-10672 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-10673 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-10683 HIGH

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle retail_price_management 16.0.3.0
opensuse leap 15.1
oracle insurance_policy_administration_j2ee 10.2.0
oracle insurance_rules_palette 11.0.2
netapp snapcenter -
oracle retail_integration_bus 15.0
oracle communications_diameter_signaling_router *
oracle webcenter_portal 12.2.1.4.0
oracle retail_customer_management_and_segmentation_foundation 18.0
oracle retail_order_broker 19.1
oracle endeca_information_discovery_integrator 3.2.0
oracle health_sciences_information_manager 3.0.1
netapp snapmanager -
oracle retail_order_broker 18.0
oracle insurance_rules_palette 10.2.4
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle retail_price_management 14.0.3
oracle communications_application_session_controller 3.9m0p1
oracle data_integrator 12.2.1.4.0
oracle flexcube_core_banking 11.7.0
oracle rapid_planning 12.1
netapp snap_creator_framework -
oracle retail_order_broker 16.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle business_process_management_suite 12.2.1.4.0
oracle retail_order_broker 19.0
oracle retail_integration_bus 16.0
oracle insurance_policy_administration_j2ee 11.0.2
oracle webcenter_portal 11.1.1.9.0
oracle agile_plm 9.3.3
oracle communications_unified_inventory_management 7.3.0
oracle retail_xstore_point_of_service 16.0.6
oracle insurance_rules_palette 10.2.0
oracle fusion_middleware 12.2.1.4.0
oracle enterprise_data_quality 11.1.1.9.0
oracle banking_platform *
oracle retail_order_broker 15.0
oracle financial_services_analytical_applications_infrastructure *
oracle utilities_framework *
oracle agile_plm 9.3.5
oracle utilities_framework 4.2.0.3.0
netapp oncommand_api_services -
oracle flexcube_core_banking 11.9.0
oracle retail_xstore_point_of_service 18.0.3
oracle documaker *
oracle insurance_policy_administration_j2ee 10.2.4
canonical ubuntu_linux 16.04
oracle utilities_framework 4.4.0.0.0
oracle flexcube_core_banking 11.8.0
oracle rapid_planning 12.2
oracle business_process_management_suite 12.2.1.3.0
oracle retail_price_management 15.0.3.0
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle storagetek_tape_analytics_sw_tool 2.3
oracle jdeveloper 12.2.1.4.0
netapp oncommand_workflow_automation -
oracle utilities_framework 4.4.0.2.0
oracle retail_customer_management_and_segmentation_foundation 16.0
oracle communications_unified_inventory_management 7.4.0
oracle data_integrator 12.2.1.3.0
oracle webcenter_portal 12.2.1.3.0
dom4j_project dom4j *
oracle flexcube_core_banking 11.10.0
oracle insurance_rules_palette *
oracle enterprise_data_quality 12.2.1.3.0
oracle utilities_framework 4.2.0.2.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle health_sciences_empirica_signal 9.0
oracle insurance_policy_administration_j2ee *
oracle utilities_framework 2.2.0.0.0
oracle retail_xstore_point_of_service 15.0.4
oracle retail_price_management 14.1.3.0
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-10690 MEDIUM

There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 16.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
netapp h610c_firmware -
redhat enterprise_linux 8.0
netapp h610s_firmware -
debian debian_linux 8.0
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat enterprise_linux 7.0
netapp h700e_firmware -
netapp hci_compute_node -
netapp h500e_firmware -
CVE-2020-10705 MEDIUM

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.2
redhat openshift_application_runtimes -
netapp oncommand_insight -
redhat undertow *
redhat jboss_enterprise_application_platform -
CVE-2020-10714 MEDIUM

A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-384,CWE-384,

Products Affected

Vendor Product Version
redhat jboss_fuse 7.0.0
redhat codeready_studio 12.0
redhat wildfly_elytron *
netapp oncommand_insight -
redhat process_automation 7.0
redhat descision_manager 7.0
CVE-2020-10719 MEDIUM

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat jboss_enterprise_application_platform 7.2
redhat openshift_application_runtimes -
redhat jboss_enterprise_application_platform 7.3
redhat single_sign-on -
redhat undertow *
netapp active_iq_unified_manager -
netapp oncommand_insight *
redhat jboss_enterprise_application_platform 7.4
redhat fuse 1.0
redhat jboss_enterprise_application_platform -
CVE-2020-10727 LOW

A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,CWE-522,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
apache activemq_artemis *
CVE-2020-10732 LOW

A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L 1.8 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,CWE-908,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp aff_a700_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
netapp aff_a400_firmware -
netapp aff_8700_firmware -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp aff_8300_firmware -
opensuse leap 15.2
netapp h700e_firmware -
netapp h500e_firmware -
linux linux_kernel -
CVE-2020-10757 MEDIUM

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-843,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 31
debian debian_linux 8.0
opensuse leap 15.1
redhat enterprise_mrg 2.0
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
redhat enterprise_linux 7.0
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
linux linux_kernel 4.5
CVE-2020-10771 MEDIUM

A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
redhat data_grid 8.0
infinispan infinispan-server-rest 10.0.0
netapp oncommand_insight -
CVE-2020-10878 HIGH

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
oracle sd-wan_aware 9.0
oracle configuration_manager 12.1.2.0.8
oracle sd-wan_aware 9.1
fedoraproject fedora 31
oracle sd-wan_aware 8.2
oracle communications_eagle_lnp_application_processor 10.1
opensuse leap 15.1
oracle communications_pricing_design_center 12.0.0.3.0
oracle communications_diameter_signaling_router *
oracle communications_eagle_application_processor *
oracle communications_eagle_lnp_application_processor 46.7
oracle communications_eagle_lnp_application_processor 46.9
oracle communications_performance_intelligence_center *
oracle communications_eagle_lnp_application_processor 10.2
netapp oncommand_workflow_automation -
oracle tekelec_platform_distribution *
oracle communications_lsms *
netapp snap_creator_framework -
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle communications_billing_and_revenue_management 12.0.0.2.0
oracle enterprise_manager_base_platform 13.4.0.0
perl perl *
oracle communications_eagle_lnp_application_processor 46.8
oracle communications_billing_and_revenue_management 12.0.0.3.0
CVE-2020-10968 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-10969 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-11022 MEDIUM

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 1.6 4.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
fedoraproject fedora 31
oracle policy_automation *
oracle financial_services_funds_transfer_pricing 8.0.6
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
oracle peoplesoft_enterprise_peopletools 8.56
netapp oncommand_system_manager *
oracle weblogic_server 10.3.6.0.0
oracle retail_returns_management 14.0
oracle retail_returns_management 14.1
oracle financial_services_profitability_management 8.1.0
oracle financial_services_market_risk_measurement_and_management 8.0.6
oracle communications_application_session_controller 3.8m0
oracle financial_services_analytical_applications_reconciliation_framework *
fedoraproject fedora 33
oracle banking_digital_experience 18.2
oracle policy_automation_for_mobile_devices *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle healthcare_foundation 7.2.0
netapp oncommand_insight -
oracle financial_services_market_risk_measurement_and_management 8.0.8
oracle enterprise_session_border_controller 8.4
oracle banking_digital_experience 18.1
netapp max_data -
fedoraproject fedora 32
oracle financial_services_hedge_management_and_ifrs_valuations 8.1.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_digital_experience 19.2
oracle financial_services_data_governance_for_us_regulatory_reporting *
netapp h700e_firmware -
netapp h500e_firmware -
netapp h300s_firmware -
oracle hospitality_simphony 19.1.0-19.1.2
oracle financial_services_analytical_applications_infrastructure *
oracle hospitality_materials_control 18.1
oracle financial_services_balance_sheet_planning 8.0.8
oracle retail_back_office 14.0
oracle hospitality_simphony *
oracle financial_services_basel_regulatory_capital_internal_ratings_based_approach 8.1.0
oracle insurance_data_foundation 8.0.6-8.1.0
oracle financial_services_asset_liability_management 8.0.7
oracle financial_services_loan_loss_forecasting_and_provisioning 8.1.0
oracle communications_eagle_application_processor *
oracle financial_services_regulatory_reporting_for_european_banking_authority *
oracle financial_services_liquidity_risk_measurement_and_management 8.1.0
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle agile_product_supplier_collaboration_for_process 6.2.0.0
oracle healthcare_foundation 7.2.1
oracle banking_digital_experience 18.3
oracle financial_services_data_integration_hub 8.1.0
oracle financial_services_regulatory_reporting_for_us_federal_reserve *
drupal drupal *
oracle financial_services_liquidity_risk_management 8.0.6
oracle insurance_insbridge_rating_and_underwriting 5.6.1.0
oracle agile_product_lifecycle_management_for_process 6.2.0.0
oracle financial_services_profitability_management 8.0.6
opensuse leap 15.2
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_webrtc_session_controller 7.2
jquery jquery *
oracle banking_digital_experience 20.1
netapp h300e_firmware -
oracle jdeveloper 12.2.1.3.0
oracle financial_services_funds_transfer_pricing 8.0.7
oracle financial_services_liquidity_risk_measurement_and_management 8.0.7
oracle banking_digital_experience *
netapp snapcenter -
netapp h410s_firmware -
oracle hospitality_simphony 18.2
oracle financial_services_data_integration_hub 8.0.7
oracle blockchain_platform *
oracle financial_services_funds_transfer_pricing 8.1.0
oracle healthcare_foundation 7.3.0
oracle storagetek_acsls 8.5.1
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jdeveloper 11.1.1.9.0
oracle financial_services_asset_liability_management 8.0.6
oracle enterprise_manager_ops_center 12.4.0.0
oracle financial_services_analytical_applications_reconciliation_framework 8.1.0
oracle healthcare_foundation 7.1.1
netapp snap_creator_framework -
oracle insurance_insbridge_rating_and_underwriting *
oracle peoplesoft_enterprise_peopletools 8.58
oracle financial_services_price_creation_and_discovery 8.0.7
oracle financial_services_data_foundation *
oracle financial_services_basel_regulatory_capital_basic 8.1.0
oracle hospitality_simphony 18.1
oracle policy_automation_connector_for_siebel 10.4.6
oracle financial_services_basel_regulatory_capital_internal_ratings_based_approach *
oracle financial_services_liquidity_risk_measurement_and_management 8.0.8
oracle insurance_data_foundation *
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle insurance_accounting_analyzer 8.0.9
oracle financial_services_institutional_performance_analytics 8.0.7
netapp h700s_firmware -
tenable log_correlation_engine *
oracle weblogic_server 14.1.1.0.0
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle jdeveloper 12.2.1.4.0
oracle financial_services_loan_loss_forecasting_and_provisioning *
oracle insurance_allocation_manager_for_enterprise_profitability 8.0.8
oracle insurance_allocation_manager_for_enterprise_profitability 8.1.0
oracle financial_services_profitability_management 8.0.7
oracle financial_services_basel_regulatory_capital_basic *
oracle weblogic_server 12.2.1.4.0
oracle communications_services_gatekeeper 7.0
oracle financial_services_hedge_management_and_ifrs_valuations *
oracle siebel_ui_framework 20.8
oracle financial_services_data_integration_hub 8.0.6
oracle retail_back_office 14.1
oracle financial_services_asset_liability_management 8.1.0
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle communications_diameter_signaling_router_idih: *
CVE-2020-11023 MEDIUM

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
netapp h300e_firmware -
fedoraproject fedora 31
oracle rest_data_services 19c
netapp h500s_firmware -
netapp h410c_firmware -
oracle communications_session_report_manager 8.1.1
netapp oncommand_system_manager *
oracle storagetek_tape_analytics_sw_tool 2.3.1
oracle rest_data_services 18c
netapp h410s_firmware -
oracle communications_operations_monitor *
oracle blockchain_platform *
oracle banking_enterprise_collections *
oracle rest_data_services 12.1.0.2
oracle storagetek_acsls 8.5.1
fedoraproject fedora 33
oracle health_sciences_inform 6.3.0
netapp snapcenter_server -
oracle financial_services_revenue_management_and_billing_analytics 2.7
oracle jd_edwards_enterpriseone_orchestrator *
oracle siebel_mobile *
oracle peoplesoft_enterprise_human_capital_management_resources 9.2
netapp oncommand_insight -
oracle communications_session_route_manager 8.2.1
oracle healthcare_translational_research 3.2.1
netapp snap_creator_framework -
oracle communications_session_route_manager 8.1.1
netapp max_data -
oracle communications_operations_monitor 3.4
fedoraproject fedora 32
oracle application_express *
netapp cloud_insights_storage_workload_security_agent -
oracle communications_session_report_manager 8.2.0
oracle financial_services_revenue_management_and_billing_analytics 2.8
oracle healthcare_translational_research 3.3.2
oracle business_intelligence 5.9.0.0.0
netapp h700e_firmware -
netapp h500e_firmware -
oracle communications_session_route_manager 8.2.0
oracle oss_support_tools *
netapp hci_baseboard_management_controller -
oracle banking_platform *
oracle communications_element_manager 8.2.1
netapp h300s_firmware -
oracle weblogic_server 12.2.1.3.0
oracle communications_analytics 12.1.1
oracle weblogic_server 12.1.3.0.0
oracle primavera_gateway *
netapp h700s_firmware -
oracle communications_session_report_manager 8.2.1
oracle hyperion_financial_reporting 11.1.2.4
tenable log_correlation_engine *
oracle communications_eagle_application_processor *
oracle communications_element_manager 8.2.0
oracle weblogic_server 14.1.1.0.0
netapp cloud_backup -
oracle blockchain_platform 21.1.2
oracle healthcare_translational_research 3.4.0
debian debian_linux 9.0
oracle healthcare_translational_research 3.3.1
oracle jd_edwards_enterpriseone_tools *
oracle rest_data_services 12.2.0.1
drupal drupal *
netapp active_iq_unified_manager -
oracle webcenter_sites 12.2.1.3.0
oracle weblogic_server 12.2.1.4.0
oracle communications_services_gatekeeper 7.0
oracle rest_data_services 11.2.0.4
oracle webcenter_sites 12.2.1.4.0
oracle communications_interactive_session_recorder *
jquery jquery *
oracle communications_element_manager 8.1.1
oracle financial_services_regulatory_reporting_for_de_nederlandsche_bank 8.0.4
CVE-2020-11110 LOW

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
grafana grafana *
CVE-2020-11111 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle banking_digital_experience 20.1
oracle weblogic_server 12.2.1.3.0
oracle agile_plm 9.3.6
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle communications_session_route_manager *
fasterxml jackson-databind *
oracle primavera_unifier *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.5.0
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp steelstore_cloud_integrated_storage -
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle banking_digital_experience 19.2
oracle retail_xstore_point_of_service 18.0
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2020-11112 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-11113 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
netapp steelstore_cloud_integrated_storage -
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-11612 MEDIUM

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.3.0
oracle communications_design_studio 7.4.2
oracle siebel_core_-_server_framework *
oracle communications_cloud_native_core_service_communication_proxy 1.5.2
netapp oncommand_insight -
netapp oncommand_api_services -
netty netty *
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle webcenter_portal 12.2.1.4.0
oracle communications_messaging_server 8.1
oracle nosql_database *
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-11619 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle weblogic_server 12.2.1.3.0
oracle agile_plm 9.3.6
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle retail_sales_audit 14.1
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle primavera_unifier *
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.5.0
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle retail_xstore_point_of_service 18.0
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2020-11620 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle retail_sales_audit 14.1
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle primavera_unifier *
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle retail_xstore_point_of_service 18.0
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2020-11655 MEDIUM

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-665,

Products Affected

Vendor Product Version
oracle hyperion_infrastructure_technology 11.1.2.4
oracle instantis_enterprisetrack 17.3
netapp ontap_select_deploy_administration_utility -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle communications_session_route_manager *
debian debian_linux 9.0
oracle outside_in_technology 8.5.4
oracle instantis_enterprisetrack 17.1
tenable tenable.sc *
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
debian debian_linux 8.0
oracle communications_network_charging_and_control 6.0.1
oracle mysql *
oracle outside_in_technology 8.5.5
sqlite sqlite *
oracle instantis_enterprisetrack 17.2
oracle communications_session_report_manager *
canonical ubuntu_linux 19.10
oracle mysql_workbench *
oracle communications_messaging_server 8.1
oracle communications_network_charging_and_control *
oracle communications_element_manager *
oracle communications_network_charging_and_control 12.0.2
siemens sinec_infrastructure_network_services *
CVE-2020-11656 HIGH

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
tenable tenable.sc *
oracle hyperion_infrastructure_technology 11.1.2.4
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_network_charging_and_control 6.0.1
netapp ontap_select_deploy_administration_utility -
oracle mysql *
oracle outside_in_technology 8.5.5
sqlite sqlite *
oracle mysql_workbench *
oracle communications_messaging_server 8.1
oracle communications_network_charging_and_control *
oracle communications_network_charging_and_control 12.0.2
siemens sinec_infrastructure_network_services *
oracle outside_in_technology 8.5.4
CVE-2020-11868 MEDIUM

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-346,CWE-346,

Products Affected

Vendor Product Version
netapp all_flash_fabric-attached_storage_8300_firmware -
netapp fabric-attached_storage_8300_firmware -
netapp virtual_storage_console *
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 15.1
ntp ntp 4.2.8
netapp data_ontap -
netapp vasa_provider_for_clustered_data_ontap *
netapp fabric-attached_storage_8700_firmware -
redhat enterprise_linux 7.0
opensuse leap 15.2
netapp hci_storage_node_firmware -
netapp clustered_data_ontap -
netapp all_flash_fabric-attached_storage_a400_firmware -
netapp solidfire -
ntp ntp *
netapp fabric-attached_storage_a400_firmware -
netapp all_flash_fabric-attached_storage_8700_firmware -
CVE-2020-11884 MEDIUM

In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. A crash could also occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
fedoraproject fedora 31
fedoraproject fedora 30
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp h610c_firmware -
netapp solidfire_baseboard_management_controller -
debian debian_linux 10.0
netapp h610s_firmware -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp bootstrap_os -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-11984 HIGH

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle hyperion_infrastructure_technology 11.1.2.4
apache http_server *
fedoraproject fedora 31
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
oracle enterprise_manager_ops_center 12.4.0.0
opensuse leap 15.1
canonical ubuntu_linux 20.04
oracle instantis_enterprisetrack 17.2
oracle communications_session_report_manager *
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
oracle communications_session_route_manager *
oracle communications_element_manager *
debian debian_linux 9.0
CVE-2020-11993 MEDIUM

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle hyperion_infrastructure_technology 11.1.2.4
apache http_server *
fedoraproject fedora 31
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
oracle enterprise_manager_ops_center 12.4.0.0
opensuse leap 15.1
canonical ubuntu_linux 20.04
oracle instantis_enterprisetrack 17.2
oracle communications_session_report_manager *
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
oracle communications_session_route_manager *
oracle communications_element_manager *
CVE-2020-11996 MEDIUM

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
apache tomcat *
netapp oncommand_system_manager 3.1.3
oracle mysql_enterprise_monitor *
opensuse leap 15.1
oracle workload_manager 12.2.0.1
canonical ubuntu_linux 20.04
opensuse leap 15.2
oracle workload_manager 19c
oracle workload_manager 18c
apache tomcat 9.0.0
netapp oncommand_system_manager 3.0
oracle siebel_ui_framework *
apache tomcat 10.0.0
debian debian_linux 9.0
CVE-2020-12243 MEDIUM

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
apple mac_os_x 10.13.6
opensuse leap 15.1
broadcom brocade_fabric_operating_system -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
oracle solaris 10
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle solaris 11
netapp cloud_backup -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
debian debian_linux 10.0
apple mac_os_x 10.14.6
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 8.0
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 12.04
canonical ubuntu_linux 19.10
netapp h700e_firmware -
netapp h500e_firmware -
apple mac_os_x *
openldap openldap *
CVE-2020-12356 LOW

Out-of-bounds read in subsystem in Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-12357 MEDIUM

Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-665,

Products Affected

Vendor Product Version
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc647e_firmware *
intel bios -
netapp aff_bios -
siemens simatic_ipc547g_firmware *
netapp fas_bios -
siemens simatic_ipc427e_firmware *
netapp hci_storage_node_bios -
siemens simatic_ipc847e_firmware *
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp e-series_bios -
siemens simatic_ipc477e_pro_firmware *
netapp cloud_backup -
siemens simatic_ipc677e_firmware *
siemens simatic_ipc627e_firmware *
siemens simatic_cpu_1518-4_firmware *
siemens simatic_itp1000_firmware *
siemens simatic_ipc477e_firmware *
CVE-2020-12358 LOW

Out of bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp e-series_bios -
intel bios -
netapp aff_bios -
siemens simatic_ipc547g_firmware *
netapp cloud_backup -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-12359 MEDIUM

Insufficient control flow management in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp e-series_bios -
intel bios -
netapp aff_bios -
netapp cloud_backup -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-12360 MEDIUM

Out of bounds read in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp solidfire_bios -
siemens simatic_cpu_1518f-4_firmware *
netapp hci_compute_node_bios -
netapp e-series_bios -
intel bios -
netapp aff_bios -
siemens simatic_ipc547g_firmware *
netapp cloud_backup -
netapp fas_bios -
siemens simatic_cpu_1518-4_firmware *
netapp hci_storage_node_bios -
CVE-2020-12464 HIGH

usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h300s
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp hci_baseboard_management_controller h500s
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h615c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp cloud_backup -
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp hci_compute_node -
netapp hci_baseboard_management_controller h410s
netapp hci_storage_nodes -
netapp aff_a700s -
netapp solidfire_baseboard_management_controller -
CVE-2020-12465 HIGH

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
netapp hci_baseboard_management_controller h300s
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp hci_baseboard_management_controller h500s
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h615c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp cloud_backup -
netapp aff_baseboard_management_controller a700s
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp hci_compute_node -
netapp hci_baseboard_management_controller h410s
netapp solidfire_baseboard_management_controller -
CVE-2020-12653 MEDIUM

An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
netapp h610s_firmware -
netapp hci_compute_node_firmware -
debian debian_linux 8.0
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp a700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
netapp h610c_firmware -
CVE-2020-12659 HIGH

An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
netapp hci_baseboard_management_controller h300s
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp hci_baseboard_management_controller h500s
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h615c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp cloud_backup -
netapp aff_baseboard_management_controller a700s
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp hci_baseboard_management_controller h410s
netapp solidfire_baseboard_management_controller -
CVE-2020-12723 MEDIUM

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle configuration_manager 12.1.2.0.8
oracle tekelec_platform_distribution *
fedoraproject fedora 31
oracle communications_eagle_lnp_application_processor 10.1
oracle communications_lsms *
opensuse leap 15.1
netapp snap_creator_framework -
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle communications_billing_and_revenue_management 12.0.0.2.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_diameter_signaling_router *
oracle sd-wan_edge 9.1
perl perl *
oracle sd-wan_edge 8.2
oracle communications_eagle_application_processor *
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle sd-wan_edge 9.0
oracle communications_performance_intelligence_center *
oracle communications_eagle_lnp_application_processor 10.2
CVE-2020-12769 MEDIUM

An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-662,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 16.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
netapp h610c_firmware -
netapp h610s_firmware -
netapp hci_compute_node_firmware -
debian debian_linux 8.0
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
opensuse leap 15.2
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-12770 MEDIUM

An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
fedoraproject fedora 31
fedoraproject fedora 30
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
netapp h610c_firmware -
debian debian_linux 10.0
netapp h610s_firmware -
debian debian_linux 8.0
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp bootstrap_os -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-12771 MEDIUM

An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
netapp h610c_firmware -
netapp h610s_firmware -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
opensuse leap 15.2
oracle sd-wan_edge 8.2
netapp hci_bootstrap_os -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-12888 MEDIUM

The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
fedoraproject fedora 31
netapp solidfire_baseboard_management_controller_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
netapp h610c_firmware -
netapp h610s_firmware -
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp bootstrap_os -
fedoraproject fedora 32
opensuse leap 15.2
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-13143 MEDIUM

gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
opensuse leap 15.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
netapp h610c_firmware -
debian debian_linux 10.0
netapp h610s_firmware -
debian debian_linux 8.0
netapp hci_management_node -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp a700s_firmware -
netapp bootstrap_os -
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-13254 MEDIUM

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 8.0
djangoproject django *
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp sra_plugin -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2020-13379 MEDIUM

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
fedoraproject fedora 32
opensuse leap 15.2
fedoraproject fedora 31
opensuse backports_sle 15.0
grafana grafana *
CVE-2020-13529 LOW

An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H 1.6 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-290,CWE-290,

Products Affected

Vendor Product Version
netapp cloud_backup -
netapp active_iq_unified_manager -
fedoraproject fedora 33
systemd_project systemd 245
CVE-2020-13596 MEDIUM

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle zfs_storage_appliance_kit 8.8
djangoproject django *
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp sra_plugin -
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2020-13630 MEDIUM

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
apple macos *
apple itunes *
canonical ubuntu_linux 20.04
apple iphone_os *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apple tvos *
netapp cloud_backup -
debian debian_linux 9.0
apple icloud *
oracle outside_in_technology 8.5.4
netapp hci_compute_node_firmware -
oracle zfs_storage_appliance_kit 8.8
apple watchos *
oracle communications_network_charging_and_control 6.0.1
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle outside_in_technology 8.5.5
sqlite sqlite *
fedoraproject fedora 32
canonical ubuntu_linux 19.10
apple ipados *
oracle communications_network_charging_and_control *
siemens sinec_infrastructure_network_services *
brocade fabric_operating_system -
CVE-2020-13631 LOW

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci_compute_node_firmware -
oracle zfs_storage_appliance_kit 8.8
apple watchos *
oracle communications_network_charging_and_control 6.0.1
apple macos *
apple itunes *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle outside_in_technology 8.5.5
canonical ubuntu_linux 20.04
apple iphone_os *
sqlite sqlite *
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
apple ipados *
apple tvos *
oracle communications_network_charging_and_control *
netapp cloud_backup -
siemens sinec_infrastructure_network_services *
apple icloud *
brocade fabric_operating_system -
oracle outside_in_technology 8.5.4
CVE-2020-13632 LOW

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp hci_compute_node_firmware -
oracle zfs_storage_appliance_kit 8.8
oracle communications_network_charging_and_control 6.0.1
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle outside_in_technology 8.5.5
canonical ubuntu_linux 20.04
sqlite sqlite *
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle communications_network_charging_and_control *
netapp cloud_backup -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
brocade fabric_operating_system -
oracle outside_in_technology 8.5.4
CVE-2020-13645 MEDIUM

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
gnome glib-networking *
canonical ubuntu_linux 20.04
gnome balsa 2.6.0
fedoraproject fedora 32
canonical ubuntu_linux 19.10
broadcom fabric_operating_system -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp cloud_backup -
gnome balsa *
CVE-2020-13692 MEDIUM

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
postgresql postgresql_jdbc_driver *
quarkus quarkus *
debian debian_linux 10.0
fedoraproject fedora 32
netapp steelstore_cloud_integrated_storage -
debian debian_linux 11.0
CVE-2020-13776 MEDIUM

systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
fedoraproject fedora 32
systemd_project systemd *
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
CVE-2020-13817 MEDIUM

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,CWE-330,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
netapp ontap_tools -
opensuse leap 15.1
fujitsu m10-4_firmware *
netapp h500s_firmware -
netapp data_ontap -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp cloud_backup -
netapp solidfire -
ntp ntp *
netapp hci_compute_node_firmware -
fujitsu m10-1_firmware *
netapp hci_management_node -
ntp ntp 4.2.8
netapp steelstore_cloud_integrated_storage -
opensuse leap 15.2
netapp clustered_data_ontap -
fujitsu m10-4s_firmware *
netapp h700e_firmware -
netapp h500e_firmware -
fujitsu m12-2_firmware *
CVE-2020-13871 MEDIUM

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
oracle hyperion_infrastructure_technology 11.1.2.4
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_network_charging_and_control 6.0.1
netapp ontap_select_deploy_administration_utility -
sqlite sqlite 3.32.2
oracle mysql_workbench *
oracle communications_messaging_server 8.1
netapp cloud_backup -
fedoraproject fedora 33
oracle communications_network_charging_and_control 12.0.2
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
CVE-2020-13934 MEDIUM

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,CWE-476,

Products Affected

Vendor Product Version
apache tomcat *
oracle instantis_enterprisetrack 17.3
oracle mysql_enterprise_monitor *
opensuse leap 15.1
oracle agile_plm 9.3.5
oracle agile_plm 9.3.6
oracle workload_manager 12.2.0.1
oracle agile_engineering_data_management 6.2.1.0
netapp oncommand_system_manager *
canonical ubuntu_linux 20.04
oracle managed_file_transfer 12.2.1.3.0
oracle fmw_platform 12.2.1.3.0
oracle workload_manager 18c
apache tomcat 9.0.0
oracle siebel_ui_framework *
debian debian_linux 9.0
oracle fmw_platform 12.2.1.4.0
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle communications_instant_messaging_server 10.0.1.5.0
oracle instantis_enterprisetrack 17.2
opensuse leap 15.2
oracle managed_file_transfer 12.2.1.4.0
oracle workload_manager 19c
apache tomcat 10.0.0
oracle agile_plm 9.3.3
CVE-2020-13935 MEDIUM

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
apache tomcat *
oracle instantis_enterprisetrack 17.3
oracle mysql_enterprise_monitor *
opensuse leap 15.1
oracle commerce_guided_search 11.3.2
oracle agile_plm 9.3.5
oracle agile_plm 9.3.6
oracle workload_manager 12.2.0.1
oracle agile_engineering_data_management 6.2.1.0
netapp oncommand_system_manager *
canonical ubuntu_linux 20.04
mcafee epolicy_orchestrator 5.10.0
canonical ubuntu_linux 16.04
oracle blockchain_platform *
oracle managed_file_transfer 12.2.1.3.0
oracle fmw_platform 12.2.1.3.0
oracle workload_manager 18c
apache tomcat 9.0.0
oracle siebel_ui_framework *
mcafee epolicy_orchestrator 5.9.0
debian debian_linux 9.0
oracle fmw_platform 12.2.1.4.0
oracle communications_cloud_native_core_policy 1.14.0
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle communications_instant_messaging_server 10.0.1.5.0
mcafee epolicy_orchestrator 5.9.1
oracle instantis_enterprisetrack 17.2
opensuse leap 15.2
oracle managed_file_transfer 12.2.1.4.0
oracle workload_manager 19c
apache tomcat 10.0.0
oracle agile_plm 9.3.3
CVE-2020-13938 LOW

Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-862,

Products Affected

Vendor Product Version
mcafee epolicy_orchestrator 5.10.0
apache http_server *
mcafee epolicy_orchestrator *
netapp cloud_backup -
CVE-2020-13946 MEDIUM

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
apache cassandra *
netapp oncommand_insight -
apache cassandra 4.0.0
CVE-2020-13954 MEDIUM

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
apache cxf *
oracle communications_messaging_server 8.1
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 5.9.0.0.0
oracle business_intelligence 12.2.1.4.0
netapp vasa_provider_for_clustered_data_ontap *
oracle communications_messaging_server 8.0.2
oracle business_intelligence 5.5.0.0.0
oracle retail_order_broker_cloud_service 15.0
netapp snap_creator_framework -
CVE-2020-13956 MEDIUM

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle retail_customer_management_and_segmentation_foundation *
oracle spatial_studio *
oracle commerce_guided_search 11.3.2
oracle primavera_unifier 16.1
netapp snapcenter -
oracle peoplesoft_enterprise_pt_peopletools 8.58
oracle peoplesoft_enterprise_pt_peopletools 8.57
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle weblogic_server 14.1.1.0.0
oracle primavera_unifier 20.12
oracle primavera_unifier *
oracle nosql_database *
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.3.0
oracle jd_edwards_enterpriseone_tools *
oracle data_integrator 12.2.1.4.0
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle peoplesoft_enterprise_pt_peopletools 8.59
netapp active_iq_unified_manager -
oracle weblogic_server 12.2.1.4.0
oracle sql_developer *
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
apache httpclient *
CVE-2020-14002 MEDIUM

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp oncommand_unified_manager_core_package -
fedoraproject fedora 31
putty putty *
CVE-2020-14058 MEDIUM

An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 31
netapp cloud_manager -
squid-cache squid *
CVE-2020-14060 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle banking_digital_experience 18.3
oracle agile_plm 9.3.6
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle communications_session_route_manager *
oracle banking_digital_experience 19.1
fasterxml jackson-databind *
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle banking_digital_experience 18.2
oracle communications_contacts_server 8.0.0.5.0
CVE-2020-14061 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle communications_instant_messaging_server 10.0.1.4.0
oracle banking_digital_experience 18.3
debian debian_linux 8.0
oracle agile_plm 9.3.6
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle communications_session_route_manager *
oracle banking_digital_experience 19.1
fasterxml jackson-databind *
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle banking_digital_experience 18.2
oracle communications_contacts_server 8.0.0.5.0
CVE-2020-14062 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle banking_digital_experience 18.3
debian debian_linux 8.0
oracle agile_plm 9.3.6
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle communications_session_route_manager *
oracle banking_digital_experience 19.1
fasterxml jackson-databind *
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle banking_digital_experience 18.2
oracle communications_contacts_server 8.0.0.5.0
CVE-2020-14145 MEDIUM

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,CWE-203,

Products Affected

Vendor Product Version
openbsd openssh 8.5
netapp hci_management_node -
openbsd openssh 8.4
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp hci_storage_node -
netapp aff_a700s_firmware -
openbsd openssh *
netapp solidfire -
netapp hci_compute_node -
openbsd openssh 8.6
CVE-2020-14155 MEDIUM

libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp steelstore_cloud_integrated_storage -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
pcre pcre *
oracle communications_cloud_native_core_policy 1.15.0
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp cloud_backup -
gitlab gitlab *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2020-14195 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle communications_instant_messaging_server 10.0.1.4.0
oracle banking_digital_experience 18.3
debian debian_linux 8.0
oracle agile_plm 9.3.6
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle communications_session_route_manager *
oracle banking_digital_experience 19.1
fasterxml jackson-databind *
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle banking_digital_experience 18.2
oracle communications_contacts_server 8.0.0.5.0
CVE-2020-14301 MEDIUM

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-212,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat libvirt *
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_tus 8.4
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat codeready_linux_builder -
CVE-2020-14305 HIGH

An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp fas_500f_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
linux linux_kernel 4.12
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2020-14326 MEDIUM

A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat integration_camel_k -
netapp oncommand_insight -
redhat resteasy *
CVE-2020-14356 HIGH

A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp solidfire_baseboard_management_controller_firmware -
netapp hci_management_node -
opensuse leap 15.1
netapp active_iq_unified_manager -
canonical ubuntu_linux 20.04
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
CVE-2020-14372 MEDIUM

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-184,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
netapp cloud_backup -
fedoraproject fedora 33
CVE-2020-14539 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14540 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14547 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14550 LOW

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
mariadb mariadb *
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
CVE-2020-14553 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14556 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
secalert_us@oracle.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
fedoraproject fedora 31
oracle openjdk 11.0.4
opensuse leap 15.1
oracle jdk 11.0.7
oracle openjdk 8
canonical ubuntu_linux 20.04
oracle jre 11.0.7
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
oracle openjdk 13
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
oracle jre 14.0.1
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14559 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14562 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 11.0.7 and 14.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
fedoraproject fedora 31
opensuse leap 15.1
oracle jdk 14.0.1
oracle jdk 11.0.7
netapp e-series_santricity_web_services_proxy -
canonical ubuntu_linux 20.04
netapp e-series_santricity_storage_manager -
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 18.04
CVE-2020-14567 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14568 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14573 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 11.0.7 and 14.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
fedoraproject fedora 31
opensuse leap 15.1
oracle jdk 14.0.1
oracle jdk 11.0.7
netapp e-series_santricity_web_services_proxy -
canonical ubuntu_linux 20.04
netapp e-series_santricity_storage_manager -
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 18.04
CVE-2020-14575 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14576 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14577 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
fedoraproject fedora 31
oracle openjdk 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.7
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
canonical ubuntu_linux 20.04
oracle jre 11.0.7
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
oracle openjdk 13
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
netapp storagegrid *
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
oracle jre 14.0.1
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14578 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
oracle jdk 1.7.0
oracle openjdk 7
oracle openjdk 8
canonical ubuntu_linux 20.04
mcafee epolicy_orchestrator 5.10.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-14579 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
oracle jdk 1.7.0
oracle openjdk 7
oracle openjdk 8
canonical ubuntu_linux 20.04
mcafee epolicy_orchestrator 5.10.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-14581 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle openjdk 11.0.6
oracle openjdk 11.0.5
fedoraproject fedora 31
opensuse leap 15.1
oracle jdk 1.7.0
oracle openjdk 7
canonical ubuntu_linux 20.04
mcafee epolicy_orchestrator 5.10.0
oracle jre 11.0.7
canonical ubuntu_linux 18.04
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
netapp storagegrid *
oracle openjdk 11
oracle jdk 1.8.0
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
netapp 7-mode_transition_tool -
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle jdk 11.0.7
oracle openjdk 8
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
netapp storagegrid -
netapp cloud_backup -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11.0.7
oracle jre 14.0.1
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
opensuse leap 15.2
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14583 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0
secalert_us@oracle.com 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
fedoraproject fedora 31
oracle openjdk 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.7
oracle openjdk 7
oracle openjdk 8
canonical ubuntu_linux 20.04
oracle jre 11.0.7
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
oracle openjdk 13
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
oracle jre 14.0.1
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14586 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14591 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14593 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
fedoraproject fedora 31
oracle openjdk 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.7
oracle openjdk 7
oracle openjdk 8
canonical ubuntu_linux 20.04
oracle jre 11.0.7
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
oracle openjdk 13
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
oracle jre 14.0.1
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
opensuse leap 15.2
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14597 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14614 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14619 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14620 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14621 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle openjdk 11.0.6
oracle openjdk 11.0.5
netapp oncommand_unified_manager_core_package -
fedoraproject fedora 31
opensuse leap 15.1
oracle jdk 1.7.0
oracle openjdk 7
canonical ubuntu_linux 20.04
mcafee epolicy_orchestrator 5.10.0
oracle jre 11.0.7
oracle jre 1.7.0
canonical ubuntu_linux 18.04
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
netapp plug-in_for_symantec_netbackup -
oracle openjdk 11
oracle jdk 1.8.0
oracle jdk 14.0.1
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
netapp 7-mode_transition_tool -
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle jdk 11.0.7
oracle openjdk 8
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
netapp cloud_backup -
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11.0.7
oracle jre 14.0.1
netapp active_iq_unified_manager -
oracle openjdk 13.0.3
netapp e-series_performance_analyzer -
oracle openjdk 14
opensuse leap 15.2
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-14623 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14624 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14631 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Audit). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14632 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14633 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14634 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle mysql *
netapp snapcenter -
CVE-2020-14641 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle mysql *
netapp snapcenter -
CVE-2020-14643 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14651 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14654 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14656 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14663 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14664 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0
secalert_us@oracle.com 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
netapp 7-mode_transition_tool -
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
CVE-2020-14672 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14678 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14680 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14697 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14702 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14725 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager *
oracle mysql *
CVE-2020-14765 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
debian debian_linux 9.0
oracle mysql *
netapp snapcenter -
CVE-2020-14769 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14771 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 0.7 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14773 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14775 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14776 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mariadb mariadb *
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2020-14777 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14779 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
netapp oncommand_unified_manager_core_package -
oracle jre 11.0.8
fedoraproject fedora 31
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
oracle openjdk 13.0.3
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
fedoraproject fedora 32
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14781 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14782 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
oracle openjdk 13.0.4
mcafee epolicy_orchestrator 5.9.0
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_performance_analyzer -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
netapp e-series_santricity_management_plug-ins -
CVE-2020-14785 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14786 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14789 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
mariadb mariadb *
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14790 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14791 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 0.7 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14792 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 1.6 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
netapp oncommand_unified_manager -
mcafee epolicy_orchestrator 5.10.0
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14793 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14794 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
oracle mysql *
CVE-2020-14796 LOW

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
netapp oncommand_unified_manager -
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14797 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
netapp oncommand_unified_manager -
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14798 LOW

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 15
oracle jre 11.0.8
oracle openjdk 11.0.4
netapp santricity_cloud_connector -
oracle jdk 11.0.8
oracle jdk 1.7.0
oracle jdk 15
oracle openjdk 7
oracle openjdk 8
netapp oncommand_unified_manager -
oracle jre 1.7.0
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
oracle openjdk 13.0.4
netapp snapmanager -
debian debian_linux 9.0
oracle openjdk 11.0.1
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
oracle jdk 1.8.0
oracle openjdk 11.0.7
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle openjdk 13.0.3
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
opensuse leap 15.2
netapp hci_storage_node -
netapp 7-mode_transition_tool -
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14799 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
CVE-2020-14800 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp snapcenter_server -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
CVE-2020-14803 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle jre 11.0.8
netapp santricity_cloud_connector -
oracle jdk 1.7.0
oracle openjdk 7
oracle jre 1.7.0
oracle openjdk 13.0.4
netapp snapmanager -
oracle graalvm 20.2.0
oracle openjdk 11
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle jre 7.0
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services_proxy -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
netapp 7-mode_transition_tool -
netapp e-series_santricity_os_controller *
oracle jre 15.0
oracle graalvm 19.3.4
oracle openjdk 11.0.4
oracle jdk 11.0.8
oracle openjdk 8
netapp oncommand_unified_manager -
oracle jre 1.8.0
oracle openjdk 13
netapp solidfire -
debian debian_linux 9.0
oracle openjdk 11.0.1
oracle jdk 15.0
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11.0.7
oracle graalvm 20.3.0
oracle openjdk 13.0.3
opensuse leap 15.2
netapp hci_storage_node -
oracle jre 8.0
oracle graalvm 19.3.3
oracle jdk 8.0
oracle openjdk 13.0.1
oracle jdk 7.0
oracle openjdk 11.0.8
oracle openjdk 11.0.2
CVE-2020-14804 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14809 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14812 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
fedoraproject fedora 31
netapp oncommand_insight -
netapp active_iq_unified_manager *
fedoraproject fedora 33
debian debian_linux 9.0
oracle mysql *
netapp snapcenter -
CVE-2020-14821 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14827 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14828 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14829 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14830 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14836 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14837 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14838 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14839 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14844 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14845 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14846 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14848 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14852 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Charsets). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14853 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: NDBCluster Plugin). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.6 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 2.1 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2020-14860 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14861 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14866 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14867 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14868 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14869 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-14966 MEDIUM

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
netapp max_data -
jsrsasign_project jsrsasign *
CVE-2020-14967 HIGH

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp max_data -
jsrsasign_project jsrsasign *
CVE-2020-14968 HIGH

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp max_data -
jsrsasign_project jsrsasign *
CVE-2020-15025 MEDIUM

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
cve@mitre.org 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle zfs_storage_appliance_kit 8.8
opensuse leap 15.1
netapp 8700_firmware -
ntp ntp 4.2.8
netapp steelstore_cloud_integrated_storage -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp a400_firmware -
opensuse leap 15.2
netapp cloud_backup -
netapp 8300_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
ntp ntp *
CVE-2020-15436 HIGH

Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp fas_500f_firmware -
netapp h610s_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp aff_8700_firmware -
netapp solidfire_&_hci_management_node -
netapp h410c_firmware -
netapp aff_8300_firmware -
netapp fas_8300_firmware -
broadcom brocade_fabric_operating_system_firmware -
netapp a700s_firmware -
netapp h615c_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h610c_firmware -
netapp fas_8700_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp aff_a400_firmware -
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2020-15523 MEDIUM

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-908,

Products Affected

Vendor Product Version
python python 3.9.0
python python 3.8.4
python python *
netapp snapcenter -
CVE-2020-15707 MEDIUM

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 5.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H 0.5 5.2
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-190,CWE-362,

Products Affected

Vendor Product Version
microsoft windows_rt_8.1 -
gnu grub2 *
opensuse leap 15.1
microsoft windows_8.1 -
microsoft windows_server_2016 1909
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
microsoft windows_server_2016 1903
canonical ubuntu_linux 14.04
microsoft windows_10 1903
microsoft windows_10 1803
microsoft windows_server_2016 2004
redhat enterprise_linux 8.0
debian debian_linux 10.0
suse suse_linux_enterprise_server 12
microsoft windows_10 1909
microsoft windows_server_2019 -
microsoft windows_server_2012 -
microsoft windows_10 2004
redhat enterprise_linux_atomic_host -
suse suse_linux_enterprise_server 11
netapp active_iq_unified_manager *
microsoft windows_10 1709
microsoft windows_server_2016 -
microsoft windows_10 1809
redhat enterprise_linux 7.0
opensuse leap 15.2
suse suse_linux_enterprise_server 15
microsoft windows_10 -
microsoft windows_10 1607
microsoft windows_server_2012 r2
redhat openshift_container_platform 4.0
CVE-2020-15778 MEDIUM

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
openbsd openssh 8.3
broadcom fabric_operating_system -
netapp hci_storage_node -
netapp hci_management_node -
openbsd openssh *
netapp solidfire -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp hci_compute_node -
netapp a700s_firmware -
CVE-2020-15801 HIGH

In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-426,

Products Affected

Vendor Product Version
netapp max_data -
python python *
CVE-2020-15852 MEDIUM

An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp cloud_backup -
netapp steelstore_cloud_integrated_storage -
xen xen *
netapp solidfire_baseboard_management_controller -
CVE-2020-15861 HIGH

Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-59,CWE-59,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
netapp smi-s_provider -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
net-snmp net-snmp *
CVE-2020-15862 HIGH

Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
netapp smi-s_provider -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp cloud_backup -
netapp hci_management_node -
canonical ubuntu_linux 14.04
netapp solidfire -
canonical ubuntu_linux 12.04
net-snmp net-snmp *
CVE-2020-15999 MEDIUM

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-120,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
freetype freetype *
netapp ontap_select_deploy_administration_utility -
google chrome *
opensuse backports_sle 15.0
CVE-2020-16166 MEDIUM

The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
netapp storagegrid *
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp h410c_firmware -
netapp cloud_volumes_ontap_mediator -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle sd-wan_edge 8.2
netapp hci_bootstrap_os -
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
CVE-2020-16590 MEDIUM

A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
gnu binutils 2.35
netapp ontap_select_deploy_administration_utility -
CVE-2020-16591 MEDIUM

A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
gnu binutils 2.35
netapp ontap_select_deploy_administration_utility -
CVE-2020-16592 MEDIUM

A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
fedoraproject fedora 32
gnu binutils 2.34
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
CVE-2020-16593 MEDIUM

A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
gnu binutils 2.35
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
CVE-2020-16599 MEDIUM

A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
gnu binutils 2.35
netapp cloud_backup -
netapp hci_management_node -
netapp solidfire -
netapp ontap_select_deploy_administration_utility -
CVE-2020-1730 MEDIUM

A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 32
canonical ubuntu_linux 19.10
oracle mysql_workbench *
canonical ubuntu_linux 18.04
libssh libssh *
fedoraproject fedora 31
netapp cloud_backup -
CVE-2020-1752 LOW

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 10.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp hci_management_node -
gnu glibc *
netapp solidfire -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp h410c_firmware -
CVE-2020-17521 LOW

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle hospitality_opera_5 5.6
oracle ilearning 6.3
oracle jd_edwards_enterpriseone_orchestrator 9.2.6.0
oracle primavera_gateway *
oracle agile_plm 9.3.6
oracle retail_store_inventory_management 16.0.3.5
oracle agile_plm_mcad_connector 3.4
apache groovy *
oracle primavera_unifier 16.1
oracle agile_engineering_data_management 6.2.1.0
netapp snapcenter -
apache groovy 4.0.0
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle healthcare_data_repository 7.0.2
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle business_process_management_suite 12.2.1.3.0
oracle retail_store_inventory_management 15.0.3.5
oracle communications_brm_-_elastic_charging_engine 11.3.0.9.0
apache atlas 2.1.0
oracle primavera_unifier 20.12
oracle ilearning 6.2
oracle communications_services_gatekeeper 6.1
oracle primavera_unifier *
oracle communications_services_gatekeeper 6.0
oracle primavera_unifier 19.12
oracle communications_diameter_signaling_router 8.4.0.0
oracle insurance_policy_administration *
oracle retail_merchandising_system 16.0.3
oracle communications_services_gatekeeper 7.0
oracle retail_bulk_data_integration 15.0.3.0
oracle agile_plm_mcad_connector 3.6
oracle communications_evolved_communications_application_server 7.1
oracle business_process_management_suite 12.2.1.4.0
oracle retail_bulk_data_integration 16.0.3.0
oracle agile_plm 9.3.3
oracle retail_store_inventory_management 14.1.3.10
CVE-2020-17527 MEDIUM

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
apache tomcat *
oracle instantis_enterprisetrack 17.3
oracle mysql_enterprise_monitor *
apache tomcat 9.0.39
netapp oncommand_system_manager *
netapp element_plug-in -
oracle blockchain_platform *
oracle workload_manager 18c
apache tomcat 9.0.0
apache tomcat 9.0.35-3.39.1
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
debian debian_linux 10.0
apache tomcat 9.0.36
oracle instantis_enterprisetrack 17.1
apache tomcat 9.0.38
oracle communications_instant_messaging_server 10.0.1.5.0
apache tomcat 9.0.35-3.57.3
apache tomcat 9.0.37
oracle instantis_enterprisetrack 17.2
oracle workload_manager 19c
oracle sd-wan_edge 9.0
apache tomcat 10.0.0
CVE-2020-19144 MEDIUM

Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
simplesystems libtiff 4.0.10
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2020-19185

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-19186

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-19187

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-19188

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-19189

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-19190

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
gnu ncurses 6.1
netapp active_iq_unified_manager -
CVE-2020-1927 MEDIUM

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,CWE-601,

Products Affected

Vendor Product Version
oracle communications_element_manager 8.2.1
netapp oncommand_unified_manager_core_package -
fedoraproject fedora 31
oracle sd-wan_aware 8.2
opensuse leap 15.1
broadcom brocade_fabric_operating_system -
oracle communications_session_report_manager 8.1.1
canonical ubuntu_linux 20.04
oracle communications_session_report_manager 8.2.1
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle instantis_enterprisetrack *
oracle communications_element_manager 8.2.0
debian debian_linux 9.0
debian debian_linux 10.0
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_session_route_manager 8.2.1
oracle communications_session_route_manager 8.1.1
fedoraproject fedora 32
oracle communications_session_report_manager 8.2.0
oracle communications_element_manager 8.1.1
oracle communications_session_route_manager 8.2.0
CVE-2020-1935 MEDIUM

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
oracle communications_element_manager 8.2.1
oracle retail_order_broker 15.0
apache tomcat *
oracle hyperion_infrastructure_technology 11.1.2.4
netapp data_availability_services -
oracle mysql_enterprise_monitor *
oracle transportation_management 6.3.7
opensuse leap 15.1
oracle workload_manager 12.2.0.1
oracle agile_product_lifecycle_management 9.3.6
oracle hospitality_guest_access 4.2.1
oracle health_sciences_empirica_inspections 1.0.1.2
oracle agile_engineering_data_management 6.2.1.0
netapp oncommand_system_manager *
canonical ubuntu_linux 16.04
oracle instantis_enterprisetrack *
oracle communications_element_manager 8.2.0
oracle workload_manager 18c
apache tomcat 9.0.0
oracle siebel_ui_framework *
debian debian_linux 9.0
oracle communications_instant_messaging_server 10.0.1.4.0
oracle hospitality_guest_access 4.2.0
debian debian_linux 10.0
oracle health_sciences_empirica_signal 7.3.3
debian debian_linux 8.0
oracle agile_product_lifecycle_management 9.3.3
oracle agile_product_lifecycle_management 9.3.5
oracle workload_manager 19c
oracle communications_element_manager 8.1.1
CVE-2020-1938 HIGH

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle communications_element_manager 8.2.1
apache tomcat *
fedoraproject fedora 31
netapp data_availability_services -
oracle mysql_enterprise_monitor *
oracle transportation_management 6.3.7
fedoraproject fedora 30
opensuse leap 15.1
oracle agile_plm 9.3.5
oracle agile_plm 9.3.6
oracle workload_manager 12.2.0.1
oracle hospitality_guest_access 4.2.1
oracle health_sciences_empirica_inspections 1.0.1.2
oracle agile_engineering_data_management 6.2.1.0
netapp oncommand_system_manager *
apache geode 1.12.0
blackberry workspaces_server 8.1.0
oracle instantis_enterprisetrack *
oracle communications_element_manager 8.2.0
oracle workload_manager 18c
blackberry good_control *
oracle siebel_ui_framework *
debian debian_linux 9.0
oracle communications_instant_messaging_server 10.0.1.4.0
oracle hospitality_guest_access 4.2.0
debian debian_linux 10.0
oracle health_sciences_empirica_signal 7.3.3
debian debian_linux 8.0
blackberry workspaces_server 7.0.1
fedoraproject fedora 32
oracle workload_manager 19c
oracle agile_plm 9.3.3
oracle communications_element_manager 8.1.1
blackberry workspaces_server 9.0
blackberry workspaces_server 7.1.2
CVE-2020-1954 LOW

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle communications_diameter_signaling_router *
oracle communications_session_report_manager *
apache cxf *
oracle communications_session_route_manager *
oracle communications_element_manager *
netapp snapmanager -
oracle enterprise_manager_base_platform 13.2.1.0
oracle peoplesoft_enterprise_peopletools 8.56
oracle communications_diameter_signaling_router_idih: *
CVE-2020-1967 MEDIUM

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
oracle http_server 12.2.1.4.0
fedoraproject fedora 31
oracle mysql_enterprise_monitor *
fedoraproject fedora 30
opensuse leap 15.1
oracle enterprise_manager_for_storage_management 13.3.0.0
oracle enterprise_manager_ops_center 12.4.0
netapp snapcenter -
oracle peoplesoft_enterprise_peopletools 8.56
tenable log_correlation_engine *
jdedwards enterpriseone *
oracle mysql_connectors *
oracle application_server 12.1.3
debian debian_linux 9.0
netapp oncommand_workflow_automation -
openssl openssl *
debian debian_linux 10.0
oracle enterprise_manager_for_storage_management 13.4.0.0
freebsd freebsd 12.1
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle mysql *
netapp e-series_performance_analyzer -
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
netapp smi-s_provider -
fedoraproject fedora 32
oracle mysql_workbench *
opensuse leap 15.2
oracle peoplesoft_enterprise_peopletools 8.57
broadcom fabric_operating_system -
oracle jd_edwards_world_security a9.4
CVE-2020-1971 MEDIUM

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp manageability_software_development_kit -
oracle enterprise_session_border_controller cz8.3
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
netapp snapcenter -
oracle peoplesoft_enterprise_peopletools 8.56
nodejs node.js *
oracle communications_session_router cz8.4
netapp ef600a_firmware -
fedoraproject fedora 33
openssl openssl *
oracle communications_subscriber-aware_load_balancer cz8.2
oracle enterprise_session_border_controller cz8.4
oracle enterprise_manager_for_storage_management 13.4.0.0
netapp plug-in_for_symantec_netbackup -
oracle essbase 21.2
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_subscriber-aware_load_balancer cz8.3
oracle enterprise_communications_broker pcz3.3
oracle mysql_server *
netapp hci_management_node -
netapp oncommand_insight -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
netapp santricity_smi-s_provider -
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
oracle api_gateway 11.1.2.4.0
fedoraproject fedora 32
oracle communications_session_border_controller cz8.2
oracle enterprise_session_border_controller cz8.2
oracle business_intelligence 5.9.0.0.0
oracle jd_edwards_world_security a9.4
siemens sinec_infrastructure_network_services *
oracle enterprise_manager_base_platform 13.3.0.0
netapp clustered_data_ontap_antivirus_connector -
netapp e-series_santricity_os_controller *
oracle graalvm 19.3.4
oracle http_server 12.2.1.4.0
netapp data_ontap -
oracle communications_unified_session_manager scz8.2.5
netapp aff_a250_firmware -
tenable log_correlation_engine *
netapp solidfire -
debian debian_linux 9.0
oracle communications_session_border_controller cz8.4
netapp oncommand_workflow_automation -
oracle communications_session_router cz8.2
debian debian_linux 10.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_diameter_intelligence_hub *
oracle graalvm 20.3.0
netapp active_iq_unified_manager -
oracle communications_session_border_controller cz8.3
oracle mysql *
oracle communications_subscriber-aware_load_balancer cz8.4
oracle enterprise_communications_broker pcz3.2
oracle peoplesoft_enterprise_peopletools 8.57
netapp hci_storage_node -
oracle enterprise_communications_broker pcz3.1
tenable nessus_network_monitor *
oracle communications_session_router cz8.3
netapp hci_compute_node -
oracle business_intelligence 5.5.0.0.0
CVE-2020-24486 LOW

Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp e-series_bios -
intel bios -
netapp aff_bios -
siemens simatic_ipc547g_firmware *
netapp cloud_backup -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-24511 LOW

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-668,

Products Affected

Vendor Product Version
intel microcode *
netapp solidfire_bios -
netapp fas/aff_bios -
netapp hci_compute_node_bios -
debian debian_linux 10.0
CVE-2020-24512 LOW

Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-203,

Products Affected

Vendor Product Version
intel microcode *
netapp solidfire_bios -
netapp fas/aff_bios -
netapp hci_compute_node_bios -
debian debian_linux 10.0
CVE-2020-24616 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle communications_policy_management 12.5.0
oracle communications_contacts_server 8.0
oracle communications_unified_inventory_management 7.4.1
oracle agile_plm 9.3.6
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle communications_pricing_design_center 12.0.0.4.0
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle blockchain_platform *
fasterxml jackson-databind *
oracle siebel_ui_framework *
oracle banking_liquidity_management 14.2
oracle communications_cloud_native_core_unified_data_repository 1.4.0
debian debian_linux 9.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_contacts_server 8.0.0.5.0
oracle banking_liquidity_management 14.5
oracle banking_liquidity_management 14.3
oracle communications_calendar_server 8.0
oracle communications_instant_messaging_server 10.0.1.5.0
netapp active_iq_unified_manager -
oracle communications_services_gatekeeper 7.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle banking_supply_chain_finance 14.2
oracle communications_messaging_server 8.1
oracle identity_manager_connector 11.1.1.5.0
oracle communications_element_manager *
CVE-2020-24718 HIGH

bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
openindiana openindiana *
netapp clustered_data_ontap -
freebsd freebsd 12.0
freebsd freebsd 12.1
omniosce omnios *
freebsd freebsd 11.4
freebsd freebsd *
freebsd freebsd 11.3
CVE-2020-24977 MEDIUM

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp hci_h410c_firmware -
oracle http_server 12.2.1.4.0
oracle real_user_experience_insight 13.4.1.0
fedoraproject fedora 31
netapp manageability_software_development_kit -
opensuse leap 15.1
netapp snapdrive -
netapp inventory_collect_tool -
fedoraproject fedora 33
debian debian_linux 9.0
oracle real_user_experience_insight 13.5.1.0
oracle enterprise_manager_ops_center 12.4.0.0
netapp active_iq_unified_manager *
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
fedoraproject fedora 32
oracle mysql_workbench *
opensuse leap 15.2
xmlsoft libxml2 2.9.10
netapp clustered_data_ontap -
oracle http_server 12.2.1.3.0
netapp clustered_data_ontap_antivirus_connector -
CVE-2020-25097 MEDIUM

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3.9 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-444,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
netapp cloud_manager -
fedoraproject fedora 33
fedoraproject fedora 34
squid-cache squid *
CVE-2020-25221 HIGH

get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference counting (caused by gate page mishandling) of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that can use ptrace() or process_vm_readv(), aka CID-9fa2dd946743.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-672,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp hci_compute_node -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp solidfire_baseboard_management_controller -
CVE-2020-25632 HIGH

A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2020-25643 HIGH

A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
opensuse leap 15.2
linux linux_kernel *
opensuse leap 15.1
linux linux_kernel 5.9.0
netapp h410c_firmware -
debian debian_linux 9.0
starwindsoftware starwind_virtual_san v8
CVE-2020-25644 MEDIUM

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,CWE-401,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat jboss_enterprise_application_platform 7.0.0
redhat single_sign-on 7.0
redhat wildfly_openssl *
redhat data_grid 8.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat jboss_data_grid 7.0.0
netapp oncommand_insight -
netapp service_level_manager -
CVE-2020-25645 MEDIUM

A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
opensuse leap 15.1
canonical ubuntu_linux 20.04
netapp hci_compute_node_bios -
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
linux linux_kernel 5.9.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2020-25647 HIGH

A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2020-25649 MEDIUM

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_xstore_point_of_service 20.0.1
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle coherence 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle banking_apis 19.1
oracle communications_offline_mediation_controller 12.0.0.3
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle communications_messaging_server 8.0.2
oracle utilities_framework 4.3.0.6.0
oracle banking_platform 2.7.1
oracle banking_apis 20.1
oracle communications_evolved_communications_application_server 7.1
fedoraproject fedora 32
oracle utilities_framework 4.3.0.5.0
oracle coherence 14.1.1.0.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_apis 21.1
oracle banking_platform 2.7.0
oracle retail_xstore_point_of_service 16.0.6
oracle agile_product_lifecycle_management_integration_pack 3.6
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle communications_interactive_session_recorder 6.3
oracle banking_platform 2.10.0
oracle banking_platform 2.8.0
netapp oncommand_api_services -
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle health_sciences_empirica_signal 9.1
oracle utilities_framework 4.4.0.0.0
oracle communications_interactive_session_recorder 6.4
oracle communications_billing_and_revenue_management 7.5.0.23.0
netapp oncommand_workflow_automation -
oracle utilities_framework 4.4.0.2.0
oracle banking_apis *
oracle webcenter_portal 12.2.1.3.0
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_platform 2.9.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
quarkus quarkus *
oracle health_sciences_empirica_signal 9.0
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle retail_service_backbone 16.0.3
oracle retail_service_backbone 15.0.3.1
oracle sd-wan_edge 9.0
apache iotdb *
oracle banking_apis 19.2
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-25668 MEDIUM

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-662,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp 500f_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
netapp a250_firmware -
CVE-2020-25669 HIGH

A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
netapp solidfire_baseboard_management_controller -
CVE-2020-25670 HIGH

A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 32
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2020-25671 HIGH

A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 32
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2020-25672 MEDIUM

A memory leak vulnerability was found in Linux kernel in llcp_sock_connect

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 32
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2020-25673 MEDIUM

A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 32
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2020-25689 MEDIUM

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,CWE-401,

Products Affected

Vendor Product Version
redhat wildfly *
redhat jboss_enterprise_application_platform 7.0.0
redhat single_sign-on 7.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat jboss_data_grid 7.0.0
redhat fuse 6.0.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp service_level_manager -
CVE-2020-25692 MEDIUM

A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 5.0
netapp solidfire_baseboard_management_controller_firmware -
netapp cloud_backup -
openldap openldap *
CVE-2020-25711 MEDIUM

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-862,

Products Affected

Vendor Product Version
redhat data_grid 8.0
infinispan infinispan *
netapp active_iq_unified_manager -
CVE-2020-2572 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plugin). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2573 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2574 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2577 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2579 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2580 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2583 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle openjdk 11.0.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 13.0.1
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
mcafee epolicy_orchestrator 5.9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
oracle openjdk 11
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle jre 11.0.5
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle openjdk 8
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 13.0.1
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-2584 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2585 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
netapp e-series_santricity_storage_manager -
oracle jre 1.8.0
netapp cloud_backup -
netapp e-series_santricity_management_plug-ins -
CVE-2020-2588 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2589 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.28 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2590 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle openjdk 11.0.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 13.0.1
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
mcafee epolicy_orchestrator 5.9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
oracle openjdk 11
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle jre 11.0.5
netapp e-series_santricity_os_controller *
redhat enterprise_linux_tus 7.7
oracle openjdk 11.0.4
oracle openjdk 8
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 13.0.1
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
canonical ubuntu_linux 19.10
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-2593 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
oracle openjdk 11.0.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 13.0.1
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 18.04
netapp e-series_santricity_management -
mcafee epolicy_orchestrator 5.9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
oracle openjdk 11
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle jre 11.0.5
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle openjdk 8
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 13.0.1
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-2601 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N 2.2 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 13.0.1
oracle openjdk 11.0.4
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
oracle openjdk 8
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp e-series_santricity_management -
oracle openjdk 13
debian debian_linux 9.0
oracle openjdk 11.0.1
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle openjdk 11
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle jdk 13.0.1
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
oracle jre 11.0.5
oracle openjdk 13.0.1
oracle openjdk 11.0.2
CVE-2020-2604 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle commerce_experience_manager 11.3.2
opensuse leap 15.1
oracle commerce_guided_search 11.3.2
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
oracle openjdk 8
redhat enterprise_linux_server 6.0
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
mcafee epolicy_orchestrator 5.9.0
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
oracle graalvm 19.3.0.2
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
oracle jdk 13.0.1
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services_proxy -
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2020-26116 MEDIUM

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
fedoraproject fedora 31
oracle zfs_storage_appliance_kit 8.8
opensuse leap 15.1
canonical ubuntu_linux 12.04
fedoraproject fedora 32
netapp hci_storage_node -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
netapp solidfire -
python python *
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-26217 HIGH

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 1.3 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle endeca_information_discovery_studio 3.2.0.0
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle banking_cash_management 14.5
oracle banking_trade_finance_process_management 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
apache activemq 5.15.4
oracle banking_cash_management 14.2
oracle business_activity_monitoring 12.2.1.3.0
apache activemq *
netapp snapmanager -
debian debian_linux 9.0
debian debian_linux 10.0
oracle banking_corporate_lending_process_management 14.5
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
oracle banking_trade_finance_process_management 14.5
oracle banking_supply_chain_finance 14.2
oracle banking_trade_finance_process_management 14.3
oracle banking_cash_management 14.3
oracle banking_corporate_lending_process_management 14.3
oracle banking_credit_facilities_process_management 14.2
netapp snapmanager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2020-2627 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2654 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux 6.0
oracle openjdk 11.0.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
oracle jre 13.0.1
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle jdk 11.0.5
oracle openjdk 7
mcafee epolicy_orchestrator 5.10.0
redhat enterprise_linux_desktop 6.0
oracle jre 1.7.0
canonical ubuntu_linux 18.04
mcafee epolicy_orchestrator 5.9.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
oracle openjdk 11
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp e-series_santricity_web_services_proxy -
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle jre 11.0.5
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle openjdk 8
canonical ubuntu_linux 16.04
oracle jre 1.8.0
oracle openjdk 13
debian debian_linux 9.0
oracle openjdk 11.0.1
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 13.0.1
redhat enterprise_linux 7.0
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
oracle openjdk 13.0.1
oracle openjdk 11.0.2
netapp e-series_santricity_management_plug-ins -
CVE-2020-2659 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 7.0
netapp e-series_santricity_os_controller *
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
opensuse leap 15.1
oracle jdk 1.7.0
redhat enterprise_linux_desktop 7.0
oracle openjdk 7
oracle openjdk 8
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
redhat enterprise_linux_workstation 7.0
netapp santricity_unified_manager -
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services_proxy -
netapp e-series_performance_analyzer -
redhat enterprise_linux_eus 7.7
netapp e-series_santricity_storage_manager -
canonical ubuntu_linux 19.10
redhat enterprise_linux_server_tus 7.7
netapp e-series_santricity_management_plug-ins -
CVE-2020-2660 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2679 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2686 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2694 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.18 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-27216 MEDIUM

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-378,CWE-379,NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle flexcube_core_banking *
netapp storage_replication_adapter *
netapp snapcenter -
oracle communications_pricing_design_center 12.0.0.3.0
oracle communications_application_session_controller 3.9m0p2
apache beam 2.25.0
netapp vasa_provider *
eclipse jetty 10.0.0
apache beam 2.21.0
eclipse jetty 11.0.0
debian debian_linux 9.0
apache beam 2.24.0
debian debian_linux 10.0
netapp virtual_storage_console *
oracle jd_edwards_enterpriseone_tools *
oracle siebel_core_-_automation *
oracle flexcube_private_banking 12.1.0
netapp snap_creator_framework -
oracle communications_services_gatekeeper 7.0
eclipse jetty *
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle flexcube_private_banking 12.0.0
apache beam 2.22.0
apache beam 2.23.0
oracle communications_converged_application_server_-_service_controller 6.2
oracle communications_element_manager *
CVE-2020-27218 MEDIUM

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-226,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle siebel_core_-_automation *
oracle flexcube_private_banking 12.1.0
netapp snap_creator_framework -
netapp oncommand_system_manager *
oracle communications_services_gatekeeper 7.0
oracle communications_pricing_design_center 12.0.0.3.0
eclipse jetty *
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle flexcube_private_banking 12.0.0
oracle blockchain_platform *
oracle communications_session_route_manager *
eclipse jetty 10.0.0
apache spark 3.0.3
oracle communications_converged_application_server_-_service_controller 6.2
oracle hyperion_infrastructure_technology 11.1.2.6.0
apache spark 2.4.8
oracle retail_eftlink 20.0.0
apache kafka 2.7.0
eclipse jetty 11.0.0
oracle rest_data_services *
CVE-2020-27223 MEDIUM

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-407,CWE-400,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
eclipse jetty 9.4.36
debian debian_linux 10.0
netapp element_plug-in_for_vcenter_server -
eclipse jetty 9.4.6
netapp hci_management_node -
apache spark 3.1.1
netapp e-series_santricity_web_services -
netapp snapcenter -
netapp snap_creator_framework -
netapp management_services_for_element_software -
eclipse jetty *
apache solr 8.8.1
netapp hci -
apache nifi 1.13.0
eclipse jetty 10.0.0
netapp solidfire -
netapp snapmanager -
eclipse jetty 11.0.0
oracle rest_data_services *
CVE-2020-27350 MEDIUM

APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 5.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 1.5 3.7
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 1.5 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
debian advanced_package_tool *
CVE-2020-2752 LOW

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
fedoraproject fedora 31
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2754 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 14.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
debian debian_linux 10.0
netapp storagegrid *
oracle jre 11.0.6
oracle jdk 1.8.0
oracle openjdk *
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
CVE-2020-2755 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 14.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2756 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-755,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
mcafee epolicy_orchestrator *
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2757 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-755,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
mcafee epolicy_orchestrator *
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2759 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2760 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2761 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-27618 LOW

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
gnu glibc *
netapp ontap_select_deploy_administration_utility -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp 500f_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp a250_firmware -
CVE-2020-2762 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2763 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2765 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2767 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
opensuse leap 15.1
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
canonical ubuntu_linux 19.10
netapp 7-mode_transition_tool -
CVE-2020-2768 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Cluster as well as unauthorized update, insert or delete access to some of MySQL Cluster accessible data. CVSS 3.0 Base Score 6.3 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H 2.1 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2770 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2773 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
mcafee epolicy_orchestrator 5.9.0
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
mcafee epolicy_orchestrator 5.9.1
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-27730 HIGH

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
netapp cloud_backup -
f5 nginx_controller 1.0.1
f5 nginx_controller *
CVE-2020-2774 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-27749 HIGH

A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2020-27779 MEDIUM

A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2020-2778 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
opensuse leap 15.1
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
canonical ubuntu_linux 19.10
netapp 7-mode_transition_tool -
CVE-2020-27783 MEDIUM

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
oracle communications_offline_mediation_controller 12.0.0.3.0
debian debian_linux 10.0
fedoraproject fedora 32
oracle zfs_storage_appliance_kit 8.8
lxml lxml *
redhat software_collections -
fedoraproject fedora 33
debian debian_linux 9.0
netapp snapcenter -
CVE-2020-27786 HIGH

A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
redhat openshift_container_platform 4.6
linux linux_kernel *
linux linux_kernel 5.7
netapp cloud_backup -
redhat enterprise_mrg 2.0
redhat openshift_container_platform 4.5
redhat openshift_container_platform 4.4
netapp solidfire_baseboard_management_controller -
CVE-2020-2779 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2780 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2781 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
mcafee threat_intelligence_exchange_server 2.0.0
mcafee threat_intelligence_exchange_server 2.1.0
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
mcafee threat_intelligence_exchange_server 2.1.1
netapp oncommand_insight -
oracle openjdk *
mcafee threat_intelligence_exchange_server 2.0.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
mcafee threat_intelligence_exchange_server 3.0.0
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
mcafee threat_intelligence_exchange_server 2.3.0
mcafee threat_intelligence_exchange_server 2.3.1
mcafee threat_intelligence_exchange_server 2.2.0
CVE-2020-27815 MEDIUM

A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
linux linux_kernel 5.9.6
netapp h410c_firmware -
netapp aff_a250_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp fas500f_firmware -
linux linux_kernel *
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2020-27825 MEDIUM

A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H 0.5 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel 5.10
netapp cloud_backup -
redhat enterprise_mrg 2.0
netapp h410c_firmware -
debian debian_linux 9.0
CVE-2020-2790 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 5.7.28 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2800 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2803 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2804 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2805 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
debian debian_linux 9.0
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
CVE-2020-2806 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.28 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-28097 LOW

The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 0.7 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2020-2812 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 10.0
fedoraproject fedora 31
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
debian debian_linux 9.0
CVE-2020-2814 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 10.0
fedoraproject fedora 31
debian debian_linux 8.0
fedoraproject fedora 30
opensuse leap 15.1
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
fedoraproject fedora 32
debian debian_linux 9.0
CVE-2020-2816 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
opensuse leap 15.1
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
netapp e-series_performance_analyzer -
oracle openjdk 14
canonical ubuntu_linux 19.10
netapp 7-mode_transition_tool -
CVE-2020-28196 MEDIUM

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
oracle communications_offline_mediation_controller 12.0.0.3.0
netapp oncommand_workflow_automation -
fedoraproject fedora 31
oracle mysql_server *
netapp cloud_backup -
netapp oncommand_insight -
netapp active_iq_unified_manager -
mit kerberos_5 *
netapp snapcenter -
oracle communications_pricing_design_center 12.0.0.3.0
CVE-2020-2830 MEDIUM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 31
fedoraproject fedora 30
opensuse leap 15.1
oracle jdk 1.7.0
oracle jdk 11.0.6
oracle openjdk 7
oracle openjdk 8
oracle jre 14.0.0
oracle jre 1.7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle jre 1.8.0
netapp storagegrid -
netapp cloud_backup -
netapp snapmanager -
oracle jdk 14.0.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp plug-in_for_symantec_netbackup -
netapp santricity_unified_manager -
netapp storagegrid *
oracle jre 11.0.6
debian debian_linux 8.0
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager *
netapp e-series_santricity_web_services -
mcafee threat_intelligence_exchange_server 3.0.0
mcafee threat_intelligence_exchange_server *
netapp e-series_performance_analyzer -
oracle openjdk 14
fedoraproject fedora 32
canonical ubuntu_linux 19.10
opensuse leap 15.2
netapp 7-mode_transition_tool -
mcafee threat_intelligence_exchange_server 2.3.1
CVE-2020-28362 MEDIUM

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
fedoraproject fedora 32
netapp trident -
fedoraproject fedora 33
golang go *
CVE-2020-28366 MEDIUM

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
fedoraproject fedora 32
netapp trident -
fedoraproject fedora 33
golang go *
CVE-2020-2853 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2892 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2893 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2895 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2896 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2897 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2898 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Charsets). The supported version that is affected is 8.0.19. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2020-2901 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2903 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2904 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2922 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
canonical ubuntu_linux 20.04
mariadb mariadb *
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
CVE-2020-2923 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2924 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2925 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-2930 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.19 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 31
fedoraproject fedora 30
netapp oncommand_insight -
netapp active_iq_unified_manager *
oracle mysql *
netapp snapcenter -
canonical ubuntu_linux 20.04
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-29368 MEDIUM

An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp element_software -
netapp hci_bootstrap_os -
linux linux_kernel *
netapp cloud_backup -
netapp hci_management_node -
netapp solidfire -
netapp h410c_firmware -
CVE-2020-29369 MEDIUM

An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp hci_storage_node -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
netapp hci_compute_node -
CVE-2020-29370 MEDIUM

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp h410c_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
CVE-2020-29374 LOW

An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access, aka CID-17839856fd58.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.6 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N 1.0 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,CWE-863,

Products Affected

Vendor Product Version
netapp hci_compute_node_bios -
debian debian_linux 10.0
netapp 500f_firmware -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
netapp h410c_firmware -
debian debian_linux 9.0
netapp a250_firmware -
CVE-2020-29509 MEDIUM

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4
responsibledisclosure@mattermost.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-115,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp trident -
golang go *
CVE-2020-29510 MEDIUM

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
responsibledisclosure@mattermost.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-115,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp trident -
golang go *
CVE-2020-29511 MEDIUM

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4
responsibledisclosure@mattermost.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-115,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp trident -
golang go *
CVE-2020-29562 LOW

The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 32
gnu glibc *
CVE-2020-29569 HIGH

An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp hci_compute_node_bios -
debian debian_linux 10.0
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
xen xen *
debian debian_linux 9.0
CVE-2020-29573 MEDIUM

sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.0
netapp cloud_backup -
gnu glibc *
netapp solidfire_baseboard_management_controller -
CVE-2020-29660 LOW

A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,CWE-667,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
netapp 8700_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp a700s_firmware -
netapp a400_firmware -
fedoraproject fedora 32
broadcom fabric_operating_system -
linux linux_kernel *
netapp 8300_firmware -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-29661 HIGH

A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-667,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle tekelec_platform_distribution *
netapp solidfire_baseboard_management_controller_firmware -
netapp 8700_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp a700s_firmware -
netapp a400_firmware -
fedoraproject fedora 32
broadcom fabric_operating_system -
linux linux_kernel *
netapp 8300_firmware -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-35448 MEDIUM

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
gnu binutils 2.35.1
CVE-2020-35490 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.6.2
oracle agile_plm 9.3.6
oracle communications_interactive_session_recorder 6.3
oracle banking_platform 2.10.0
oracle banking_platform 2.8.0
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_diameter_signaling_router *
oracle retail_merchandising_system 15.0.3
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle documaker 12.6.3
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_interactive_session_recorder 6.4
debian debian_linux 9.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
oracle banking_platform 2.9.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_virtual_account_management 14.5.0
oracle insurance_policy_administration_j2ee 11.2.0
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
oracle communications_evolved_communications_application_server 7.1
oracle banking_platform 2.7.0
oracle banking_treasury_management 14.4
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2020-35491 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.6.2
oracle agile_plm 9.3.6
oracle banking_platform 2.10.0
oracle banking_platform 2.8.0
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle retail_xstore_point_of_service 18.0.3
oracle retail_merchandising_system 15.0.3
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle documaker 12.6.3
oracle communications_cloud_native_core_unified_data_repository 1.4.0
debian debian_linux 9.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle communications_diameter_signaling_route *
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
oracle banking_platform 2.9.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle banking_virtual_account_management 14.5.0
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2
oracle banking_platform 2.7.0
oracle sd-wan_edge 9.0
oracle banking_treasury_management 14.4
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 16.0.6
oracle communications_diameter_signaling_route -
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2020-35493 MEDIUM

A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
broadcom brocade_fabric_operating_system_firmware -
CVE-2020-35494 MEDIUM

There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 1.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
broadcom brocade_fabric_operating_system_firmware -
CVE-2020-35495 MEDIUM

There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
broadcom brocade_fabric_operating_system_firmware -
CVE-2020-35496 MEDIUM

There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
broadcom brocade_fabric_operating_system_firmware -
CVE-2020-35507 MEDIUM

There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
broadcom brocade_fabric_operating_system -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
CVE-2020-35508 MEDIUM

A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.0 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-665,CWE-362,CWE-665,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
linux linux_kernel 5.12
netapp h610s_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp a700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp brocade_fabric_operating_system_firmware -
linux linux_kernel *
netapp fas8700_firmware -
netapp fas8300_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp h610c_firmware -
netapp aff_a400_firmware -
CVE-2020-35519 MEDIUM

An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2020-35521 MEDIUM

A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
libtiff libtiff *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
CVE-2020-35522 MEDIUM

In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
libtiff libtiff *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
CVE-2020-35523 MEDIUM

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
libtiff libtiff *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2020-35524 MEDIUM

A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
libtiff libtiff *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-35527

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.

Products Affected

Vendor Product Version
sqlite sqlite 3.31.1
netapp ontap_select_deploy_administration_utility -
CVE-2020-35728 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle autovue 21.0.2
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle banking_treasury_management 14.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36158 HIGH

mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2020-36179 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle banking_treasury_management 14.4
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-36180 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36181 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36182 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36183 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36184 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36185 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36186 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36187 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36188 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle banking_credit_facilities_process_management 14.5
oracle communications_policy_management 12.5.0
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle banking_treasury_management 4.4
oracle retail_xstore_point_of_service 19.0.2
oracle primavera_unifier 17.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle data_integrator 12.2.1.4.0
oracle banking_extensibility_workbench 14.5
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle banking_virtual_account_management 14.5.0
oracle communications_evolved_communications_application_server 7.1
oracle banking_supply_chain_finance 14.2
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_credit_facilities_process_management 14.2
oracle communications_element_manager *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_service_backbone 16.0.3.0
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_supply_chain_finance 14.3
oracle banking_supply_chain_finance 14.5
oracle banking_corporate_lending_process_management 14.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_extensibility_workbench 14.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle communications_diameter_signaling_route *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_corporate_lending_process_management 14.5
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle documaker 12.6.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle banking_credit_facilities_process_management 14.3
oracle communications_session_report_manager *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 15.0.3.1
oracle banking_corporate_lending_process_management 14.3
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
oracle banking_extensibility_workbench 14.3
CVE-2020-36189 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 14.1.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.0.2
oracle communications_pricing_design_center 12.0.0.4.0
netapp service_level_manager -
oracle communications_diameter_signaling_router *
oracle retail_merchandising_system 15.0.3
oracle primavera_unifier 18.8
oracle blockchain_platform *
oracle webcenter_portal 12.2.1.4.0
fasterxml jackson-databind *
oracle primavera_gateway 20.12.0
oracle primavera_unifier 20.12
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_cloud_native_core_policy 1.14.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle commerce_platform *
oracle goldengate_application_adapters 19.1.0.0.0
oracle retail_xstore_point_of_service 19.0.2
oracle communications_network_charging_and_control 12.0.4.0.0
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle insurance_policy_administration *
oracle communications_messaging_server 8.0.2
oracle banking_virtual_account_management 14.5.0
oracle banking_platform 2.7.1
oracle communications_evolved_communications_application_server 7.1
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle banking_platform 2.7.0
oracle retail_xstore_point_of_service 16.0.6
oracle banking_virtual_account_management 14.2.0
oracle retail_customer_management_and_segmentation_foundation *
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle communications_interactive_session_recorder 6.3
oracle banking_platform 2.10.0
oracle banking_platform 2.8.0
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle retail_xstore_point_of_service 18.0.3
oracle communications_session_route_manager *
oracle documaker 12.6.3
netapp cloud_backup -
oracle primavera_unifier *
oracle communications_interactive_session_recorder 6.4
debian debian_linux 9.0
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle commerce_platform 11.2.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_platform 2.9.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle insurance_rules_palette *
oracle communications_services_gatekeeper 7.0
oracle banking_virtual_account_management 14.3.0
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle retail_service_backbone 16.0.3
oracle retail_service_backbone 15.0.3.1
oracle banking_treasury_management 14.4
oracle documaker 12.6.4
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-36328 HIGH

A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
webmproject libwebp *
apple iphone_os 14.7
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
apple ipados 14.7
CVE-2020-36329 HIGH

A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
apple iphone_os *
debian debian_linux 10.0
webmproject libwebp *
apple ipados *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2020-36330 MEDIUM

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
apple iphone_os *
debian debian_linux 10.0
webmproject libwebp *
apple ipados *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2020-36331 MEDIUM

A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
apple iphone_os *
debian debian_linux 10.0
webmproject libwebp *
apple ipados *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2020-36332 MEDIUM

A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-400,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
webmproject libwebp *
netapp ontap_select_deploy_administration_utility -
CVE-2020-36385 MEDIUM

An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
starwindsoftware starwind_san_&_nas v8r12
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
starwindsoftware starwind_virtual_san v8
CVE-2020-36387 HIGH

An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2020-36516 MEDIUM

An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp cloud_volumes_ontap_mediator -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
netapp h610c_firmware -
netapp baseboard_management_controller_h615c_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h610c_firmware -
netapp h610s_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp baseboard_management_controller_h300e_firmware -
netapp baseboard_management_controller_h610s_firmware -
netapp bootstrap_os -
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-36518 MEDIUM

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle commerce_platform 11.3.1
oracle financial_services_trade-based_anti_money_laundering 8.0.8
oracle health_sciences_empirica_signal 9.1.0.5.2
fasterxml jackson-databind *
oracle graph_server_and_client *
oracle primavera_unifier 20.12
oracle communications_billing_and_revenue_management *
oracle global_lifecycle_management_opatch *
oracle primavera_unifier 21.12
oracle retail_sales_audit 15.0.3.1
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle communications_cloud_native_core_console 1.9.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle communications_cloud_native_core_network_slice_selection_function 22.1.1
oracle utilities_framework 4.4.0.5.0
oracle utilities_framework 4.3.0.6.0
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
netapp snap_creator_framework -
oracle communications_cloud_native_core_network_repository_function 22.1.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle utilities_framework 4.3.0.5.0
oracle sd-wan_edge 9.1
oracle coherence 14.1.1.0.0
oracle communications_cloud_native_core_network_slice_selection_function 22.1.0
oracle primavera_unifier 18.0
oracle communications_cloud_native_core_service_communication_proxy 22.2.0
oracle spatial_studio *
oracle financial_services_analytical_applications_infrastructure *
oracle financial_services_trade-based_anti_money_laundering 8.0.7
oracle financial_services_enterprise_case_management 8.0.8.1
oracle weblogic_server 12.2.1.3.0
netapp cloud_insights_acquisition_unit -
oracle primavera_gateway *
oracle financial_services_behavior_detection_platform 8.0.7.0.0
oracle global_lifecycle_management_nextgen_oui_framework *
debian debian_linux 11.0
oracle utilities_framework 4.4.0.3.0
oracle financial_services_analytical_applications_infrastructure 8.1.1.0
oracle weblogic_server 14.1.1.0.0
oracle utilities_framework 4.4.0.0.0
oracle financial_services_enterprise_case_management *
oracle primavera_unifier *
oracle financial_services_behavior_detection_platform 8.0.8
oracle financial_services_enterprise_case_management 8.0.8.0
debian debian_linux 9.0
oracle communications_cloud_native_core_unified_data_repository 22.2.0
oracle commerce_platform 11.3.0
netapp oncommand_workflow_automation -
oracle utilities_framework 4.4.0.2.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle financial_services_analytical_applications_infrastructure 8.1.2.1
debian debian_linux 10.0
oracle primavera_unifier 19.12
oracle communications_cloud_native_core_network_repository_function 22.2.0
netapp active_iq_unified_manager -
oracle weblogic_server 12.2.1.4.0
oracle financial_services_analytical_applications_infrastructure 8.1.2.0
oracle financial_services_enterprise_case_management 8.0.7.2
oracle primavera_p6_enterprise_project_portfolio_management *
oracle big_data_spatial_and_graph *
oracle commerce_platform 11.3.2
oracle sd-wan_edge 9.0
oracle financial_services_behavior_detection_platform *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle financial_services_enterprise_case_management 8.0.7.1
CVE-2020-4051 LOW

In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 1.2 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
debian debian_linux 10.0
openjsf dijit *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2020-4135 MEDIUM

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
netapp oncommand_insight -
ibm db2 9.7
ibm db2 11.1
ibm db2 11.5
CVE-2020-4300 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 176607.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2020-4301

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2020-4354 LOW

IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178506.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2020-4520 MEDIUM

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to inject malicious HTML code that when viewed by the authenticated victim would execute the code. IBM X-Force ID: 182395.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2020-4561 HIGH

IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-829,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.0
ibm cognos_analytics 11.0.0
netapp oncommand_insight -
CVE-2020-4951 LOW

IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
CVE-2020-4976 LOW

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to read and write specific files due to weak file permissions. IBM X-Force ID: 192469.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 1.8 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-276,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
ibm db2 *
netapp oncommand_insight -
ibm db2 9.7
CVE-2020-5024 MEDIUM

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a hang in the SSL handshake response. IBM X-Force ID: 193660.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
ibm db2 *
netapp oncommand_insight -
ibm db2 9.7
CVE-2020-5025 HIGH

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 db2fm is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 193661.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
ibm db2 *
netapp oncommand_insight -
ibm db2 9.7
CVE-2020-5398 HIGH

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-79,CWE-494,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle communications_policy_management 12.5.0
oracle insurance_policy_administration_j2ee 11.1.0
oracle retail_financial_integration 16.0
oracle insurance_policy_administration_j2ee 10.2.0
oracle retail_integration_bus 15.0.3
oracle insurance_rules_palette 11.0.2
oracle insurance_rules_palette 11.1.0
oracle communications_session_report_manager 8.1.1
netapp snapcenter -
oracle communications_diameter_signaling_router *
oracle healthcare_master_person_index 4.0.2
oracle retail_returns_management 14.1
oracle insurance_rules_palette 10.2.4
oracle retail_assortment_planning 16.0
oracle insurance_rules_palette 11.2.0
oracle insurance_policy_administration_j2ee 11.2.2.0
oracle retail_predictive_application_server 14.1.3.0
oracle communications_session_route_manager 8.2.1
oracle rapid_planning 12.1
oracle insurance_policy_administration_j2ee 11.2.0
oracle communications_session_route_manager 8.1.1
oracle retail_order_broker 16.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle flexcube_private_banking 12.0.0
oracle retail_financial_integration 15.0
oracle financial_services_regulatory_reporting_with_agilereporter 8.0.9.2.0
vmware spring_framework *
oracle insurance_policy_administration_j2ee 11.0.2
oracle communications_session_report_manager 8.2.0
oracle retail_bulk_data_integration 16.0.3.0
oracle communications_cloud_native_core_policy 1.5.0
oracle communications_session_route_manager 8.2.0
oracle insurance_rules_palette 10.2.0
oracle retail_integration_bus 16.0.3
oracle communications_element_manager 8.2.1
oracle retail_order_broker 15.0
oracle retail_central_office 14.1
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
netapp data_availability_services -
oracle retail_assortment_planning 15.0
oracle retail_point-of-service 14.1
oracle insurance_calculation_engine *
oracle communications_session_report_manager 8.2.1
oracle siebel_engineering_-_installer_&_deployment *
oracle insurance_policy_administration_j2ee 10.2.4
oracle communications_element_manager 8.2.0
oracle rapid_planning 12.2
oracle enterprise_manager_base_platform 13.2.1.0
oracle flexcube_private_banking 12.1.0
oracle retail_service_backbone 16.0
oracle mysql *
oracle weblogic_server 12.2.1.4.0
oracle retail_back_office 14.1
oracle retail_predictive_application_server 16.0.3.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
oracle retail_predictive_application_server 15.0.3
oracle retail_predictive_application_server 14.0.3
oracle communications_element_manager 8.1.1
CVE-2020-5421 LOW

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N 1.3 4.7

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle hyperion_infrastructure_technology 11.1.2.4
oracle retail_financial_integration 15.0.3
oracle commerce_guided_search 11.3.2
oracle retail_integration_bus 15.0.3
oracle insurance_rules_palette 11.0.2
netapp snapcenter -
oracle communications_brm 12.0.0.3
oracle weblogic_server 10.3.6.0.0
oracle retail_returns_management 14.1
oracle endeca_information_discovery_integrator 3.2.0
oracle storagetek_acsls 8.5.1
oracle retail_predictive_application_server 14.1
oracle retail_invoice_matching 14.0
oracle insurance_rules_palette 10.2.4
oracle goldengate_application_adapters 19.1.0.0.0
oracle retail_service_backbone 15.0.3
oracle retail_xstore_point_of_service 19.0.2
oracle retail_integration_bus 14.1.3
oracle fusion_middleware 12.2.1.3.0
netapp oncommand_insight -
oracle insurance_policy_administration *
oracle insurance_policy_administration 10.2
netapp snap_creator_framework -
oracle retail_order_broker 16.0
oracle flexcube_private_banking 12.0.0
oracle retail_assortment_planning 16.0.3.0
oracle insurance_policy_administration 10.2.4
oracle retail_customer_engagement *
vmware spring_framework *
oracle enterprise_data_quality 12.2.1.4.0
oracle communications_brm 11.3.0.9
oracle retail_bulk_data_integration 16.0.3.0
oracle retail_xstore_point_of_service 16.0.6
oracle retail_financial_integration 16.0.3
oracle insurance_rules_palette 10.2.0
oracle retail_integration_bus 16.0.3
oracle fusion_middleware 12.2.1.4.0
oracle retail_order_broker 15.0
oracle retail_customer_management_and_segmentation_foundation *
oracle financial_services_analytical_applications_infrastructure *
oracle communications_design_studio 7.3.5
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle mysql_enterprise_monitor *
oracle primavera_gateway *
oracle retail_xstore_point_of_service 18.0.3
oracle communications_design_studio 7.3.4
oracle communications_unified_inventory_management 7.3.4
oracle mysql_enterprise_monitor 8.0.23
oracle weblogic_server 14.1.1.0.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_design_studio 7.4.0
oracle retail_service_backbone 14.1.3
oracle healthcare_master_person_index 4.0.2.5
oracle storagetek_tape_analytics_sw_tool 2.3
oracle flexcube_private_banking 12.1.0
oracle insurance_rules_palette *
oracle retail_merchandising_system 16.0.3
oracle enterprise_data_quality 12.2.1.3.0
oracle weblogic_server 12.2.1.4.0
oracle retail_invoice_matching 14.1
oracle retail_financial_integration 14.1.3
oracle communications_session_report_manager *
oracle primavera_p6_enterprise_project_portfolio_management *
oracle insurance_policy_administration 11.0.2
oracle retail_service_backbone 16.0.3
oracle retail_xstore_point_of_service 15.0.4
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-5863 HIGH

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cloud_backup -
f5 nginx_controller 1.0.1
f5 nginx_controller *
CVE-2020-5865 MEDIUM

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
netapp cloud_backup -
f5 nginx_controller 1.0.1
f5 nginx_controller *
CVE-2020-5867 MEDIUM

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-494,

Products Affected

Vendor Product Version
netapp cloud_backup -
f5 nginx_controller 1.0.1
f5 nginx_controller *
CVE-2020-7069 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-326,

Products Affected

Vendor Product Version
debian debian_linux 10.0
tenable tenable.sc *
fedoraproject fedora 31
opensuse leap 15.1
canonical ubuntu_linux 12.04
canonical ubuntu_linux 20.04
oracle communications_diameter_signaling_router *
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
canonical ubuntu_linux 14.04
fedoraproject fedora 33
php php *
CVE-2020-7070 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-565,

Products Affected

Vendor Product Version
debian debian_linux 10.0
tenable tenable.sc *
fedoraproject fedora 31
opensuse leap 15.1
canonical ubuntu_linux 12.04
canonical ubuntu_linux 20.04
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp clustered_data_ontap -
canonical ubuntu_linux 14.04
fedoraproject fedora 33
debian debian_linux 9.0
php php *
CVE-2020-7071 MEDIUM

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp clustered_data_ontap -
debian debian_linux 9.0
php php *
CVE-2020-7456 HIGH

In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-STABLE before r361919, 11.3-RELEASE before p10, and 11.4-RC2 before p1, an invalid memory location may be used for HID items if the push/pop level is not restored within the processing of that HID item allowing an attacker with physical access to a USB port to be able to use a specially crafted USB device to gain kernel or user-space code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.1
freebsd freebsd 11.4
freebsd freebsd 11.3
CVE-2020-7469 MEDIUM

In FreeBSD 12.2-STABLE before r367402, 11.4-STABLE before r368202, 12.2-RELEASE before p1, 12.1-RELEASE before p11 and 11.4-RELEASE before p5 the handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
freebsd freebsd 12.1
freebsd freebsd 11.4
freebsd freebsd 12.2
CVE-2020-7595 MEDIUM

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle real_user_experience_insight 13.4.1.0
fedoraproject fedora 31
fedoraproject fedora 30
netapp snapdrive -
netapp symantec_netbackup -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
debian debian_linux 9.0
oracle real_user_experience_insight 13.5.1.0
oracle enterprise_manager_ops_center 12.4.0.0
oracle real_user_experience_insight 13.3.1.0
netapp steelstore_cloud_integrated_storage -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
siemens sinema_remote_connect_server *
canonical ubuntu_linux 12.04
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
netapp smi-s_provider -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
oracle mysql_workbench *
xmlsoft libxml2 2.9.10
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-7656 MEDIUM

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.58
juniper junos 21.2
netapp cloud_backup -
netapp active_iq_unified_manager -
jquery jquery *
netapp snap_creator_framework -
netapp oncommand_system_manager *
CVE-2020-7699 HIGH

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
netapp max_data -
express-fileupload_project express-fileupload *
CVE-2020-7919 HIGH

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-295,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
golang go *
netapp cloud_insights_telegraf -
CVE-2020-8174 HIGH

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-191,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle retail_xstore_point_of_service 19.0.2
oracle banking_extensibility_workbench 14.4.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
oracle retail_xstore_point_of_service 20.0.1
oracle banking_extensibility_workbench 14.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle blockchain_platform *
nodejs node.js *
oracle mysql_cluster *
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2020-8284 MEDIUM

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
apple macos 11.0.1
fujitsu m10-4_firmware *
apple macos 11.1
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
debian debian_linux 10.0
apple mac_os_x 10.14.6
oracle essbase 21.2
fujitsu m10-1_firmware *
netapp hci_management_node -
apple mac_os_x 10.15.7
haxx curl *
apple macos 11.2
oracle peoplesoft_enterprise_peopletools 8.58
fedoraproject fedora 32
netapp hci_storage_node -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
oracle communications_billing_and_revenue_management 12.0.0.3.0
fujitsu m10-4s_firmware *
fujitsu m12-2_firmware *
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
apple mac_os_x *
CVE-2020-8285 MEDIUM

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,CWE-787,

Products Affected

Vendor Product Version
apple macos *
fujitsu m10-4_firmware *
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
debian debian_linux 10.0
apple mac_os_x 10.14.6
oracle essbase 21.2
fujitsu m10-1_firmware *
netapp hci_management_node -
apple mac_os_x 10.15.7
oracle peoplesoft_enterprise_peopletools 8.58
fedoraproject fedora 32
netapp hci_storage_node_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
oracle communications_billing_and_revenue_management 12.0.0.3.0
fujitsu m10-4s_firmware *
fujitsu m12-2_firmware *
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
apple mac_os_x *
haxx libcurl *
CVE-2020-8286 MEDIUM

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
siemens simatic_tim_1531_irc_firmware *
debian debian_linux 10.0
apple mac_os_x 10.14.6
oracle essbase 21.2
netapp hci_management_node -
apple macos *
apple mac_os_x 10.15.7
oracle peoplesoft_enterprise_peopletools 8.58
fedoraproject fedora 32
netapp hci_storage_node_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
oracle communications_billing_and_revenue_management 12.0.0.3.0
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
apple mac_os_x *
haxx libcurl *
CVE-2020-8571 MEDIUM

StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2020-8572 MEDIUM

Element OS prior to version 12.0 and Element HealthTools prior to version 2020.04.01.04 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp element_healthtools *
netapp element_os *
CVE-2020-8573 MEDIUM

The NetApp HCI H610C, H615C and H610S Baseboard Management Controllers (BMC) are shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 or the Compute Firmware Bundle 12.2.92 the BMC account password on the H610C, H615C and H610S platforms is reset to the default documented value which could allow remote attackers to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
netapp hci_h610s_firmware -
CVE-2020-8574 MEDIUM

Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager *
CVE-2020-8575 LOW

Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager *
CVE-2020-8576 MEDIUM

Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.5
netapp clustered_data_ontap 9.6
netapp clustered_data_ontap 9.7
CVE-2020-8577 MEDIUM

SANtricity OS Controller Software versions 11.50.1 and higher are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2020-8578 LOW

Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap *
CVE-2020-8579 MEDIUM

Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a vulnerability which allows an attacker with access to an intercluster LIF to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.7
CVE-2020-8580 MEDIUM

SANtricity OS Controller Software versions 11.30 and higher are susceptible to a vulnerability which allows an unauthenticated attacker with access to the system to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2020-8581 LOW

Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap *
CVE-2020-8582 MEDIUM

Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an authenticated user to view sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci *
netapp element_os *
CVE-2020-8583 MEDIUM

Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci *
netapp element_os *
CVE-2020-8584 HIGH

Element OS versions prior to 1.8P1 and 12.2 are susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp hci_storage_node -
netapp element_os 1.8
netapp hci_management_node -
netapp solidfire -
netapp element_os *
CVE-2020-8585 LOW

OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
netapp oncommand_unified_manager *
CVE-2020-8587 LOW

OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to 9.4P3 are susceptible to a vulnerability that could allow HTTP clients to cache sensitive responses making them accessible to an attacker who has access to the system where the client runs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_system_manager 9.4
netapp oncommand_system_manager 9.3
netapp oncommand_system_manager *
CVE-2020-8588 LOW

Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.1 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.5
CVE-2020-8589 LOW

Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.1 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.5
CVE-2020-8590 LOW

Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.3
netapp clustered_data_ontap 9.1
netapp clustered_data_ontap *
CVE-2020-8618 MEDIUM

An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
security-officer@isc.org 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
opensuse leap 15.2
opensuse leap 15.1
isc bind *
netapp steelstore_cloud_integrated_storage -
CVE-2020-8619 MEDIUM

In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
security-officer@isc.org 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-404,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
debian debian_linux 10.0
fedoraproject fedora 32
opensuse leap 15.2
fedoraproject fedora 31
opensuse leap 15.1
isc bind *
netapp steelstore_cloud_integrated_storage -
CVE-2020-8620 MEDIUM

In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
isc bind 9.11.3
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
isc bind 9.11.21
opensuse leap 15.1
isc bind *
isc bind 9.9.12
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 12.04
isc bind 9.9.13
CVE-2020-8621 MEDIUM

In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
opensuse leap 15.1
isc bind *
netapp steelstore_cloud_integrated_storage -
synology dns_server *
CVE-2020-8622 MEDIUM

In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
isc bind 9.11.21
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
canonical ubuntu_linux 12.04
synology dns_server *
canonical ubuntu_linux 20.04
oracle communications_diameter_signaling_router *
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
isc bind 9.9.3
isc bind *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2020-8623 MEDIUM

In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
isc bind 9.11.21
opensuse leap 15.1
isc bind 9.10.5
netapp steelstore_cloud_integrated_storage -
synology dns_server *
canonical ubuntu_linux 20.04
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
isc bind *
debian debian_linux 9.0
CVE-2020-8624 MEDIUM

In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
isc bind 9.11.3
debian debian_linux 10.0
fedoraproject fedora 31
isc bind 9.11.21
opensuse leap 15.1
isc bind 9.9.12
netapp steelstore_cloud_integrated_storage -
isc bind 9.9.13
canonical ubuntu_linux 20.04
fedoraproject fedora 32
opensuse leap 15.2
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
isc bind *
CVE-2020-8625 MEDIUM

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
security-officer@isc.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
isc bind 9.11.3
isc bind 9.11.27
debian debian_linux 10.0
isc bind 9.11.8
isc bind 9.17.0
isc bind 9.11.21
isc bind 9.11.5
fedoraproject fedora 34
isc bind 9.17.1
fedoraproject fedora 32
isc bind 9.11.6
netapp 500f_firmware -
netapp cloud_backup -
isc bind *
isc bind 9.16.8
isc bind 9.11.7
fedoraproject fedora 33
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
isc bind 9.16.11
netapp a250_firmware -
CVE-2020-8648 LOW

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
debian debian_linux 8.0
netapp cloud_backup -
opensuse leap 15.1
canonical ubuntu_linux 14.04
netapp active_iq_unified_manager -
broadcom brocade_fabric_operating_system_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2020-8670 MEDIUM

Race condition in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
siemens simatic_ipc527g_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc647e_firmware *
intel bios -
netapp aff_bios -
siemens simatic_ipc547g_firmware *
netapp fas_bios -
siemens simatic_ipc427e_firmware *
netapp hci_storage_node_bios -
siemens simatic_ipc847e_firmware *
netapp solidfire_bios -
netapp hci_compute_node_bios -
siemens simatic_ipc477e_pro_firmware *
netapp cloud_backup -
siemens simatic_ipc677e_firmware *
siemens simatic_ipc627e_firmware *
siemens simatic_itp1000_firmware *
siemens simatic_ipc477e_firmware *
CVE-2020-8696 LOW

Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,

Products Affected

Vendor Product Version
intel microcode -
netapp solidfire_bios -
netapp clustered_data_ontap -
fedoraproject fedora 31
debian debian_linux 9.0
netapp hcl_compute_node_bios -
netapp hci_storage_node_bios -
CVE-2020-8698 LOW

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-668,

Products Affected

Vendor Product Version
siemens simatic_field_pg_m5_firmware *
siemens simatic_field_pg_m6_firmware *
fedoraproject fedora 31
siemens simatic_ipc647e_firmware *
siemens simatic_ipc427e_firmware *
netapp hci_storage_node_bios -
siemens simatic_ipc847e_firmware *
intel microcode -
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp clustered_data_ontap -
siemens simatic_ipc477e_pro_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_ipc627e_firmware *
debian debian_linux 9.0
siemens simatic_itp1000_firmware *
siemens simatic_ipc477e_firmware *
CVE-2020-8700 MEDIUM

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
netapp e-series_bios -
intel bios -
netapp aff_bios -
netapp cloud_backup -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-8703 MEDIUM

Improper buffer restrictions in a subsystem in the Intel(R) CSME versions before 11.8.86, 11.12.86, 11.22.86, 12.0.81, 13.0.47, 13.30.17, 14.1.53, 14.5.32 and 15.0.22 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc527g_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc547g_firmware *
siemens simatic_ipc427e_firmware *
intel converged_security_and_manageability_engine *
siemens simatic_ipc847e_firmware *
siemens simatic_ipc477e_pro_firmware *
netapp cloud_backup -
siemens simatic_ipc677e_firmware *
siemens simatic_ipc627e_firmware *
siemens simatic_itp1000_firmware *
siemens simatic_ipc477e_firmware *
CVE-2020-8738 MEDIUM

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp fas/aff_bios -
netapp hci_compute_node_bios -
intel bios -
netapp cloud_backup -
netapp hci_storage_node_bios -
CVE-2020-8739 MEDIUM

Use of potentially dangerous function in Intel BIOS platform sample code for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
intel bios -
netapp aff_bios -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-8740 MEDIUM

Out of bounds write in Intel BIOS platform sample code for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
intel bios -
netapp aff_bios -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-8746 LOW

Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-8747 MEDIUM

Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-8749 MEDIUM

Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-8752 HIGH

Out-of-bounds write in IPv6 subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow an unauthenticated user to potentially enable escalation of privileges via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
intel standard_manageability *
CVE-2020-8754 MEDIUM

Out-of-bounds read in subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
intel standard_manageability *
CVE-2020-8757 MEDIUM

Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-8758 HIGH

Improper buffer restrictions in network subsystem in provisioned Intel(R) AMT and Intel(R) ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 may allow an unauthenticated user to potentially enable escalation of privilege via network access. On un-provisioned systems, an authenticated user may potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
intel active_management_technology_firmware *
netapp steelstore_cloud_integrated_storage -
intel standard_manageability *
CVE-2020-8760 MEDIUM

Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2020-8764 MEDIUM

Improper access control in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp solidfire_bios -
netapp hci_compute_node_bios -
intel bios -
netapp aff_bios -
netapp fas_bios -
netapp hci_storage_node_bios -
CVE-2020-8832 LOW

The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp fas8700_firmware -
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp fas_baseboard_management_controller_a320_firmware -
netapp h610c_firmware -
netapp fas_baseboard_management_controller_c190_firmware -
netapp aff_a400_firmware -
netapp aff_a220_firmware -
netapp h610s_firmware -
netapp fas_baseboard_management_controller_a800_firmware -
netapp aff_8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp aff_8300_firmware -
netapp fas2750_firmware -
netapp aff_a320_firmware -
netapp fas_baseboard_management_controller_a220_firmware -
netapp aff_a700s_firmware -
netapp fas2720_firmware -
netapp fas8300_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp fas_baseboard_management_controller_a400_firmware -
netapp aff_c190_firmware -
CVE-2020-8835 HIGH

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@ubuntu.com 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp a800_firmware -
fedoraproject fedora 31
netapp c190_firmware -
fedoraproject fedora 30
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp h610c_firmware -
netapp a320_firmware -
netapp h610s_firmware -
netapp hci_management_node -
netapp 8700_firmware -
netapp steelstore_cloud_integrated_storage -
netapp a220_firmware -
netapp a700s_firmware -
netapp a400_firmware -
netapp fas2750_firmware -
fedoraproject fedora 32
canonical ubuntu_linux 19.10
netapp fas2720_firmware -
netapp 8300_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2020-8840 HIGH

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
huawei oceanstor_9000_firmware v300r006c20spc200
huawei oceanstor_9000_firmware v300r006c20spc100
debian debian_linux 8.0
fasterxml jackson-databind *
huawei oceanstor_9000_firmware v300r006c20
huawei oceanstor_9000_firmware v300r006c20spc300
netapp steelstore_cloud_integrated_storage -
netapp oncommand_api_services -
netapp service_level_manager -
oracle global_lifecycle_management_opatch *
CVE-2020-8908 LOW

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
cve-coordination@google.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-378,CWE-732,

Products Affected

Vendor Product Version
oracle retail_customer_management_and_segmentation_foundation *
oracle primavera_unifier 21.12
oracle primavera_unifier 19.12
oracle data_integrator 12.2.1.3.0
oracle data_integrator 12.2.1.4.0
oracle commerce_guided_search 11.3.2
oracle peoplesoft_enterprise_peopletools 8.59
netapp active_iq_unified_manager -
oracle communications_pricing_design_center 12.0.0.4.0
google guava *
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_pricing_design_center 12.0.0.5.0
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle primavera_unifier 18.8
oracle weblogic_server 14.1.1.0.0
oracle communications_cloud_native_core_network_repository_function 1.14.0
oracle primavera_unifier 20.12
oracle primavera_unifier *
oracle nosql_database *
CVE-2020-8992 MEDIUM

ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-834,

Products Affected

Vendor Product Version
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp h410c_firmware -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
CVE-2020-9327 MEDIUM

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
oracle hyperion_infrastructure_technology 11.1.2.4
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
sqlite sqlite 3.31.1
oracle communications_network_charging_and_control 6.0.1
oracle outside_in_technology 8.5.5
canonical ubuntu_linux 19.10
oracle mysql_workbench *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
oracle communications_messaging_server 8.1
oracle communications_network_charging_and_control *
netapp cloud_backup -
oracle communications_network_charging_and_control 12.0.2
siemens sinec_infrastructure_network_services *
oracle outside_in_technology 8.5.4
CVE-2020-9383 LOW

An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
debian debian_linux 8.0
netapp data_availability_services -
netapp hci_management_node -
opensuse leap 15.1
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp h410c_firmware -
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
netapp cloud_backup -
canonical ubuntu_linux 14.04
netapp solidfire -
debian debian_linux 9.0
CVE-2020-9391 LOW

An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 31
linux linux_kernel *
netapp data_availability_services -
netapp cloud_backup -
netapp hci_management_node -
netapp solidfire -
netapp steelstore_cloud_integrated_storage -
netapp active_iq_unified_manager -
netapp h410c_firmware -
linux linux_kernel 5.4
CVE-2020-9402 MEDIUM

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
canonical ubuntu_linux 19.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
djangoproject django *
netapp steelstore_cloud_integrated_storage -
debian debian_linux 9.0
CVE-2020-9546 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_retail_customer_analytics 8.0.6
oracle retail_service_backbone 14.1
oracle agile_plm 9.3.6
oracle communications_diameter_signaling_router *
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle financial_services_institutional_performance_analytics 8.7.0
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle financial_services_institutional_performance_analytics 8.0.6
oracle jd_edwards_enterpriseone_orchestrator *
oracle financial_services_price_creation_and_discovery 8.0.6
oracle communications_contacts_server 8.0.0.4.0
netapp active_iq_unified_manager *
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle financial_services_price_creation_and_discovery 8.0.7
oracle communications_evolved_communications_application_server 7.1
oracle insurance_policy_administration_j2ee 11.0.2.25
oracle retail_xstore_point_of_service 17.0
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
oracle banking_platform *
oracle financial_services_analytical_applications_infrastructure *
oracle retail_service_backbone 15.0
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle financial_services_institutional_performance_analytics 8.0.7
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle retail_xstore_point_of_service 16.0
oracle communications_session_route_manager *
oracle primavera_unifier *
oracle insurance_policy_administration_j2ee 11.1.0.15
oracle communications_contacts_server 8.0.0.5.0
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle retail_service_backbone 16.0
oracle communications_network_charging_and_control 6.0.1
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle financial_services_institutional_performance_analytics 8.1.0
oracle retail_xstore_point_of_service 18.0
CVE-2020-9547 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle weblogic_server 12.2.1.3.0
oracle primavera_unifier 16.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
fasterxml jackson-databind *
oracle primavera_unifier *
oracle global_lifecycle_management_opatch *
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp active_iq_unified_manager *
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle retail_xstore_point_of_service 18.0
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2020-9548 MEDIUM

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle banking_digital_experience 20.1
oracle weblogic_server 12.2.1.3.0
oracle agile_plm 9.3.6
oracle primavera_unifier 16.1
oracle retail_merchandising_system 15.0
oracle retail_sales_audit 14.1
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_calendar_server 8.0.0.4.0
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 16.0
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle communications_session_route_manager *
fasterxml jackson-databind *
oracle primavera_unifier *
oracle banking_digital_experience 18.2
oracle global_lifecycle_management_opatch *
oracle communications_contacts_server 8.0.0.5.0
oracle communications_instant_messaging_server 10.0.1.4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle primavera_unifier 19.12
oracle banking_digital_experience 18.3
oracle jd_edwards_enterpriseone_tools *
debian debian_linux 8.0
oracle communications_contacts_server 8.0.0.4.0
oracle communications_network_charging_and_control 6.0.1
netapp active_iq_unified_manager *
oracle retail_xstore_point_of_service 15.0
oracle weblogic_server 12.2.1.4.0
oracle banking_digital_experience 18.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle communications_evolved_communications_application_server 7.1
oracle communications_session_report_manager *
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 19.0
oracle communications_network_charging_and_control *
oracle banking_digital_experience 19.1
oracle banking_digital_experience 19.2
oracle retail_xstore_point_of_service 18.0
oracle communications_element_manager *
oracle enterprise_manager_base_platform 13.3.0.0
CVE-2021-0060 HIGH

Insufficient compartmentalization in HECI subsystem for the Intel(R) SPS before versions SPS_E5_04.01.04.516.0, SPS_E5_04.04.04.033.0, SPS_E5_04.04.03.281.0, SPS_E5_03.01.03.116.0, SPS_E3_05.01.04.309.0, SPS_02.04.00.101.0, SPS_SoC-A_05.00.03.114.0, SPS_SoC-X_04.00.04.326.0, SPS_SoC-X_03.00.03.117.0, IGN_E5_91.00.00.167.0, SPS_PHI_03.01.03.078.0 may allow an authenticated user to potentially enable escalation of privilege via physical access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel atom_c3000_series_firmware *
intel pentium_gold_series_firmware *
intel celeron_6000_series_firmware *
netapp hci_storage_node_bios -
intel atom_c610_series_firmware *
intel 11th_generation_core_series_firmware *
intel xeon_d-1500_series_firmware *
netapp solidfire_bios -
netapp hci_compute_node_bios -
intel c620_series_firmware *
intel c240_series_firmware *
intel xeon_d_2000_series_firmware *
intel xeon_w-1300_series_firmware *
netapp cloud_backup -
intel c620a_series_firmware *
intel atom_p5000_series_firmware *
CVE-2021-0091 HIGH

Improper access control in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0092 LOW

Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0093 LOW

Incorrect default permissions in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-276,CWE-276,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0099 MEDIUM

Insufficient control flow management in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0103 MEDIUM

Insufficient control flow management in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0107 MEDIUM

Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-252,CWE-252,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0111 MEDIUM

NULL pointer dereference in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0115 MEDIUM

Buffer overflow in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel xeon_e-2126g -
intel core_i5-9300h -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-8400b -
intel core_i5-6600 -
intel core_i5-8400h -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i5-8259u -
intel core_i7-6850k -
intel core_m5-6y57 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_m3-7y32 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-8257u -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel core_i7-7800x -
intel atom_c3750 -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel atom_c3708 -
intel core_i9-7920x -
intel core_i7-10700k -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel atom_c3950 -
intel core_i5-8300h -
intel xeon_w-3375 -
intel core_i9-10900t -
intel core_i5-6500 -
intel core_i5-10300h -
intel atom_c3338 -
intel core_i7-9850h -
intel core_i5-8365u -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i5-8200y -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel atom_c3558 -
intel core_i5-11500h -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e-2276m -
intel core_i3-7130u -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel atom_c3758r -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel atom_c3955 -
intel core_i7-8700 -
intel core_i5-8210y -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_m3-6y30 -
intel core_i7-5820k -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel core_i5-6360u -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel atom_c3338r -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel atom_c3958 -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel atom_c3858 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel core_i5-8500 -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_gold_5215l -
intel core_i5-6260u -
intel core_i3-8145ue -
intel core_i5-11500 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel xeon_gold_6230t -
intel core_i5-10500te -
intel core_i9-11900h -
intel core_i5-9400h -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i5-8600 -
intel core_i9-11980hk -
intel core_i7-6820eq -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel core_i5-8260u -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel core_i5-11500he -
intel core_m3-7y30 -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel core_i7+8700 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
netapp fas/aff_bios -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel core_i5-9500e -
intel core_i9-7940x -
intel core_i5-8269u -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel core_i3-1000g4 -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel core_i7-4930mx -
intel core_i5-9600 -
intel core_m3-8100y -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_m5-6y54 -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel core_i5-8400t -
intel core_i3-10100f -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel atom_c3336 -
intel xeon_gold_6230r -
intel core_i9-8950hk -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_bronze_3106 -
intel core_i5-8365ue -
intel core_i9-9900k -
intel core_m7-6y75 -
intel core_i3-8109u -
intel core_i5-8265u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel core_i5-8310y -
intel xeon_d-2163it -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_bronze_3104 -
intel atom_c3758 -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel core_i7-3970x -
intel core_i7-9700 -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
netapp cloud_backup -
intel xeon_w-2125 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_w-3235 -
intel core_i5-8600t -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5122 -
intel xeon_gold_6240r -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel core_i5-8500t -
intel xeon_platinum_8280 -
intel core_i7-5930k -
intel core_i3-7102e -
intel core_i5-9600k -
intel core_i7-8850h -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-8500b -
intel core_i5-10210u -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel atom_c3808 -
intel atom_c3830 -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_e-2378 -
intel xeon_platinum_8168 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel atom_c3508 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel core_i5-7267u -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel atom_c3538 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_gold_6238 -
intel xeon_silver_4214r -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel atom_c3308 -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-8279u -
intel atom_c3850 -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel atom_c3436l -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel core_i9-10940x -
intel core_i3-9100t -
intel xeon_e-2378g -
intel xeon_platinum_8170 -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
intel atom_c3558r -
CVE-2021-0116 MEDIUM

Out-of-bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_w-1250e_firmware -
intel xeon_platinum_8170_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0117 MEDIUM

Pointer issues in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0118 MEDIUM

Out-of-bounds read in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0119 MEDIUM

Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.3 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0124 MEDIUM

Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0125 MEDIUM

Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel core_i7+8700_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-0127 LOW

Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-8665ue -
intel core_i7-8809g -
intel xeon_gold_5215 -
intel pentium_gold_6405u -
intel xeon_e-2126g -
intel core_i5-9300h -
intel xeon_e3-1535m_v5 -
intel core_i5-10400f -
intel core_i5-11400f -
intel core_i7-7920hq -
intel xeon_w-3175x -
intel core_i9-9820x -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-7700k -
intel xeon_gold_6212u -
intel core_i3-6100t -
intel core_i5-6600 -
intel core_i5-8400 -
intel core_i5-7600t -
intel xeon_w-2123 -
intel xeon_d-2142it -
intel xeon_gold_5318h -
intel core_i3-10100te -
intel core_i5-11600 -
intel xeon_d-1513n -
intel xeon_silver_4108 -
intel core_i3-1110g4 -
intel xeon_w-1350 -
intel core_i5-6200u -
intel xeon_w-1370p -
intel core_i5-8305g -
intel core_i5-1140g7 -
intel xeon_gold_6130f -
intel core_i5-11400h -
intel celeron_g1610t -
intel core_i5-9300hf -
intel core_i3-6157u -
intel core_i3-6167u -
intel xeon_gold_5220s -
intel xeon_gold_6328h -
intel core_i5-10600k -
intel core_i9-7960x -
intel xeon_silver_4314 -
intel xeon_gold_6138 -
intel xeon_platinum_9282 -
intel core_i7-6850k -
intel xeon_platinum_8368q -
intel pentium_gold_g5600t -
intel xeon_platinum_8380 -
intel xeon_gold_6252n -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-2223 -
intel xeon_w-1350p -
intel xeon_gold_6250 -
intel core_i5-1035g7 -
intel core_i5-9400 -
intel core_i7-6700te -
intel core_i3-6320 -
intel core_i5-10210y -
intel core_i7-6770hq -
intel core_i3-10300t -
intel xeon_w-1290p -
intel pentium_gold_g6400 -
intel core_i7-7800x -
intel core_i7-6970hq -
intel core_i3-9350k -
intel core_i7-8700k -
intel core_i3-7101te -
intel core_i9-7920x -
intel core_i7-10700k -
intel pentium_gold_g5420t -
netapp clustered_data_ontap -
intel xeon_e3-1578l_v5 -
intel xeon_gold_6248 -
intel core_i5-10500 -
intel xeon_w-1290te -
intel xeon_gold_6250l -
intel xeon_gold_6242 -
intel xeon_gold_6330 -
intel core_i7-9700t -
intel core_i3-6100 -
intel xeon_gold_5120t -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_e-2278ge -
intel core_i5-8350u -
intel xeon_gold_6338 -
intel xeon_gold_5120 -
intel xeon_w-3323 -
intel core_i7-7560u -
intel xeon_platinum_8380hl -
intel xeon_gold_5118 -
intel xeon_w-3265 -
intel xeon_platinum_8260y -
intel xeon_gold_6209u -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel core_i5-7442eq -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel xeon_platinum_8352m -
intel xeon_platinum_8358 -
intel xeon_w-3375 -
intel core_i9-10900t -
intel xeon_e3-1240l_v5 -
intel core_i5-6500 -
intel core_i5-10300h -
intel core_i7-9850h -
intel core_i7-1160g7 -
intel xeon_gold_6126t -
intel core_i5-7400 -
intel celeron_g1830 -
intel core_i5-6600k -
intel xeon_d-1528 -
intel core_i7-8700b -
intel core_i7-9800x -
intel core_i7-10810u -
intel core_i3-9100e -
intel xeon_bronze_3204 -
intel core_i3-10110u -
intel xeon_gold_6328hl -
intel core_i5-7287u -
intel core_i7-7660u -
intel xeon_d-2143it -
intel xeon_e-2186m -
intel xeon_silver_4114 -
intel core_i5-6300u -
intel xeon_w-11555mle -
intel xeon_platinum_8360hl -
intel pentium_gold_g5620 -
intel xeon_w-2225 -
intel core_i7-9850he -
intel core_i5-10310y -
intel xeon_gold_5317 -
intel core_i3-7101e -
intel core_i5-6300hq -
intel xeon_gold_6230 -
intel core_i7-3820 -
intel core_i5-11500h -
intel pentium_gold_g6400t -
intel xeon_silver_4210t -
intel xeon_e-2134 -
intel core_i7-7500u -
intel core_i7-8565u -
intel xeon_d-1627 -
intel xeon_gold_6130t -
intel xeon_d-1537 -
intel xeon_bronze_3206r -
intel core_i5-9400f -
intel xeon_platinum_8358p -
intel xeon_d-1577 -
intel xeon_d-1533n -
intel xeon_e-2374g -
intel xeon_gold_5218r -
intel xeon_e-2244g -
intel core_i9-11900kf -
intel xeon_d-1539 -
intel core_i9-11900k -
intel xeon_e3-1501m_v6 -
intel xeon_e-2276m -
intel pentium_gold_6500y -
intel pentium_gold_g6500t -
intel core_i3-7130u -
intel xeon_gold_5320t -
intel core_i7-8706g_ -
intel core_i9-10885h -
intel xeon_gold_6246r -
intel core_i5-1155g7 -
intel core_i5-10505 -
intel xeon_d-1518 -
intel core_i9-9940x -
intel core_i7-6567u -
intel core_i7-9750h -
intel core_i3-9350kf -
intel xeon_gold_6258r -
intel xeon_gold_5220 -
intel pentium_gold_4415u -
intel xeon_platinum_8160t -
intel xeon_gold_6126f -
intel core_i5-7300hq -
intel xeon_w-2235 -
intel core_i9-10920x -
intel xeon_gold_6136 -
intel core_i3-7020u -
intel core_i7-11700 -
intel xeon_e-2276g -
intel core_i9-7980xe -
intel core_i7-7y75 -
intel core_i7-6700t -
intel xeon_e-2124g -
intel core_i5-10600kf -
intel core_i7-8700 -
intel xeon_w-10885m -
intel xeon_d-1567 -
intel xeon_d-1520 -
intel core_i7-1195g7 -
intel pentium_gold_g6505 -
intel core_i5-6500te -
intel core_i7-9750hf -
intel xeon_w-2175 -
intel xeon_d-1529 -
intel core_i7-8557u -
intel core_i5-7400t -
intel core_i7-10710u -
intel core_i7-10700e -
intel xeon_e-2246g -
intel core_i3-1000g1 -
intel core_i7-5820k -
intel pentium_gold_g7400e -
intel core_i5-6287u -
intel xeon_d-2123it -
intel core_i7-11700f -
intel xeon_platinum_8158 -
intel xeon_gold_6254 -
intel core_i3-10305 -
intel core_i7-8709g -
intel core_i3-8100 -
intel xeon_gold_6226r -
intel xeon_w-2275 -
intel xeon_gold_6148 -
intel core_i5-8250u -
intel xeon_e-2224g -
intel core_i3-10100e -
intel xeon_gold_5218t -
intel core_i7-6560u -
intel core_i5-11600kf -
intel core_i7-8550u -
intel xeon_e-2278g -
intel xeon_gold_6246 -
intel core_i7-6920hq -
intel xeon_gold_6256 -
intel core_i3-8300 -
intel core_i7-10510y -
intel core_i7-10850h -
intel xeon_silver_4208 -
intel core_i7-8705g -
intel core_i7-1068ng7 -
intel core_i9-11900t -
intel xeon_platinum_8160 -
intel xeon_e3-1505l_v5 -
intel core_i5-6360u -
intel pentium_gold_g6405t -
intel pentium_gold_g7400te -
intel xeon_gold_6338n -
intel core_i9-9980hk -
intel xeon_d-2161i -
intel xeon_e-2286m -
intel core_i3-10110y -
intel core_i5-10600 -
intel core_i5-7500t -
intel xeon_w-2195 -
intel xeon_e-2278gel -
intel xeon_platinum_8270 -
intel core_i5-10500e -
intel celeron_g1820te -
intel xeon_silver_4114t -
intel xeon_w-11155mle -
intel xeon_silver_4310t -
intel xeon_w-1250p -
intel core_i7-6700hq -
intel core_i9-10900 -
intel core_i9-10900kf -
intel xeon_e3-1585_v5 -
intel xeon_d-1557 -
intel xeon_d-2177nt -
intel core_i5-6402p -
intel core_i7-8559u -
intel xeon_gold_6210u -
intel core_i5-7y57 -
intel xeon_e3-1275_v5 -
intel xeon_silver_4316 -
intel core_i3-6100te -
intel xeon_e-2226g -
intel core_i3-10105f -
intel xeon_gold_5218b -
intel core_i7-8569u -
intel core_i7-9700e -
intel core_i7-6820hq -
intel xeon_e-2224 -
intel core_i7-11700kf -
intel core_i7-9850hl -
intel xeon_gold_5119t -
intel core_i7-6820hk -
intel core_i5-1145gre -
intel core_i5-6685r -
intel core_i5-1030g7 -
intel core_i7-1185g7e -
intel xeon_d-2166nt -
intel xeon_platinum_8352y -
intel xeon_gold_5215l -
intel pentium_gold_g5400t -
intel core_i5-6260u -
intel core_i3-8145ue -
intel xeon_platinum_8376h -
intel core_i5-11500 -
intel xeon_gold_6342 -
intel xeon_w-11155mre -
intel xeon_gold_6142 -
intel xeon_d-1602 -
intel celeron_g1610 -
intel xeon_silver_4309y -
intel xeon_gold_6230t -
intel xeon_e3-1230_v5 -
intel core_i5-10500te -
intel core_i9-11900h -
intel xeon_platinum_8380h -
intel core_i5-9400h -
intel xeon_gold_6314u -
intel xeon_e-2324g -
intel core_i7-8750h -
intel core_i7-6700 -
intel core_i7-7820hq -
intel core_i7-8650u -
intel core_i5-9500t -
intel xeon_d-1653n -
intel xeon_d-2173it -
intel core_i7-8665u -
intel xeon_gold_5220r -
intel core_i7-11375h -
intel xeon_w-3275 -
intel xeon_d-2141i -
intel xeon_w-2265 -
intel core_i5-10310u -
intel xeon_platinum_8352v -
intel xeon_platinum_8153 -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i5-7360u -
intel xeon_w-2255 -
intel xeon_gold_6144 -
intel xeon_d-1541 -
intel core_i9-11980hk -
intel xeon_e3-1501l_v6 -
intel core_i7-6820eq -
intel xeon_platinum_8354h -
intel xeon_silver_4112 -
intel core_i3-10105t -
intel xeon_w-1290 -
intel core_i7-7820hk -
intel xeon_w-3365 -
intel core_i7-1180g7 -
intel core_i9-10900k -
intel xeon_w-1270e -
intel xeon_d-1649n -
intel xeon_w-1270te -
intel xeon_gold_6334 -
intel celeron_g3930e -
intel core_i5-11500he -
intel pentium_gold_5405u -
intel core_i5-1130g7 -
intel xeon_platinum_8180 -
intel xeon_gold_5217 -
intel xeon_d-1622 -
intel core_i9-9960x -
intel core_i7-8086k -
intel xeon_gold_6154 -
intel core_i5-9500 -
intel xeon_silver_4210r -
intel core_i5-6440hq -
intel core_i7-10510u -
intel core_i7-4820k -
intel core_i9-10900te -
intel core_i7-3930k -
intel celeron_g1620t -
intel core_i7-7820x -
intel xeon_e-2176g -
intel xeon_e-2254me -
intel core_i5-10400t -
intel pentium_gold_g6605 -
intel core_i3-10100 -
intel core_i7-10610u -
intel xeon_w-2155 -
intel xeon_gold_6330n -
intel core_i5-9500e -
intel core_i9-7940x -
intel pentium_gold_g5420 -
intel core_i7-9700k -
intel xeon_gold_6240y -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel xeon_gold_6150 -
intel xeon_e-2236 -
intel core_i3-7100h -
intel core_i3-7350k -
intel xeon_gold_6138f -
intel core_i5-6585r -
intel pentium_gold_g6505t -
intel core_i3-1000g4 -
intel xeon_platinum_8360h -
intel core_i5-10500t -
intel core_i9-11900 -
intel core_i9-10900f -
intel core_i5-7200u -
intel xeon_e3-1565l_v5 -
intel core_i3-8100h -
intel core_i3-1115g4e -
intel xeon_platinum_8356h -
intel xeon_platinum_8268 -
intel xeon_w-2145 -
intel core_i3-7300t -
intel core_i7-11800h -
intel core_i7-10700f -
intel core_i3-9300t -
intel core_i3-7300 -
intel core_i3-6300t -
intel core_i3-7167u -
intel core_i3-9100te -
intel xeon_gold_6138p -
intel xeon_gold_6142f -
intel core_i7-8700t -
intel xeon_platinum_8260l -
intel core_i3-10325 -
intel pentium_gold_4417u -
intel core_i7-4930mx -
intel core_i5-9600 -
intel xeon_gold_6238r -
intel xeon_gold_6248r -
intel core_i5-7600 -
intel core_i5-7640x -
intel core_i7-6870hq -
intel core_i9-7900x -
intel xeon_gold_6148f -
intel core_i7-11390h -
intel core_i5-8600k -
intel xeon_w-1270p -
intel xeon_w-3335 -
intel core_i3-6100e -
intel core_i3-6098p -
intel xeon_e3-1558l_v5 -
intel core_i3-10100f -
intel pentium_gold_g7400 -
intel xeon_e-2334 -
intel core_i7-1165g7 -
intel core_i3-7100t -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5220t -
intel xeon_gold_6238t -
intel core_i5-6400t -
intel core_i3-6006u -
intel xeon_gold_6230r -
intel xeon_silver_4216 -
intel core_i9-9900ks -
intel xeon_w-2295 -
intel core_i9-11950h -
intel xeon_gold_6240 -
intel core_i7-6650u -
intel core_i5-10400 -
intel xeon_gold_5218n -
intel xeon_e3-1515m_v5 -
intel xeon_w-11555mre -
intel xeon_w-1250e -
intel xeon_gold_6234 -
intel celeron_g1820t -
intel pentium_gold_g5400 -
intel core_i7-6822eq -
intel core_i5-7300u -
intel xeon_gold_6230n -
intel xeon_e3-1585l_v5 -
intel xeon_gold_5115 -
intel core_i3-9100hl -
intel core_i7-8500y -
intel xeon_e-2234 -
intel xeon_gold_6238l -
intel xeon_w-3223 -
intel xeon_gold_6330h -
intel xeon_bronze_3106 -
intel core_i9-9900k -
intel core_i3-8109u -
intel xeon_d-1623n -
intel xeon_d-1548 -
intel xeon_d-2163it -
intel xeon_platinum_8351n -
intel xeon_gold_5318s -
intel xeon_platinum_8176f -
intel xeon_platinum_8156 -
intel core_i5-7260u -
intel core_i5-1035g4 -
intel core_i3-9320 -
intel core_i7-7567u -
intel xeon_e-2124 -
intel core_i3-9300 -
intel xeon_gold_6312u -
intel xeon_gold_6132 -
intel xeon_w-10855m -
intel core_i5-1030g4 -
intel celeron_g3930te -
intel xeon_d-1543n -
intel xeon_platinum_9222 -
intel xeon_gold_6134 -
intel core_i5-9600t -
intel xeon_w-1270 -
intel xeon_gold_6348h -
intel pentium_gold_g6405 -
intel pentium_gold_g7400t -
intel xeon_bronze_3104 -
intel xeon_gold_6336y -
intel core_i7-6500u -
intel core_i7-7700hq -
intel xeon_e-2144g -
intel core_i5-10500h -
intel core_i3-1120g4 -
intel xeon_e3-1280_v5 -
intel core_i7-3970x -
intel xeon_gold_6338t -
intel core_i7-9700 -
intel pentium_gold_g5500t -
intel core_i9-9920x -
intel xeon_platinum_8280l -
intel xeon_silver_4209t -
intel xeon_platinum_8276 -
intel pentium_gold_g6400e -
intel core_i5-1038ng7 -
intel xeon_silver_4116 -
intel core_i7-7700t -
intel xeon_e3-1575m_v5 -
intel xeon_w-2125 -
intel pentium_gold_g6600 -
intel core_i7-9700kf -
intel xeon_w-1250te -
intel core_i9-9900 -
intel core_i7-4940mx -
intel xeon_w-3275m -
intel core_i5-9500te -
intel xeon_d-2183it -
intel xeon_gold_6354 -
intel xeon_w-3235 -
intel xeon_w-3265m -
intel core_i5-10400h -
intel xeon_gold_6242r -
intel core_i3-9100 -
intel xeon_e-2226ge -
intel core_i7-6660u -
intel core_i5-7y54 -
intel xeon_e-2174g -
intel core_i7-10700kf -
intel xeon_gold_5318n -
intel xeon_gold_6240r -
intel xeon_gold_5122 -
intel xeon_silver_4214 -
intel xeon_e-2286g -
intel core_i3-8145u -
intel core_i7-3960x -
intel xeon_e-2186g -
intel xeon_w-2133 -
intel xeon_platinum_8253 -
intel core_i3-8130u -
intel core_i5-11600t -
intel xeon_d-1571 -
intel xeon_e3-1545m_v5 -
intel core_i3-10100t -
intel core_i7-6800k -
intel xeon_w-1370 -
intel xeon_platinum_8360y -
intel xeon_e3-1505m_v5 -
intel pentium_gold_4415y -
intel xeon_w-3345 -
intel core_i3-11100he -
intel core_i7-4960x -
intel xeon_e-2276ml -
intel core_i3-7100e -
intel xeon_gold_6146 -
intel core_i3-8100b -
intel core_i7-11700k -
intel pentium_gold_g5500 -
intel core_i5-6400 -
intel core_i3-6100h -
intel core_i7-10750h -
intel xeon_w-1290t -
intel xeon_gold_6222v -
intel xeon_platinum_8280 -
intel xeon_gold_6326 -
intel core_i7-5930k -
intel xeon_platinum_8376hl -
intel core_i3-7102e -
intel xeon_gold_5315y -
intel core_i5-9600k -
intel core_i7-8850h -
intel celeron_g1620 -
intel core_i3-7100u -
intel core_i3-9100f -
intel core_i9-9980xe -
intel core_i5-10210u -
intel xeon_gold_5320 -
intel xeon_gold_6262v -
intel core_i3-8140u -
intel xeon_d-1633n -
intel core_i7-10875h -
intel core_i7-7740x -
intel xeon_gold_6244 -
intel core_i7-10700 -
intel core_i9-10980xe -
intel xeon_d-1637 -
intel xeon_platinum_8168 -
intel xeon_e-2378 -
intel core_i3-8100t -
intel core_i5-7440hq -
intel xeon_e-2274g -
intel core_i9-11900f -
intel pentium_gold_4425y -
intel xeon_d-1540 -
intel core_i5-11400 -
intel xeon_e3-1235l_v5 -
intel xeon_silver_4215r -
intel xeon_e-2136 -
intel core_i5-10200h -
intel core_i7-8706g -
intel xeon_e-2254ml -
intel core_i5-9500f -
intel xeon_silver_4214y -
intel xeon_w-2245 -
intel core_i5-10600t -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel xeon_platinum_8260 -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i3-10100y -
intel xeon_gold_5222 -
intel core_i7-3920xm -
intel xeon_gold_6152 -
intel xeon_e3-1270_v5 -
intel core_i5-7267u -
intel xeon_e3-1220_v5 -
intel xeon_gold_6348 -
intel core_i5-6440eq -
intel xeon_w-1290e -
intel pentium_gold_4410y -
intel pentium_gold_7505 -
intel core_i5-6350hq -
intel core_i3-6300 -
intel xeon_d-2145nt -
intel xeon_w-2135 -
intel celeron_g1630 -
intel xeon_silver_4215 -
intel xeon_gold_6126 -
intel core_i7-3940xm -
intel xeon_e3-1225_v5 -
intel xeon_gold_6238 -
intel pentium_gold_g5600 -
intel xeon_silver_4214r -
intel celeron_g1820 -
intel core_i3-8300t -
intel core_i3-10300 -
intel xeon_e-2288g -
intel xeon_gold_5218 -
intel core_i7-6700k -
intel core_i3-6102e -
intel core_i5-6267u -
intel core_i9-9900x -
intel xeon_e-2176m -
intel xeon_w-3245 -
intel xeon_gold_6208u -
intel xeon_platinum_8368 -
intel xeon_d-1523n -
intel xeon_platinum_9221 -
intel core_i5-6442eq -
intel core_i7-11850he -
intel core_i7-10700t -
intel xeon_d-2146nt -
intel core_i9-10980hk -
intel xeon_silver_4110 -
intel core_i5-9600kf -
intel xeon_e-2356g -
intel pentium_gold_g6400te -
intel xeon_silver_4310 -
intel xeon_gold_6252 -
intel xeon_silver_4116t -
intel xeon_silver_4109t -
intel core_i7-6900k -
intel xeon_d-1531 -
intel core_i5-6500t -
intel core_i5-11400t -
intel core_i9-9880h -
intel core_i9-10900x -
intel core_i7-5960x -
intel xeon_e-2386g -
intel xeon_gold_6240l -
intel core_i7-10870h -
intel core_i5-11300h -
intel core_i5-9400t -
intel core_i3-7100 -
intel xeon_e3-1240_v5 -
intel core_i3-8350k -
intel core_i3-10320 -
intel xeon_e-2314 -
intel xeon_platinum_9242 -
intel core_i7-10700te -
intel core_i7-7600u -
intel core_i9-9900kf -
intel core_i7-9700f -
intel xeon_platinum_8352s -
intel xeon_platinum_8276l -
intel core_i3-10105 -
intel xeon_d-1553n -
intel core_i7-4930k -
intel xeon_e3-1260l_v5 -
intel xeon_gold_6128 -
intel core_i7-11370h -
intel xeon_platinum_8160f -
intel xeon_gold_6346 -
intel xeon_e-2276me -
intel xeon_d-1527 -
intel core_i7-6600u -
intel core_i3-7320 -
intel core_i9-10900e -
intel core_i7-6950x -
intel core_i7-11850h -
intel xeon_w-3245m -
intel pentium_gold_g6500 -
intel xeon_gold_6138t -
intel xeon_platinum_8164 -
intel xeon_w-11855m -
intel xeon_gold_5318y -
intel xeon_gold_6130 -
intel core_i9-9900t -
intel core_i5-7600k -
intel xeon_platinum_8362 -
intel xeon_gold_6226 -
intel core_i5-6600t -
intel xeon_gold_5320h -
intel xeon_d-1559 -
intel xeon_e-2146g -
intel core_i7-1185g7 -
intel xeon_e-2336 -
intel xeon_d-2187nt -
intel core_i3-10305t -
intel core_i7-9700te -
intel xeon_silver_4210 -
intel xeon_d-1521 -
intel core_i5-7500 -
intel core_i7-1065g7 -
intel core_i7-7700 -
intel core_i5-7440eq -
intel core_i5-11320h -
intel core_i7-6785r -
intel xeon_platinum_8256 -
intel core_i3-1115g4 -
intel core_i3-6100u -
intel xeon_w-3225 -
intel xeon_e3-1245_v5 -
intel core_i9-10940x -
intel xeon_platinum_8353h -
intel xeon_e3-1268l_v5 -
intel core_i3-9100t -
intel xeon_platinum_8170 -
intel xeon_e-2378g -
intel xeon_gold_6140 -
intel xeon_w-1250 -
intel xeon_platinum_8176 -
intel core_i7-7820eq -
intel core_i7-11600h -
intel core_i9-10850k -
CVE-2021-0145 LOW

Improper initialization of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
intel core_i3-11100he -
intel core_i7-11700 -
intel core_i7-11700k -
intel core_i5-11400f -
intel core_i5-1145g7 -
intel core_i5-1145g7e -
intel core_i7-11700t -
intel core_i7-1060g7 -
intel core_i7-1195g7 -
intel xeon_w-1300 -
intel xeon_platinum_8376hl -
intel xeon_gold_6300 -
intel core_i3-1000g4 -
intel core_i5-11600 -
intel xeon_platinum_8360h -
intel core_i3-1000g1 -
intel core_i9-11900 -
intel core_i3-1110g4 -
intel core_i3-1115g4e -
intel xeon_platinum_8356h -
intel xeon_w-1350 -
intel xeon_e-2378 -
intel core_i7-11700f -
intel xeon_w-1370p -
intel core_i5-1140g7 -
intel core_i9-11900f -
intel core_i7-11800h -
intel core_i5-11400 -
intel core_i5-11400h -
intel core_i5-11600kf -
intel celeron_6305e -
intel core_i5-1135g7 -
intel xeon_w-11865mre -
intel core_i5-1035g1 -
intel core_i5-11260h -
intel core_i9-11900t -
intel core_i7-11390h -
intel xeon_platinum_8321hc -
intel xeon_platinum_8368q -
intel xeon_platinum_8380 -
intel pentium_gold_7505 -
intel core_i5-11600k -
intel xeon_w-1390p -
intel xeon_w-1350p -
intel celeron_6600he -
intel xeon_e-2334 -
intel core_i5-1035g7 -
intel core_i7-1165g7 -
intel core_i7-1185gre -
intel core_i3-1005g1 -
intel xeon_gold_5300 -
intel xeon_w-11155mle -
intel xeon_platinum_8368 -
intel core_i9-11950h -
intel core_i7-11850he -
intel xeon_w-11555mre -
intel xeon_platinum_8360 -
intel core_i5-11500t -
intel xeon_w-11865mle -
intel xeon_silver_4300 -
intel core_i7-11700kf -
intel xeon_platinum_8380hl -
intel xeon_e-2356g -
intel core_i3-1125g4 -
intel xeon_e-2388g -
intel xeon_w-1390 -
intel xeon_w-11955m -
intel xeon_platinum_8352m -
intel xeon_platinum_8358 -
intel core_i5-1145gre -
intel core_i5-1030g7 -
intel core_i5-11400t -
intel core_i7-1185g7e -
intel xeon_platinum_8352y -
intel xeon_e-2386g -
intel celeron_6305 -
intel core_i5-11300h -
intel core_i7-1160g7 -
intel xeon_platinum_8376h -
intel core_i5-11500 -
intel xeon_platinum_8351n -
intel xeon_w-11155mre -
intel xeon_e-2314 -
intel core_i5-1035g4 -
intel core_i5-1030g4 -
intel core_i9-11900h -
intel xeon_platinum_8380h -
intel xeon_platinum_8352s -
intel xeon_e-2324g -
intel xeon_w-11555mle -
intel xeon_platinum_8360hl -
intel core_i7-11370h -
intel core_i7-11375h -
intel core_i3-1120g4 -
intel core_i7-11850h -
intel xeon_w-11855m -
intel xeon_platinum_8352v -
intel core_i5-11500h -
intel core_i3-1115gre -
intel xeon_w-1390t -
intel core_i9-11980hk -
intel xeon_platinum_8362 -
intel xeon_platinum_8354h -
intel xeon_platinum_8358p -
intel core_i7-1185g7 -
intel xeon_e-2374g -
intel core_i9-11900kf -
intel core_i9-11900k -
intel xeon_e-2336 -
intel core_i7-1180g7 -
intel core_i7-1065g7 -
intel core_i5-1130g7 -
intel core_i5-11320h -
intel core_i3-1115g4 -
intel core_i5-1155g7 -
netapp fas/aff_bios -
intel xeon_platinum_8353h -
intel core_i5-11600t -
intel xeon_e-2378g -
intel xeon_w-1370 -
intel xeon_platinum_8360y -
CVE-2021-0156 MEDIUM

Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel xeon_d-1528_firmware -
intel core_i7-9700k_firmware -
intel xeon_d-1523n_firmware -
intel xeon_platinum_8256_firmware -
intel core_i7-8709g_firmware -
intel xeon_gold_5218b_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_w-3323_firmware -
intel xeon_d-1541_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel xeon_silver_4109t_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel xeon_platinum_8158_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel atom_c3808_firmware -
intel core_i5-8400h_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i5-6500_firmware -
intel xeon_w-11855m_firmware -
intel xeon_e-2286m_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_w-1290e_firmware -
intel xeon_bronze_3204_firmware -
intel core_i7-6660u_firmware -
intel core_i7-5930k_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8176f_firmware -
intel core_i5-8200y_firmware -
intel xeon_gold_6136_firmware -
intel core_i7-6700t_firmware -
intel xeon_bronze_3106_firmware -
intel xeon_d-1577_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_gold_6138f_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel atom_c3508_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3275m_firmware -
intel core_i3-7101te_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6142f_firmware -
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i3-6098p_firmware -
intel core_i9-10900x_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_platinum_8180_firmware -
intel xeon_e-2278ge_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_gold_6138p_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel xeon_e-2186m_firmware -
intel xeon_e-2224g_firmware -
intel xeon_d-1602_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1250te_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel xeon_w-3175x_firmware -
intel xeon_e-2276g_firmware -
intel xeon_d-1633n_firmware -
intel core_i3-7300_firmware -
intel core_i7-4820k_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_d-1559_firmware -
intel core_i3-6100t_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-11865mle_firmware -
intel xeon_d-1537_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel atom_c3858_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-11600k_firmware -
intel core_i7-5960x_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6138t_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6126t_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel xeon_gold_6142_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel xeon_e-2176m_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1529_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i7-5820k_firmware -
intel xeon_d-1557_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel atom_c3950_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel core_i7-3940xm_firmware -
intel xeon_w-2133_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel core_i7-6870hq_firmware -
intel xeon_gold_6258r_firmware -
intel core_i5-9500e_firmware -
intel atom_c3336_firmware -
intel atom_c3850_firmware -
intel core_i3-1115g4e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-6950x_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel core_i7-3930k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel core_i9-11900h_firmware -
intel core_i3-9300t_firmware -
intel xeon_gold_6126_firmware -
intel core_i5-11400_firmware -
intel xeon_gold_6154_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel core_i3-9100te_firmware -
intel xeon_w-1250_firmware -
intel xeon_e-2278gel_firmware -
intel core_i7-6820hq_firmware -
intel atom_c3758_firmware -
intel xeon_silver_4208_firmware -
intel xeon_e-2254ml_firmware -
intel core_i7-11390h_firmware -
intel core_m3-6y30_firmware -
intel xeon_silver_4116_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_d-1531_firmware -
intel xeon_w-2225_firmware -
intel core_i7-9750h_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel core_i7-11850he_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-6440eq_firmware -
intel xeon_w-11955m_firmware -
intel core_i5-11300h_firmware -
intel xeon_silver_4110_firmware -
intel core_i3-8100h_firmware -
intel xeon_w-1270e_firmware -
intel atom_c3708_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel core_i7-6500u_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel core_i5-10500e_firmware -
intel xeon_w-11555mle_firmware -
intel core_m3-7y30_firmware -
intel xeon_e-2388g_firmware -
intel xeon_d-1571_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel core_i7-4940mx_firmware -
intel xeon_platinum_8153_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i9-9920x_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel xeon_gold_6130f_firmware -
intel xeon_e-2254me_firmware -
intel core_i5-1155g7_firmware -
intel xeon_w-3365_firmware -
intel xeon_d-1649n_firmware -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel xeon_gold_6132_firmware -
netapp fas/aff_bios -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_d-1637_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel core_i5-7200u_firmware -
intel xeon_gold_5215_firmware -
intel atom_c3538_firmware -
intel core_i5-6585r_firmware -
intel xeon_gold_6152_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i9-9820x_firmware -
intel xeon_w-1290te_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel core_i7-6700hq_firmware -
intel xeon_d-1533n_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-1270te_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel core_i5-11500t_firmware -
intel core_i7-3820_firmware -
intel xeon_silver_4108_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel xeon_d-1623n_firmware -
intel xeon_platinum_8160_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel atom_c3338_firmware -
intel xeon_platinum_9222_firmware -
intel core_i5-6440hq_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel core_i9-10980xe_firmware -
intel xeon_gold_5122_firmware -
intel xeon_gold_6238l_firmware -
intel core_i7-6600u_firmware -
intel xeon_gold_6226r_firmware -
intel core_i9-10900t_firmware -
intel xeon_gold_6146_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8160f_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel xeon_platinum_8170_firmware -
intel xeon_w-1250e_firmware -
intel core_i3-10105t_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel xeon_d-1540_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-6100_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_e-2276m_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel core_i7-3970x_firmware -
intel xeon_platinum_8164_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel xeon_silver_4116t_firmware -
intel xeon_e-2246g_firmware -
intel atom_c3558r_firmware -
intel core_i7-7700hq_firmware -
intel core_i7-6920hq_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-6700k_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel xeon_silver_4114t_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_d-1513n_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
netapp cloud_backup -
intel atom_c3436l_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
intel core_i7-6850k_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel core_m5-6y57_firmware -
intel xeon_w-10855m_firmware -
intel xeon_e-2226ge_firmware -
intel atom_c3955_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_gold_6144_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6130_firmware -
intel core_i7-8559u_firmware -
intel xeon_w-3335_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-6400_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel atom_c3958_firmware -
intel core_i7-7y75_firmware -
intel xeon_w-3345_firmware -
intel xeon_w-1290_firmware -
intel xeon_silver_4112_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel xeon_d-1653n_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1627_firmware -
intel core_i7-6770hq_firmware -
intel xeon_gold_6148f_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel core_i7-4930k_firmware -
intel core_i5-6287u_firmware -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-3375_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_gold_6126f_firmware -
intel core_i3-6167u_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-11600_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-6360u_firmware -
intel core_i5-1145gre_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel xeon_platinum_8156_firmware -
intel core_i7-8500y_firmware -
intel atom_c3558_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel core_i5-7440hq_firmware -
intel core_i5-1145g7_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel xeon_d-1548_firmware -
intel core_i7-6560u_firmware -
intel core_i7-6900k_firmware -
intel core_i7-7660u_firmware -
intel atom_c3750_firmware -
intel core_i5-8500_firmware -
intel xeon_e-2276ml_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5120t_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i7-7920hq_firmware -
intel xeon_d-1553n_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel core_i7-8665u_firmware -
intel xeon_gold_5119t_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel xeon_gold_6138_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_bronze_3104_firmware -
intel xeon_gold_6140_firmware -
intel xeon_w-2175_firmware -
intel xeon_platinum_8160t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-4960x_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel xeon_platinum_8168_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel xeon_gold_6130t_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_5118_firmware -
intel xeon_e-2146g_firmware -
intel xeon_platinum_8176_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-6300u_firmware -
intel core_i5-11500h_firmware -
intel core_i7-11700kf_firmware -
intel core_i7-6800k_firmware -
intel atom_c3758r_firmware -
intel core_i5-11400h_firmware -
intel atom_c3338r_firmware -
intel xeon_gold_6246_firmware -
intel xeon_gold_6148_firmware -
intel core_i3-10110u_firmware -
intel xeon_gold_6128_firmware -
intel xeon_d-1539_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
intel xeon_gold_5115_firmware -
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6226_firmware -
intel xeon_gold_5120_firmware -
intel core_i5-11500_firmware -
intel xeon_silver_4114_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-3960x_firmware -
intel xeon_gold_6134_firmware -
intel core_i7-4930mx_firmware -
intel core_i3-8300t_firmware -
intel atom_c3308_firmware -
intel core_i7-3920xm_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel xeon_e-2276me_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_gold_6150_firmware -
intel atom_c3830_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2021-1998 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L 1.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2001 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.50 and prior, 5.7.30 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2002 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2006 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.19 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
CVE-2021-2007 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
CVE-2021-2009 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2010 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Client accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Client. CVSS 3.1 Base Score 4.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L 1.6 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
CVE-2021-2011 HIGH

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
oracle mysql *
CVE-2021-2012 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2014 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 5.7.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2016 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2019 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-20190 HIGH

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
apache nifi *
fasterxml jackson-databind *
oracle commerce_guided_search_and_experience_manager 11.3.2
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 9.0
netapp oncommand_api_services -
netapp service_level_manager -
CVE-2021-20197 LOW

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.0 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,CWE-59,CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils *
broadcom brocade_fabric_operating_system_firmware -
CVE-2021-2020 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2021 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-2022 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
fedoraproject fedora 33
oracle mysql *
netapp snapcenter -
CVE-2021-20220 MEDIUM

A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat undertow *
netapp active_iq_unified_manager -
CVE-2021-20225 HIGH

A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2021-20226 MEDIUM

A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of validating the existence of an object prior to performing operations on the object by not incrementing the file reference counter while in use. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp cloud_backup -
CVE-2021-20231 HIGH

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp e-series_performance_analyzer -
gnu gnutls *
netapp active_iq_unified_manager -
fedoraproject fedora 34
CVE-2021-20233 HIGH

A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 8.2
gnu grub2 *
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.4
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_server_aus 7.3
fedoraproject fedora 34
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_eus 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 33
CVE-2021-2024 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2028 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-20284 MEDIUM

A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
gnu binutils 2.35.1
CVE-2021-20289 MEDIUM

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-209,

Products Affected

Vendor Product Version
quarkus quarkus *
oracle communications_cloud_native_core_console 1.9.0
netapp oncommand_insight -
redhat resteasy *
CVE-2021-20293 MEDIUM

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_insight -
redhat resteasy *
CVE-2021-2030 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-20305 MEDIUM

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
debian debian_linux 10.0
nettle_project nettle *
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-2031 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2032 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-20322 MEDIUM

A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,CWE-330,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp fas_baseboard_management_controller_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
oracle communications_cloud_native_core_policy 22.2.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
netapp h410s_firmware -
netapp aff_baseboard_management_controller_firmware -
netapp aff_a700s_firmware -
linux linux_kernel *
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-2036 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2038 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2042 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.3 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 0.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2046 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 2.3 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-20461 MEDIUM

IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting. An attacker could potentially bypass business logic to modify the appearance and behavior of the application. IBM X-Force ID: 196770.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 11.0.13
CVE-2021-20464 MEDIUM

IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user. IBM X-Force ID: 196813.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-20468

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 196825.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-20470 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196339.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-521,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-2048 HIGH

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-20493 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197794.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-2055 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2056 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2058 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2060 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2061 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2065 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2070 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2072 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2076 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2081 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2087 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2088 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-2122 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-21252 MEDIUM

The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
jqueryvalidation jquery_validation *
netapp snapcenter -
CVE-2021-21267 MEDIUM

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-400,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
schema-inspector_project schema-inspector *
netapp oncommand_insight -
CVE-2021-21284 LOW

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 2.3 4.0
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N 2.3 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
docker docker *
debian debian_linux 10.0
CVE-2021-21285 MEDIUM

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-754,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
docker docker *
debian debian_linux 10.0
CVE-2021-21290 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security-advisories@github.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-378,CWE-379,CWE-668,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle communications_design_studio 7.4.2
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_corporate_lending_process_management 14.2.0
netapp active_iq_unified_manager -
oracle banking_credit_facilities_process_management 14.2.0
netty netty *
netapp cloud_secure_agent -
netapp snapcenter -
oracle banking_trade_finance_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.3.0
quarkus quarkus *
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle communications_messaging_server 8.1
oracle banking_trade_finance_process_management 14.2.0
oracle banking_trade_finance_process_management 14.3.0
oracle banking_corporate_lending_process_management 14.3.0
oracle nosql_database *
debian debian_linux 9.0
oracle banking_corporate_lending_process_management 14.5.0
CVE-2021-21295 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
netapp oncommand_workflow_automation -
quarkus quarkus *
debian debian_linux 10.0
apache zookeeper 3.5.9
netapp oncommand_api_services -
netty netty *
apache kudu *
CVE-2021-21341 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-21342 MEDIUM

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-918,CWE-918,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21343 MEDIUM

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-73,CWE-502,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21344 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,CWE-502,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
oracle mysql_server *
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21345 MEDIUM

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0
security-advisories@github.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N 1.3 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-502,CWE-78,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21346 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N 1.6 4.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle bi_publisher 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
oracle bi_publisher 12.2.1.3.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
oracle bi_publisher 5.5.0.0.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21347 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N 1.6 4.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle weblogic_server 12.2.1.3.0
oracle communications_unified_inventory_management 7.3.2
oracle weblogic_server 12.1.3.0.0
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle weblogic_server 14.1.1.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle weblogic_server 12.2.1.4.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21348 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H 1.6 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-502,CWE-400,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
oracle mysql_server *
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21349 MEDIUM

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N 1.6 4.0
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3.9 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-918,CWE-918,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle java_se 7u321
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
oracle java_se 8u311
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
oracle graalvm 21.3.0
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle graalvm 20.3.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21350 HIGH

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,CWE-502,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle weblogic_server 12.2.1.3.0
oracle communications_unified_inventory_management 7.3.2
oracle weblogic_server 12.1.3.0.0
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle weblogic_server 14.1.1.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle weblogic_server 12.2.1.4.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21351 MEDIUM

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N 1.0 4.0
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle communications_policy_management 12.5.0
oracle communications_unified_inventory_management 7.3.2
oracle communications_unified_inventory_management 7.4.1
oracle banking_platform 2.12.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_enterprise_default_management 2.12.0
oracle business_activity_monitoring 12.2.1.3.0
oracle banking_enterprise_default_management 2.10.0
apache jmeter *
apache activemq *
fedoraproject fedora 33
debian debian_linux 9.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
oracle mysql_server *
xstream_project xstream *
oracle banking_platform 2.9.0
netapp oncommand_insight -
apache activemq 5.16.1
fedoraproject fedora 34
oracle banking_virtual_account_management 14.5.0
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_virtual_account_management 14.3.0
oracle banking_platform 2.7.1
apache activemq 5.16.0
oracle banking_platform 2.4.0
fedoraproject fedora 35
oracle webcenter_portal 11.1.1.9.0
oracle retail_xstore_point_of_service 16.0.6
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0.0.3.0
oracle retail_xstore_point_of_service 17.0.4
oracle banking_virtual_account_management 14.2.0
CVE-2021-21409 MEDIUM

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
oracle helidon 1.4.10
oracle primavera_gateway *
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_credit_facilities_process_management 14.2.0
netapp oncommand_api_services -
netty netty *
oracle communications_design_studio 7.4.2.0.0
oracle banking_credit_facilities_process_management 14.3.0
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle banking_trade_finance_process_management 14.2.0
oracle banking_trade_finance_process_management 14.3.0
oracle helidon 2.4.0
oracle coherence 12.2.1.4.0
oracle nosql_database *
oracle banking_corporate_lending_process_management 14.5.0
oracle communications_cloud_native_core_policy 1.14.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jd_edwards_enterpriseone_tools *
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_trade_finance_process_management 14.5.0
quarkus quarkus *
oracle communications_cloud_native_core_console 1.7.0
oracle coherence 14.1.1.0.0
oracle communications_messaging_server 8.1
oracle banking_corporate_lending_process_management 14.3.0
CVE-2021-2144 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2146 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2154 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2160 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.30 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2161 MEDIUM

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mcafee epolicy_orchestrator *
oracle jdk 16.0.0
oracle jdk 1.7.0
oracle openjdk 7
oracle openjdk 8
mcafee epolicy_orchestrator 5.10.0
oracle graalvm 21.0.0.2
oracle jre 1.8.0
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
oracle graalvm 19.3.5
debian debian_linux 10.0
oracle jdk 1.8.0
oracle openjdk 16
netapp hci_management_node -
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
fedoraproject fedora 32
netapp hci_storage_node -
oracle graalvm 20.3.1.2
oracle jdk 11.0.10
netapp hci_compute_node -
CVE-2021-2162 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2163 LOW

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle jdk 16.0.0
oracle jdk 1.8.0
oracle openjdk 16
netapp hci_management_node -
oracle jdk 1.7.0
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle openjdk 7
oracle openjdk 8
fedoraproject fedora 32
oracle graalvm 21.0.0.2
netapp hci_storage_node -
oracle jre 1.8.0
oracle graalvm 20.3.1.2
oracle jdk 11.0.10
netapp solidfire -
fedoraproject fedora 33
netapp hci_compute_node -
debian debian_linux 9.0
oracle graalvm 19.3.5
CVE-2021-2164 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2166 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2169 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2170 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-21702 MEDIUM

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
oracle communications_diameter_signaling_router *
debian debian_linux 10.0
netapp clustered_data_ontap -
debian debian_linux 9.0
php php *
CVE-2021-21703 MEDIUM

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9
security@php.net 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-787,CWE-787,

Products Affected

Vendor Product Version
oracle communications_diameter_signaling_router *
debian debian_linux 10.0
netapp clustered_data_ontap -
fedoraproject fedora 35
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
debian debian_linux 11.0
php php *
CVE-2021-21704 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
security@php.net 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.6 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,CWE-787,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
php php *
CVE-2021-21705 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
oracle sd-wan_aware 8.2
php php *
CVE-2021-21707 MEDIUM

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-159,NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 10.0
tenable tenable.sc *
netapp clustered_data_ontap -
debian debian_linux 11.0
php php *
CVE-2021-2171 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2172 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2174 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2178 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2179 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2180 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2193 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2194 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2196 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 32
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2201 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2202 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2203 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2208 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-22096 MEDIUM

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-117,NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
vmware spring_framework *
netapp metrocluster_tiebreaker -
oracle communications_cloud_native_core_console 1.9.0
netapp management_services_for_element_software_and_netapp_hci -
netapp active_iq_unified_manager -
netapp snapcenter -
netapp snap_creator_framework -
CVE-2021-22118 MEDIUM

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-668,

Products Affected

Vendor Product Version
oracle retail_customer_management_and_segmentation_foundation *
oracle financial_services_analytical_applications_infrastructure *
oracle utilities_testing_accelerator 6.0.0.3.1
oracle mysql_enterprise_monitor *
oracle communications_unified_inventory_management 7.4.1
oracle communications_network_integrity 7.3.6
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle insurance_rules_palette 11.0.2
oracle insurance_rules_palette 11.1.0
oracle documaker *
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle insurance_rules_palette 11.3.1
oracle communications_session_route_manager *
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle retail_financial_integration 15.0.3.1
oracle communications_interactive_session_recorder 6.4
oracle retail_merchandising_system 19.0.1
oracle retail_financial_integration 14.1.3.2
oracle communications_cloud_native_core_binding_support_function 1.9.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.6.0
oracle communications_cloud_native_core_policy 1.14.0
oracle retail_predictive_application_server 14.1.3
oracle insurance_rules_palette 11.2.7
oracle retail_assortment_planning 16.0
oracle healthcare_data_repository 8.1.0
oracle insurance_rules_palette 11.3.0
oracle communications_diameter_intelligence_hub *
oracle retail_predictive_application_server 16.0.3
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle insurance_policy_administration *
oracle enterprise_data_quality 12.2.1.3.0
netapp management_services_for_element_software -
oracle communications_unified_inventory_management 7.5.0
oracle retail_order_broker 16.0
oracle utilities_testing_accelerator 6.0.0.2.2
netapp hci -
oracle communications_session_report_manager *
oracle utilities_testing_accelerator 6.0.0.1.1
oracle retail_integration_bus 15.0.3.1
vmware spring_framework *
oracle enterprise_data_quality 12.2.1.4.0
oracle retail_predictive_application_server 15.0.3
oracle retail_integration_bus 14.1.3.2
oracle communications_element_manager *
oracle retail_financial_integration 16.0.3
oracle retail_integration_bus 16.0.3
CVE-2021-2212 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2213 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2215 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2217 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2226 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2230 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2232 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 1.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 1.9 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 0.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-22543 MEDIUM

An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve-coordination@google.com 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
linux linux_kernel 2021-05-18
debian debian_linux 9.0
CVE-2021-22555 MEDIUM

A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 8.3 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.6 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp c250_firmware -
netapp h610s_firmware -
netapp solidfire_baseboard_management_controller *
netapp hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp fas_8300_firmware -
netapp aff_a250_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp h610c_firmware -
netapp fas_8700_firmware -
netapp c400_firmware -
netapp aff_a400_firmware -
brocade fabric_operating_system -
netapp aff_500f_firmware -
CVE-2021-22570 LOW

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6
cve-coordination@google.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
debian debian_linux 10.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
debian debian_linux 11.0
fedoraproject fedora 35
google protobuf *
debian debian_linux 9.0
CVE-2021-22600 HIGH

A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,CWE-415,

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp 8700_firmware -
netapp h500s_firmware -
linux linux_kernel 5.16
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp a400_firmware -
linux linux_kernel *
netapp 8300_firmware -
debian debian_linux 9.0
netapp c400_firmware -
CVE-2021-2278 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-22876 MEDIUM

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-359,CWE-200,

Products Affected

Vendor Product Version
oracle essbase 21.2
netapp hci_management_node -
fedoraproject fedora 34
fedoraproject fedora 32
broadcom fabric_operating_system -
netapp hci_storage_node -
oracle communications_billing_and_revenue_management 12.0.0.3.0
netapp solidfire -
fedoraproject fedora 33
netapp hci_compute_node -
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
haxx libcurl *
CVE-2021-22883 HIGH

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-772,

Products Affected

Vendor Product Version
oracle jd_edwards_enterpriseone_tools *
oracle peoplesoft_enterprise_peopletools 8.59
fedoraproject fedora 34
netapp e-series_performance_analyzer -
oracle peoplesoft_enterprise_peopletools 8.58
fedoraproject fedora 32
oracle graalvm 21.0.0.2
oracle graalvm 20.3.1.2
nodejs node.js *
oracle mysql_cluster *
oracle nosql_database *
fedoraproject fedora 33
siemens sinec_infrastructure_network_services *
oracle graalvm 19.3.5
CVE-2021-22884 MEDIUM

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-350,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jd_edwards_enterpriseone_tools *
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp snapcenter -
netapp e-series_performance_analyzer -
oracle peoplesoft_enterprise_peopletools 8.58
fedoraproject fedora 32
oracle graalvm 21.0.0.2
oracle graalvm 20.3.1.2
nodejs node.js *
oracle mysql_cluster *
oracle nosql_database *
fedoraproject fedora 33
siemens sinec_infrastructure_network_services *
oracle graalvm 19.3.5
CVE-2021-22890 MEDIUM

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-300,CWE-290,

Products Affected

Vendor Product Version
oracle essbase 21.2
netapp hci_management_node -
fedoraproject fedora 34
fedoraproject fedora 32
broadcom fabric_operating_system -
netapp hci_storage_node -
oracle communications_billing_and_revenue_management 12.0.0.3.0
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
haxx libcurl *
CVE-2021-22897 MEDIUM

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-668,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp cloud_backup -
netapp hci_compute_node_firmware -
oracle mysql_server *
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle essbase *
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-22901 MEDIUM

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp snapcenter -
netapp h700s_firmware -
netapp h410s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp cloud_backup -
netapp oncommand_workflow_automation -
netapp hci_compute_node_firmware -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle essbase *
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-22922 MEDIUM

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-755,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle mysql_server *
netapp hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-22923 LOW

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

CVSS 2.0

Severity: LOW

Problem Type: CWE-319,CWE-319,CWE-522,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle mysql_server *
netapp hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-22924 MEDIUM

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-706,

Products Affected

Vendor Product Version
siemens simatic_cp_1543-1_firmware *
siemens scalance_m876-3_firmware *
siemens scalance_m816-1_firmware *
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
debian debian_linux 11.0
siemens scalance_s615_firmware *
siemens simatic_rtu3010c_firmware *
siemens simatic_rtu_3041c_firmware *
netapp cloud_backup -
siemens logo!_cmr2040_firmware *
fedoraproject fedora 33
debian debian_linux 9.0
siemens scalance_m874-2_firmware *
siemens scalance_m804pb_firmware *
siemens ruggedcomrm_1224_lte_firmware *
debian debian_linux 10.0
siemens simatic_rtu3031c_firmware *
oracle mysql_server *
oracle peoplesoft_enterprise_peopletools 8.59
siemens sinema_remote_connect *
siemens sinema_remote_connect_server *
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
siemens simatic_cp_1545-1_firmware *
netapp clustered_data_ontap -
siemens simatic_rtu3030c_firmware *
siemens siplus_net_cp_1543-1_firmware *
siemens scalance_m876-4_firmware *
siemens scalance_mum856-1_firmware *
siemens scalance_m826-2_firmware *
siemens scalance_m812-1_firmware *
siemens scalance_m874-3_firmware *
siemens sinec_infrastructure_network_services *
siemens logo!_cmr2020_firmware *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
haxx libcurl *
CVE-2021-22925 MEDIUM

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-908,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
apple macos 11.3.1
apple macos 11.2.1
apple macos 11.0.1
apple macos 11.0
netapp h500s_firmware -
apple macos 11.1
netapp h700s_firmware -
netapp h410s_firmware -
netapp cloud_backup -
netapp solidfire -
fedoraproject fedora 33
apple macos 11.5
apple macos 11.4
oracle mysql_server *
netapp hci_management_node -
oracle peoplesoft_enterprise_peopletools 8.59
apple macos 11.1.0
apple mac_os_x 10.15.7
haxx curl *
siemens sinema_remote_connect_server *
apple macos 11.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
apple macos 11.3
CVE-2021-22926 MEDIUM

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-295,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp oncommand_workflow_automation -
netapp h300e_firmware -
oracle mysql_server *
netapp hci_management_node -
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
netapp snapcenter -
netapp h700s_firmware -
netapp h410s_firmware -
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
netapp clustered_data_ontap -
netapp solidfire -
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-2293 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-22930 HIGH

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 10.0
nodejs node.js *
netapp nextgen_api -
siemens sinec_infrastructure_network_services *
CVE-2021-22931 HIGH

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-170,CWE-20,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
nodejs node.js *
oracle graalvm 20.3.3
oracle mysql_cluster *
oracle graalvm 21.2.0
netapp nextgen_api -
siemens sinec_infrastructure_network_services *
CVE-2021-22939 MEDIUM

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.58
debian debian_linux 10.0
oracle peoplesoft_enterprise_peopletools 8.57
nodejs node.js *
oracle jd_edwards_enterpriseone_tools *
oracle graalvm 20.3.3
oracle peoplesoft_enterprise_peopletools 8.59
oracle mysql_cluster *
oracle graalvm 21.2.0
netapp nextgen_api -
siemens sinec_infrastructure_network_services *
CVE-2021-22940 MEDIUM

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.58
debian debian_linux 10.0
oracle peoplesoft_enterprise_peopletools 8.57
nodejs node.js *
oracle jd_edwards_enterpriseone_tools *
oracle graalvm 20.3.3
oracle peoplesoft_enterprise_peopletools 8.59
oracle graalvm 21.2.0
netapp nextgen_api -
siemens sinec_infrastructure_network_services *
CVE-2021-22945 MEDIUM

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,CWE-415,CWE-415,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
oracle mysql_server *
apple macos *
netapp h500s_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
siemens sinec_ins *
netapp clustered_data_ontap -
netapp cloud_backup -
fedoraproject fedora 35
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
haxx libcurl *
CVE-2021-22946 MEDIUM

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-325,CWE-319,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
netapp solidfire_baseboard_management_controller_firmware -
apple macos *
oracle commerce_guided_search 11.3.2
netapp h500s_firmware -
netapp snapcenter -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
netapp oncommand_workflow_automation -
oracle communications_cloud_native_core_console 22.2.0
debian debian_linux 10.0
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle mysql_server *
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_cloud_native_core_binding_support_function 1.11.0
netapp clustered_data_ontap -
oracle communications_cloud_native_core_network_repository_function 22.1.0
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-22947 MEDIUM

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,CWE-345,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
netapp solidfire_baseboard_management_controller_firmware -
apple macos *
oracle commerce_guided_search 11.3.2
netapp h500s_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_console 22.2.0
debian debian_linux 10.0
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle mysql_server *
oracle peoplesoft_enterprise_peopletools 8.59
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
haxx curl *
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
oracle communications_cloud_native_core_network_repository_function 22.1.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_cloud_native_core_binding_support_function 1.11.0
netapp clustered_data_ontap -
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-2298 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2299 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2300 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2301 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-23017 MEDIUM

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-193,CWE-193,

Products Affected

Vendor Product Version
oracle enterprise_telephony_fraud_monitor 4.4
netapp ontap_select_deploy_administration_utility -
oracle communications_operations_monitor 4.4
oracle goldengate *
oracle communications_operations_monitor 4.2
oracle enterprise_telephony_fraud_monitor 3.4
oracle blockchain_platform *
oracle communications_control_plane_monitor 4.2
oracle communications_control_plane_monitor 4.4
f5 nginx *
fedoraproject fedora 33
openresty openresty *
oracle communications_session_border_controller 8.4
oracle communications_control_plane_monitor 3.4
oracle enterprise_communications_broker 3.3.0
fedoraproject fedora 34
oracle enterprise_session_border_controller 8.4
oracle communications_fraud_monitor *
oracle communications_operations_monitor 3.4
oracle communications_operations_monitor 4.3
oracle communications_control_plane_monitor 4.3
oracle communications_session_border_controller 9.0
oracle enterprise_telephony_fraud_monitor 4.2
oracle enterprise_session_border_controller 9.0
oracle enterprise_telephony_fraud_monitor 4.3
CVE-2021-2304 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2305 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2307 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N 1.8 4.2
secalert_us@oracle.com 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N 1.8 4.2

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-2308 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2021-23133 MEDIUM

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@paloaltonetworks.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp solidfire_&_hci_management_node -
broadcom brocade_fabric_operating_system -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 32
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-23239 LOW

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
sudo_project sudo *
netapp cloud_backup -
netapp hci_management_node -
netapp solidfire -
fedoraproject fedora 33
CVE-2021-23240 MEDIUM

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
fedoraproject fedora 32
sudo_project sudo *
netapp hci_management_node -
netapp solidfire -
fedoraproject fedora 33
CVE-2021-23336 MEDIUM

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H 1.6 4.2
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H 1.6 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
oracle enterprise_manager_ops_center 12.4.0.0
djangoproject django *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 34
netapp snapcenter -
oracle communications_pricing_design_center 12.0.0.3.0
netapp inventory_collect_tool -
oracle communications_offline_mediation_controller 12.0.0.3.0
fedoraproject fedora 32
oracle zfs_storage_appliance 8.8
netapp cloud_backup -
python python *
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-23337 MEDIUM

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
report@snyk.io 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
oracle banking_supply_chain_finance 14.3.0
oracle primavera_gateway *
oracle banking_corporate_lending_process_management 14.2.0
oracle banking_extensibility_workbench 14.2.0
oracle communications_cloud_native_core_policy 1.11.0
oracle banking_credit_facilities_process_management 14.2.0
siemens sinec_ins 1.0
oracle communications_design_studio 7.4.2.0.0
oracle health_sciences_data_management_workbench 3.0.0.0
lodash lodash *
oracle banking_credit_facilities_process_management 14.3.0
siemens sinec_ins *
oracle primavera_unifier 18.8
oracle banking_trade_finance_process_management 14.2.0
oracle banking_trade_finance_process_management 14.3.0
oracle health_sciences_data_management_workbench 2.5.2.1
oracle primavera_unifier 20.12
netapp system_manager 9.0
oracle primavera_unifier *
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle banking_supply_chain_finance 14.5.0
oracle communications_cloud_native_core_binding_support_function 1.9.0
oracle banking_corporate_lending_process_management 14.5.0
oracle primavera_unifier 19.12
oracle banking_supply_chain_finance 14.2.0
oracle communications_session_border_controller 8.4
oracle jd_edwards_enterpriseone_tools *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_credit_facilities_process_management 14.5.0
netapp active_iq_unified_manager -
oracle enterprise_communications_broker 3.3.0
oracle banking_trade_finance_process_management 14.5.0
oracle communications_services_gatekeeper 7.0
oracle banking_extensibility_workbench 14.3.0
oracle enterprise_communications_broker 3.2.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_extensibility_workbench 14.5.0
oracle communications_session_border_controller 9.0
netapp cloud_manager -
oracle banking_corporate_lending_process_management 14.3.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
CVE-2021-23383 HIGH

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
handlebarsjs handlebars *
netapp e-series_performance_analyzer -
CVE-2021-2339 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
CVE-2021-2340 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2342 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-2352 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
CVE-2021-2354 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
CVE-2021-2356 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H 1.6 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
CVE-2021-2357 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
CVE-2021-2367 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-2370 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-2372 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 33
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-2374 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-2383 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-2384 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-23841 MEDIUM

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
oracle mysql_enterprise_monitor *
apple macos *
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
siemens sinec_ins 1.0
netapp snapcenter -
tenable nessus_network_monitor 5.12.0
siemens sinec_ins *
apple iphone_os *
oracle graalvm 21.0.0.2
tenable nessus_network_monitor 5.11.0
apple safari *
oracle graalvm 19.3.5
netapp oncommand_workflow_automation -
openssl openssl *
debian debian_linux 10.0
tenable tenable.sc *
oracle enterprise_manager_for_storage_management 13.4.0.0
oracle essbase 21.2
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
oracle mysql_server *
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
tenable nessus_network_monitor 5.13.0
oracle communications_cloud_native_core_policy 1.15.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
apple ipados *
oracle graalvm 20.3.1.2
tenable nessus_network_monitor 5.11.1
oracle business_intelligence 5.9.0.0.0
oracle jd_edwards_world_security a9.4
oracle business_intelligence 5.5.0.0.0
tenable nessus_network_monitor 5.12.1
CVE-2021-2385 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-2387 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2389 HIGH

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-2390 HIGH

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-191,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-23901 MEDIUM

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
apache nutch *
netapp snap_creator_framework -
CVE-2021-23926 MEDIUM

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
netapp oncommand_unified_manager_core_package -
apache xmlbeans *
oracle middleware_common_libraries_and_tools 12.2.1.3.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp snapmanager -
oracle middleware_common_libraries_and_tools 12.2.1.4.0
debian debian_linux 9.0
netapp snap_creator_framework -
CVE-2021-2399 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2402 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2410 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2411 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: JS module). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
CVE-2021-2412 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2417 HIGH

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H 1.2 4.7

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2418 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2422 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2424 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2425 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2426 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2427 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2429 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2437 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2440 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2441 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2444 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
CVE-2021-2478 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2479 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-2481 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-25214 MEDIUM

In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
isc bind 9.11.27
isc bind 9.11.21
netapp h500s_firmware -
netapp aff_a250_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
isc bind 9.16.13
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
isc bind 9.11.3
debian debian_linux 10.0
isc bind 9.10.7
isc bind 9.11.8
isc bind 9.10.5
isc bind 9.9.12
netapp active_iq_unified_manager -
isc bind 9.11.5
fedoraproject fedora 34
isc bind 9.9.13
isc bind 9.11.6
isc bind 9.9.3
isc bind *
isc bind 9.11.29
isc bind 9.16.8
isc bind 9.11.12
netapp h700e_firmware -
isc bind 9.11.7
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
isc bind 9.16.11
netapp aff_500f_firmware -
CVE-2021-25215 MEDIUM

In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
isc bind 9.11.27
isc bind 9.11.21
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
isc bind 9.16.13
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
isc bind 9.11.3
debian debian_linux 10.0
oracle tekelec_platform_distribution *
isc bind 9.10.7
isc bind 9.11.8
isc bind 9.10.5
isc bind 9.9.12
netapp active_iq_unified_manager -
isc bind 9.11.5
fedoraproject fedora 34
isc bind 9.9.13
isc bind 9.11.6
netapp 500f_firmware -
isc bind 9.9.3
isc bind *
isc bind 9.11.29
isc bind 9.16.8
isc bind 9.11.12
netapp h700e_firmware -
isc bind 9.11.7
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
isc bind 9.16.11
netapp a250_firmware -
CVE-2021-25216 MEDIUM

In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security-officer@isc.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
isc bind 9.11.27
isc bind 9.11.21
netapp h500s_firmware -
netapp aff_a250_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
isc bind 9.16.13
netapp cloud_backup -
debian debian_linux 9.0
isc bind 9.11.3
debian debian_linux 10.0
isc bind 9.10.7
isc bind 9.11.8
isc bind 9.10.5
isc bind 9.9.12
netapp active_iq_unified_manager -
isc bind 9.11.5
isc bind 9.9.13
isc bind 9.11.6
isc bind 9.9.3
isc bind *
isc bind 9.11.29
isc bind 9.16.8
isc bind 9.11.12
netapp h700e_firmware -
isc bind 9.11.7
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
isc bind 9.16.11
netapp aff_500f_firmware -
CVE-2021-25217 LOW

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 2.8 4.0
security-officer@isc.org 7.4 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 2.8 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens ruggedcom_rox_rx1400_firmware *
netapp solidfire_&_hci_management_node -
siemens ruggedcom_rox_rx1536_firmware *
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 34
siemens sinec_ins 1.0
siemens ruggedcom_rox_rx1524_firmware *
isc dhcp *
siemens sinec_ins *
siemens ruggedcom_rox_rx5000_firmware *
siemens ruggedcom_rox_rx1500_firmware *
siemens ruggedcom_rox_rx1512_firmware *
siemens ruggedcom_rox_rx1501_firmware *
siemens ruggedcom_rox_rx1510_firmware *
fedoraproject fedora 33
isc dhcp 4.1-esv
siemens ruggedcom_rox_mx5000_firmware *
debian debian_linux 9.0
siemens ruggedcom_rox_rx1511_firmware *
CVE-2021-25219 MEDIUM

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
isc bind 9.11.27
oracle http_server 12.2.1.4.0
isc bind 9.11.21
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
isc bind 9.16.13
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
isc bind 9.11.3
isc bind 9.11.35
debian debian_linux 10.0
isc bind 9.10.7
isc bind 9.11.8
oracle zfs_storage_appliance_kit 8.8
isc bind 9.10.5
isc bind 9.9.12
isc bind 9.11.5
fedoraproject fedora 34
isc bind 9.9.13
isc bind 9.11.6
isc bind 9.16.21
isc bind 9.9.3
isc bind *
oracle http_server 12.2.1.3.0
isc bind 9.11.29
fedoraproject fedora 35
isc bind 9.16.8
isc bind 9.11.12
netapp h700e_firmware -
isc bind 9.11.7
netapp h500e_firmware -
siemens sinec_infrastructure_network_services *
isc bind 9.16.11
CVE-2021-25220 MEDIUM

BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
juniper junos 21.1
fedoraproject fedora 36
juniper junos 22.2
netapp baseboard_management_controller_h500e_firmware -
juniper junos 20.2
netapp h500s_firmware -
netapp h410c_firmware -
siemens sinec_ins 1.0
netapp h700s_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
siemens sinec_ins *
juniper junos 21.2
netapp baseboard_management_controller_h700s_firmware -
juniper junos *
juniper junos 19.4
netapp baseboard_management_controller_h410c_firmware -
juniper junos 20.4
netapp baseboard_management_controller_h300s_firmware -
juniper junos 19.3
juniper junos 20.3
fedoraproject fedora 34
netapp baseboard_management_controller_h300e_firmware -
juniper junos 21.3
netapp baseboard_management_controller_h410s_firmware -
juniper junos 21.4
netapp baseboard_management_controller_h500s_firmware -
isc bind *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
juniper junos 22.1
CVE-2021-25742 MEDIUM

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
jordan@liggitt.net 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp trident -
kubernetes ingress-nginx *
kubernetes ingress-nginx 1.0.0
CVE-2021-26117 MEDIUM

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
oracle flexcube_private_banking 12.0.0
netapp oncommand_workflow_automation -
oracle communications_session_report_manager *
oracle communications_session_route_manager *
apache activemq_artemis *
oracle flexcube_private_banking 12.1.0
oracle communications_element_manager *
apache activemq *
debian debian_linux 9.0
CVE-2021-26118 MEDIUM

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
apache activemq_artemis 2.15.0
CVE-2021-26296 MEDIUM

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
apache myfaces *
netapp oncommand_insight -
apache myfaces 3.0.0
apache myfaces 2.3
CVE-2021-26691 HIGH

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
oracle enterprise_manager_ops_center 12.4.0.0
oracle secure_backup *
fedoraproject fedora 34
oracle instantis_enterprisetrack 17.2
netapp cloud_backup -
fedoraproject fedora 35
debian debian_linux 9.0
CVE-2021-26707 HIGH

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1321,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
merge-deep_project merge-deep *
CVE-2021-26708 MEDIUM

A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,

Products Affected

Vendor Product Version
netapp hci_h410c_firmware -
netapp baseboard_management_controller_500f_firmware *
linux linux_kernel *
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
netapp aff_baseboard_management_controller -
netapp fas_baseboard_management_controller -
netapp baseboard_management_controller_a250_firmware *
netapp solidfire_baseboard_management_controller -
CVE-2021-26932 LOW

An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp hci_h410c_firmware -
linux linux_kernel *
netapp solidfire_&_hci_management_node -
netapp cloud_backup -
fedoraproject fedora 33
netapp hci_compute_node -
debian debian_linux 9.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
CVE-2021-26987 HIGH

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
vmware spring_boot *
netapp management_services_for_element_software_and_netapp_hci *
netapp element_plug-in_for_vcenter_server *
netapp solidfire_&_hci_management_node *
CVE-2021-26988 LOW

Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P8 and 9.8 are susceptible to a vulnerability which could allow unauthorized tenant users to discover information related to converting a 7-Mode directory to Cluster-mode such as Storage Virtual Machine (SVM) names, volume names, directory paths and Job IDs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.1 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-862,

Products Affected

Vendor Product Version
netapp data_ontap 9.6.0
netapp data_ontap 9.8.0
netapp data_ontap 9.5.0
netapp data_ontap 9.7.0
netapp data_ontap 9.3.0
CVE-2021-26989 LOW

Clustered Data ONTAP versions prior to 9.3P21, 9.5P16, 9.6P12, 9.7P9 and 9.8 are susceptible to a vulnerability which could allow a remote authenticated attacker to cause a Denial of Service (DoS) on clustered Data ONTAP configured for SMB access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp data_ontap 9.6.0
netapp data_ontap 9.8.0
netapp data_ontap 9.5.0
netapp data_ontap 9.7.0
netapp data_ontap 9.3.0
CVE-2021-26990 HIGH

Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-26991 MEDIUM

Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin Resource Sharing (CORS) policy which could allow a remote attacker to interact with Cloud Manager.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-26992 MEDIUM

Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability which could allow a remote attacker to cause a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-26993 MEDIUM

E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to cause a partial Denial of Service (DoS) to the web server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2021-26994 MEDIUM

Clustered Data ONTAP versions prior to 9.7P13 and 9.8P3 are susceptible to a vulnerability which could allow single workloads to cause a Denial of Service (DoS) on a cluster node.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.7
netapp clustered_data_ontap 9.8
CVE-2021-26995 MEDIUM

E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow privileged attackers to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2021-26996 MEDIUM

E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to discover system configuration and application information which may aid in crafting more complex attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2021-26997 MEDIUM

E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to discover information via error messaging which may aid in crafting more complex attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2021-26998 MEDIUM

NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-26999 MEDIUM

NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. The logged information is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-27001 LOW

Clustered Data ONTAP versions 9.x prior to 9.5P18, 9.6P16, 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow an authenticated privileged local attacker to arbitrarily modify Compliance-mode WORM data prior to the end of the retention period.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.5
netapp clustered_data_ontap 9.6
netapp clustered_data_ontap 9.9.1
netapp clustered_data_ontap 9.7
netapp clustered_data_ontap 9.8
CVE-2021-27002 MEDIUM

NetApp Cloud Manager versions prior to 3.9.10 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to retrieve sensitive data via the web proxy.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp cloud_manager *
CVE-2021-27003 MEDIUM

Clustered Data ONTAP versions prior to 9.5P18, 9.6P15, 9.7P14, 9.8P5 and 9.9.1 are missing an X-Frame-Options header which could allow a clickjacking attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1021,

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.5
netapp clustered_data_ontap 9.6
netapp clustered_data_ontap 9.7
netapp clustered_data_ontap 9.8
CVE-2021-27004 LOW

System Manager 9.x versions 9.7 and higher prior to 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow a local attacker to discover plaintext iSCSI CHAP credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp ontap_system_manager 9.8
netapp ontap_system_manager *
netapp ontap_system_manager 9.7
netapp ontap_system_manager 9.9.12
CVE-2021-27005 MEDIUM

Clustered Data ONTAP versions 9.6 and higher prior to 9.6P16, 9.7P16, 9.8P7 and 9.9.1P3 are susceptible to a vulnerability which could allow a remote attacker to cause a crash of the httpd server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp ontap_system_manager 9.8
netapp ontap_system_manager *
netapp ontap_system_manager 9.7
netapp ontap_system_manager 9.9.12
CVE-2021-27006 LOW

StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2021-27007 HIGH

NetApp Virtual Desktop Service (VDS) when used with an HTML5 gateway is susceptible to a vulnerability which when successfully exploited could allow an unauthenticated attacker to takeover a Remote Desktop Session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp virtual_desktop_service *
CVE-2021-27218 MEDIUM

An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-681,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
gnome glib *
netapp cloud_backup -
netapp active_iq_unified_manager -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
broadcom brocade_fabric_operating_system_firmware -
CVE-2021-27219 MEDIUM

An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-681,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
gnome glib *
netapp cloud_backup -
netapp active_iq_unified_manager -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
broadcom brocade_fabric_operating_system_firmware -
CVE-2021-27358 MEDIUM

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
grafana grafana *
CVE-2021-27363 LOW

An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L 1.8 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
debian debian_linux 9.0
CVE-2021-27364 LOW

An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 20.04
oracle tekelec_platform_distribution *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
canonical ubuntu_linux 14.04
debian debian_linux 9.0
CVE-2021-27365 MEDIUM

An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle tekelec_platform_distribution *
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
debian debian_linux 9.0
CVE-2021-28038 MEDIUM

An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
linux linux_kernel 5.12
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
debian debian_linux 9.0
CVE-2021-28039 LOW

An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-131,

Products Affected

Vendor Product Version
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
xen xen -
CVE-2021-28041 MEDIUM

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3.0
netapp hci_storage_node_firmware -
netapp hci_compute_node_firmware -
oracle zfs_storage_appliance 8.8
netapp cloud_backup -
netapp hci_management_node -
openbsd openssh *
netapp solidfire -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-28163 MEDIUM

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-59,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle banking_digital_experience 20.1
netapp santricity_cloud_connector -
netapp vasa_provider_for_clustered_data_ontap *
netapp snapcenter -
oracle autovue_for_agile_product_lifecycle_management 21.0.2
eclipse jetty 10.0.1
oracle communications_element_manager 8.2.2
oracle communications_session_route_manager *
eclipse jetty 10.0.0
fedoraproject fedora 33
eclipse jetty 11.0.0
netapp snapcenter_plug-in -
apache ignite *
netapp virtual_storage_console *
oracle siebel_core_-_automation *
eclipse jetty 11.0.1
netapp element_plug-in_for_vcenter_server -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
oracle communications_services_gatekeeper 7.0
eclipse jetty *
oracle banking_digital_experience 21.1
apache solr 8.8.1
netapp e-series_performance_analyzer -
netapp storage_replication_adapter_for_clustered_data_ontap *
oracle banking_apis 20.1
oracle communications_session_report_manager *
fedoraproject fedora 32
oracle banking_apis 21.1
netapp cloud_manager -
CVE-2021-28164 MEDIUM

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-551,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle banking_digital_experience 20.1
netapp snapcenter_plug-in -
eclipse jetty 9.4.37
netapp virtual_storage_console *
oracle siebel_core_-_automation *
netapp element_plug-in_for_vcenter_server -
netapp santricity_cloud_connector -
netapp vasa_provider_for_clustered_data_ontap *
netapp e-series_santricity_web_services -
netapp snapcenter -
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle banking_digital_experience 21.1
netapp e-series_performance_analyzer -
netapp storage_replication_adapter_for_clustered_data_ontap *
oracle banking_apis 20.1
oracle communications_session_route_manager *
oracle banking_apis 21.1
netapp cloud_manager -
eclipse jetty 9.4.38
CVE-2021-28165 HIGH

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
emo@eclipse.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-551,CWE-755,CWE-755,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle communications_cloud_native_core_policy 1.14.0
netapp e-series_performance_analyzer *
oracle siebel_core_-_automation *
netapp santricity_cloud_connector -
netapp e-series_santricity_web_services *
jenkins jenkins *
netapp snapcenter *
netapp ontap_tools *
netapp vasa_provider_for_clustered_data_ontap *
oracle communications_services_gatekeeper 7.0
eclipse jetty *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
netapp santricity_web_services_proxy *
netapp storage_replication_adapter_for_clustered_data_ontap *
oracle communications_session_report_manager *
oracle communications_element_manager 8.2.2
oracle communications_session_route_manager *
netapp e-series_santricity_storage *
netapp cloud_manager *
oracle rest_data_services *
CVE-2021-28169 MEDIUM

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
emo@eclipse.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
netapp hci -
debian debian_linux 10.0
netapp active_iq_unified_manager -
debian debian_linux 9.0
oracle rest_data_services *
netapp snap_creator_framework -
netapp management_services_for_element_software -
eclipse jetty *
CVE-2021-28375 HIGH

An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-28651 MEDIUM

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp cloud_manager -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
squid-cache squid *
CVE-2021-28660 HIGH

rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp solidfire_baseboard_management_controller_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-28691 MEDIUM

Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-28951 MEDIUM

An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concurrently that SQPOLL thread is waiting for a signal to start, aka CID-3ebba796fa25.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,

Products Affected

Vendor Product Version
netapp fas_500f_firmware -
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
fedoraproject fedora 34
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2021-28952 MEDIUM

An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This has been fixed in 5.12-rc4.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp fas_500f_firmware -
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
fedoraproject fedora 34
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2021-28957 MEDIUM

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle zfs_storage_appliance_kit 8.8
lxml lxml *
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-28964 LOW

A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp fas_500f_firmware -
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
netapp aff_a250_firmware -
CVE-2021-28971 MEDIUM

In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
netapp aff_a250_firmware -
netapp aff_500f_firmware -
CVE-2021-28972 HIGH

In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
fedoraproject fedora 32
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 33
fedoraproject fedora 34
netapp fas/aff_baseboard_management_controller -
CVE-2021-29154 HIGH

BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-29425 MEDIUM

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-22,

Products Affected

Vendor Product Version
oracle application_testing_suite 13.3.0.1
oracle retail_service_backbone 19.0.1
oracle utilities_testing_accelerator 6.0.0.3.1
oracle retail_service_backbone 14.1.3.2
oracle access_manager 12.2.1.3.0
oracle enterprise_communications_broker 3.3
oracle flexcube_core_banking 5.2.0
oracle commerce_guided_search 11.3.2
oracle agile_plm 9.3.6
oracle insurance_rules_palette 11.1.0
oracle communications_pricing_design_center 12.0.0.4.0
oracle banking_enterprise_default_managment *
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
oracle retail_service_backbone 19.0.0
oracle retail_order_broker 19.1
oracle banking_enterprise_default_management 2.10.0
oracle health_sciences_data_management_workbench 2.5.2.1
apache commons_io 2.6
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle retail_integration_bus 19.0.1
oracle retail_merchandising_system 19.0.1
oracle communications_policy_management 12.5.0.0.0
oracle banking_apis 19.1
oracle communications_service_broker 6.2
oracle communications_contacts_server 8.0.0.6.0
oracle primavera_unifier 21.12
oracle application_performance_management 13.4.1.0
oracle communications_order_and_service_management 7.4
oracle retail_xstore_point_of_service 19.0.2
oracle communications_application_session_controller 3.9.0
oracle enterprise_session_border_controller 8.4
oracle banking_digital_experience 18.1
oracle retail_order_broker 16.0
oracle banking_apis 20.1
oracle utilities_testing_accelerator 6.0.0.1.1
oracle banking_digital_experience 19.2
oracle banking_platform 2.7.0
oracle retail_integration_bus 14.1.3.2
apache commons_io 2.2
oracle retail_integration_bus 14.1.3.0
oracle enterprise_session_border_controller 9.0
oracle financial_services_analytical_applications_infrastructure *
oracle flexcube_core_banking *
oracle retail_assortment_planning 16.0.3
oracle communications_interactive_session_recorder 6.3
oracle retail_size_profile_optimization 16.0.3
oracle insurance_rules_palette 11.3.1
oracle primavera_unifier *
oracle communications_interactive_session_recorder 6.4
oracle retail_integration_bus *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle healthcare_data_repository 8.1.0
oracle insurance_rules_palette 11.3.0
oracle flexcube_core_banking 11.10.0
oracle banking_party_management 2.7.0
oracle retail_integration_bus 13.0
oracle banking_apis 18.2
oracle banking_digital_experience 21.1
oracle rest_data_services 21.3
oracle insurance_policy_administration 11.0.2
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
oracle retail_service_backbone 15.0.3.1
oracle banking_apis 19.2
oracle solaris_cluster 4.0
oracle banking_digital_experience 20.1
oracle real_user_experience_insight 13.4.1.0
oracle banking_apis 18.1
oracle insurance_rules_palette 11.0.2
oracle insurance_policy_administration 11.3.0
oracle retail_xstore_point_of_service 20.0.1
oracle communications_convergence 3.0.2.2.0
oracle blockchain_platform *
oracle insurance_rules_palette 11.2.8
oracle banking_digital_experience 17.2
oracle primavera_unifier 20.12
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle rest_data_services *
oracle communications_offline_mediation_controller 12.0.0.3
oracle retail_order_broker 18.0
oracle banking_apis 18.3
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_enterprise_default_management 2.7.0
oracle banking_enterprise_default_management 2.6.2
oracle retail_integration_bus 19.0.0
oracle financial_services_model_management_and_governance *
oracle banking_platform 2.7.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_testing_accelerator 6.0.0.2.2
oracle retail_integration_bus 15.0.3.1
apache commons_io 2.3
oracle banking_apis 21.1
oracle helidon 1.4.7
oracle communications_order_and_service_management 7.3
oracle oss_support_tools *
oracle retail_service_backbone *
oracle banking_platform *
oracle retail_service_backbone 14.1.3.0
oracle communications_design_studio 7.3.5
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.1.3.0.0
oracle banking_platform 2.6.2
oracle insurance_policy_administration 11.2.8
apache commons_io 2.4
oracle agile_engineering_data_management 6.2.1.0
oracle health_sciences_data_management_workbench 3.0.0.0
oracle retail_xstore_point_of_service 18.0.3
oracle access_manager 12.2.1.4.0
oracle weblogic_server 14.1.1.0.0
oracle banking_enterprise_default_management 2.12.0
oracle fusion_middleware_mapviewer 12.2.1.4.0
debian debian_linux 9.0
oracle real_user_experience_insight 13.5.1.0
oracle access_manager 11.1.2.3.0
oracle communications_diameter_intelligence_hub *
oracle health_sciences_information_manager *
oracle application_performance_management 13.5.1.0
netapp active_iq_unified_manager -
oracle retail_merchandising_system 16.0.3
oracle weblogic_server 12.2.1.4.0
oracle communications_pricing_design_center 12.0.0.5.0
oracle banking_enterprise_default_management 2.7.1
oracle banking_digital_experience 19.1
oracle communications_converged_application_server_-_service_controller 6.2
oracle retail_pricing 19.0.1
oracle communications_cloud_native_core_network_repository_function 1.14.0
oracle communications_design_studio *
oracle helidon 2.2.0
oracle retail_xstore_point_of_service 17.0.4
apache commons_io 2.5
CVE-2021-29489 LOW

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L 2.8 4.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp cloud_backup -
netapp oncommand_insight -
netapp snapcenter -
highcharts highcharts *
CVE-2021-29505 MEDIUM

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle communications_unified_inventory_management 7.4.1
oracle retail_customer_insights 16.0.2
oracle communications_unified_inventory_management 7.4.2
oracle banking_corporate_lending_process_management 14.2.0
oracle communications_brm_-_elastic_charging_engine 11.3
oracle banking_credit_facilities_process_management 14.2.0
oracle banking_cash_management 14.5
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle banking_credit_facilities_process_management 14.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle banking_cash_management 14.2
oracle business_activity_monitoring 12.2.1.3.0
oracle communications_brm_-_elastic_charging_engine 12.0
oracle retail_customer_insights 15.0.2
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle banking_corporate_lending_process_management 14.5.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_supply_chain_finance 14.2.0
oracle retail_xstore_point_of_service 19.0.2
oracle enterprise_manager_ops_center 12.4.0.0
xstream_project xstream *
oracle banking_credit_facilities_process_management 14.5.0
oracle webcenter_sites 12.2.1.3.0
fedoraproject fedora 34
oracle business_activity_monitoring 11.1.1.9.0
oracle banking_trade_finance_process_management 14.5.0
oracle webcenter_sites 12.2.1.4.0
oracle banking_cash_management 14.3
oracle banking_corporate_lending_process_management 14.3.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-29662 MEDIUM

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-704,

Products Affected

Vendor Product Version
data::validate::ip_project data::validate::ip *
netapp snapcenter -
CVE-2021-29678 MEDIUM

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.7 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 2.3 5.8

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
netapp oncommand_insight -
ibm db2 9.7
ibm db2 11.1
ibm db2 11.5
CVE-2021-29679 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated user to execute code remotely due to incorrectly neutralizaing user-contrlled input that could be interpreted a a server-side include (SSI) directive. IBM X-Force ID: 199915.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
CVE-2021-29716 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view. IBM X-Force ID: 201087.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-29719 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client side vulnerabilties due to a web response specifying an incorrect content type. IBM X-Force ID: 201091

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-29745 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to priviledge escalation where a lower evel user could have access to the 'New Job' page to which they should not have access to. IBM X-Force ID: 201695.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
CVE-2021-29756 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-29768 MEDIUM

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-29823

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-29824 MEDIUM

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to priviledge escalation where a lower level user could have read access to to the 'Data Connections' page to which they don't have access. IBM X-Force ID: 204468.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-29867 MEDIUM

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated to view or edit a Jupyter notebook that they should not have access to. IBM X-Force ID: 206212.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-3114 MEDIUM

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-682,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
debian debian_linux 10.0
netapp storagegrid -
fedoraproject fedora 33
golang go *
debian debian_linux 9.0
CVE-2021-3115 MEDIUM

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
netapp storagegrid -
fedoraproject fedora 33
golang go *
CVE-2021-31440 MEDIUM

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-682,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-3156 HIGH

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,CWE-193,

Products Affected

Vendor Product Version
oracle micros_kitchen_display_system_firmware 210
netapp oncommand_unified_manager_core_package -
sudo_project sudo *
synology skynas_firmware -
netapp ontap_select_deploy_administration_utility -
oracle micros_compact_workstation_3_firmware 310
oracle micros_workstation_6_firmware *
mcafee web_gateway 8.2.17
netapp cloud_backup -
netapp solidfire -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_performance_intelligence_center *
mcafee web_gateway 9.2.8
sudo_project sudo 1.9.5
synology diskstation_manager_unified_controller 3.0
debian debian_linux 10.0
oracle tekelec_platform_distribution *
synology diskstation_manager 6.2
netapp hci_management_node -
netapp ontap_tools 9
netapp active_iq_unified_manager -
beyondtrust privilege_management_for_unix/linux *
fedoraproject fedora 32
synology vs960hd_firmware -
beyondtrust privilege_management_for_mac *
mcafee web_gateway 10.0.4
oracle micros_workstation_5a_firmware 5a
oracle micros_es400_firmware *
CVE-2021-3177 HIGH

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
oracle communications_offline_mediation_controller 12.0.0.3.0
fedoraproject fedora 32
oracle zfs_storage_appliance_kit 8.8
oracle enterprise_manager_ops_center 12.4.0.0
oracle communications_cloud_native_core_network_function_cloud_native_environment 22.2.0
netapp ontap_select_deploy_administration_utility -
python python *
netapp active_iq_unified_manager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_pricing_design_center 12.0.0.3.0
CVE-2021-31806 MEDIUM

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp cloud_manager -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
squid-cache squid *
CVE-2021-31807 MEDIUM

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
squid-cache squid 2.5.stable8
squid-cache squid 2.5.stable9
squid-cache squid 2.5.stable12
squid-cache squid 2.5.stable4
squid-cache squid 2.5.stable14
squid-cache squid 2.5.stable11
squid-cache squid 2.5.stable5
squid-cache squid 2.5.stable13
fedoraproject fedora 34
squid-cache squid 2.5.stable2
squid-cache squid *
squid-cache squid 2.5.stable6
squid-cache squid 2.7
squid-cache squid 2.5.stable3
squid-cache squid 2.6
netapp cloud_manager -
squid-cache squid 2.5.stable7
fedoraproject fedora 33
squid-cache squid 2.5.stable10
CVE-2021-31808 MEDIUM

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp cloud_manager -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
squid-cache squid *
CVE-2021-31879 MEDIUM

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
gnu wget *
netapp 500f_firmware -
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
broadcom brocade_fabric_operating_system_firmware -
netapp a250_firmware -
CVE-2021-32292

An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
json-c_project json-c 0.15-20200726
netapp active_iq_unified_manager -
CVE-2021-32399 MEDIUM

net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2021-32626 MEDIUM

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,CWE-787,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32627 MEDIUM

Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32628 MEDIUM

Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32640 MEDIUM

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
ws_project ws *
CVE-2021-32672 MEDIUM

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
redis redis *
redhat software_collections -
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
debian debian_linux 11.0
netapp management_services_for_element_software -
oracle communications_operations_monitor 4.3
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 5.0
CVE-2021-32675 MEDIUM

Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32687 MEDIUM

Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32762 HIGH

Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-32765 MEDIUM

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
redis hiredis *
netapp management_services_for_element_software_and_netapp_hci -
debian debian_linux 9.0
CVE-2021-32785 MEDIUM

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted Redis cache (`OIDCCacheEncrypt off`, `OIDCSessionType server-cache`, `OIDCCacheType redis`), `mod_auth_openidc` wrongly performed argument interpolation before passing Redis requests to `hiredis`, which would perform it again and lead to an uncontrolled format string bug. Initial assessment shows that this bug does not appear to allow gaining arbitrary code execution, but can reliably provoke a denial of service by repeatedly crashing the Apache workers. This bug has been corrected in version 2.4.9 by performing argument interpolation only once, using the `hiredis` API. As a workaround, this vulnerability can be mitigated by setting `OIDCCacheEncrypt` to `on`, as cache keys are cryptographically hashed before use when this option is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,CWE-134,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp cloud_backup -
zmartzone mod_auth_openidc *
CVE-2021-3281 MEDIUM

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
djangoproject django *
fedoraproject fedora 33
netapp snapcenter -
CVE-2021-33060

Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
intel xeon_gold_6346_firmware -
intel xeon_platinum_8362_firmware -
intel xeon_gold_6336y_firmware -
netapp aff_a700_firmware -
intel xeon_silver_4316_firmware -
netapp fas9000_firmware -
intel xeon_gold_5318h_firmware -
intel xeon_platinum_8358_firmware -
intel xeon_gold_5318y_firmware -
intel xeon_platinum_8360h_firmware -
intel xeon_silver_4309y_firmware -
intel xeon_gold_6328h_firmware -
netapp fas2600_firmware -
intel xeon_gold_5320_firmware -
intel xeon_gold_6334_firmware -
intel xeon_gold_6348_firmware -
intel xeon_platinum_8356h_firmware -
netapp fas8200_firmware -
intel xeon_gold_6338t_firmware -
intel xeon_gold_6312u_firmware -
intel xeon_platinum_8360hl_firmware -
intel xeon_gold_6328hl_firmware -
intel xeon_platinum_8354h_firmware -
intel xeon_gold_6330_firmware -
intel xeon_platinum_8352y_firmware -
intel xeon_silver_4310t_firmware -
netapp fas500f_firmware -
netapp aff_a700s_firmware -
intel xeon_platinum_8380_firmware -
netapp aff_a200_firmware -
netapp aff_a900_firmware -
intel xeon_gold_6342_firmware -
intel xeon_gold_6330n_firmware -
netapp aff_a300_firmware -
intel xeon_silver_4310_firmware -
netapp aff_c190_firmware -
intel xeon_platinum_8352v_firmware -
intel xeon_platinum_8376h_firmware -
intel xeon_gold_6326_firmware -
intel xeon_platinum_8380hl_firmware -
netapp aff_a250_firmware -
intel xeon_platinum_8380h_firmware -
intel xeon_gold_6338_firmware -
intel xeon_gold_6348h_firmware -
intel xeon_gold_5320t_firmware -
netapp aff_a800_firmware -
netapp fas8700_firmware -
intel xeon_platinum_8368q_firmware -
intel xeon_gold_6314u_firmware -
intel xeon_platinum_8353h_firmware -
netapp aff_a400_firmware -
intel xeon_gold_5318s_firmware -
intel xeon_platinum_8351n_firmware -
intel xeon_gold_5317_firmware -
netapp aff_a220_firmware -
intel xeon_platinum_8352m_firmware -
intel xeon_gold_6354_firmware -
intel xeon_platinum_8376hl_firmware -
intel xeon_platinum_8360y_firmware -
intel xeon_gold_5320h_firmware -
netapp aff_a320_firmware -
intel xeon_gold_5315y_firmware -
intel xeon_gold_6330h_firmware -
intel xeon_platinum_8368_firmware -
intel xeon_platinum_8358p_firmware -
intel xeon_gold_5318n_firmware -
netapp fas8300_firmware -
intel xeon_platinum_8352s_firmware -
intel xeon_silver_4314_firmware -
netapp fas9500_firmware -
intel xeon_gold_6338n_firmware -
netapp fas2700_firmware -
CVE-2021-33068 MEDIUM

Null pointer dereference in subsystem for Intel(R) AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp cloud_backup -
intel active_management_technology_firmware *
CVE-2021-33117 LOW

Improper access control for some 3rd Generation Intel(R) Xeon(R) Scalable Processors before BIOS version MR7, may allow a local attacker to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp fas/aff_bios -
intel bios *
CVE-2021-33195 HIGH

Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-74,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
golang go *
CVE-2021-33200 HIGH

kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2021-3326 MEDIUM

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.5.0
fujitsu m10-4s_firmware *
fujitsu m12-1_firmware *
fujitsu m12-2s_firmware *
fujitsu m10-1_firmware *
gnu glibc *
netapp ontap_select_deploy_administration_utility -
fujitsu m10-4_firmware *
fujitsu m12-2_firmware *
CVE-2021-33574 HIGH

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
gnu glibc 2.32
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
gnu glibc 2.33
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-33587 MEDIUM

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
css-what_project css-what 4.0.0
css-what_project css-what 5.0.0
CVE-2021-33623 MEDIUM

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
trim-newlines_project trim-newlines *
debian debian_linux 10.0
CVE-2021-33625 MEDIUM

An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
insyde insydeh2o *
siemens simatic_ipc227g_firmware -
siemens simatic_ipc327g_firmware -
siemens simatic_ipc477e_firmware -
siemens ruggedcom_ape1808_firmware -
siemens simatic_itp1000_firmware -
siemens simatic_field_pg_m5_firmware -
siemens simatic_ipc627e_firmware -
siemens simatic_ipc427e_firmware -
netapp fas/aff_bios -
siemens simatic_ipc127e_firmware -
siemens simatic_ipc377g_firmware -
siemens simatic_ipc277g_firmware -
siemens simatic_field_pg_m6_firmware -
siemens simatic_ipc677e_firmware -
siemens simatic_ipc847e_firmware -
siemens simatic_ipc647e_firmware -
siemens simatic_ipc477e_pro_firmware -
CVE-2021-33909 HIGH

fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle communications_session_border_controller 8.4
linux linux_kernel *
oracle communications_session_border_controller 9.0
oracle communications_session_border_controller 8.3
netapp hci_management_node -
sonicwall sma1000_firmware *
netapp solidfire -
oracle communications_session_border_controller 8.2
debian debian_linux 9.0
fedoraproject fedora 34
CVE-2021-33910 MEDIUM

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
debian debian_linux 10.0
systemd_project systemd *
netapp hci_management_node -
netapp solidfire -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-3426 LOW

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.1 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-22,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle zfs_storage_appliance_kit 8.8
netapp ontap_select_deploy_administration_utility -
redhat software_collections -
fedoraproject fedora 34
netapp snapcenter -
python python 3.10.0
fedoraproject fedora 32
netapp cloud_backup -
python python *
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-34428 LOW

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 0.9 2.5
emo@eclipse.org 2.9 LOW CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-613,CWE-613,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
oracle siebel_core_-_automation *
netapp element_plug-in_for_vcenter_server -
netapp santricity_cloud_connector -
netapp active_iq_unified_manager -
netapp e-series_santricity_web_services -
netapp snap_creator_framework -
oracle communications_services_gatekeeper 7.0
eclipse jetty *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_session_report_manager *
oracle communications_element_manager 8.2.2
oracle communications_session_route_manager *
netapp snapmanager -
oracle rest_data_services *
CVE-2021-34429 MEDIUM

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
emo@eclipse.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-551,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp snapcenter_plug-in -
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.5.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle stream_analytics 19c
netapp element_plug-in_for_vcenter_server -
netapp hci_management_node -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle retail_eftlink 20.0.1
netapp e-series_santricity_web_services -
netapp snap_creator_framework -
eclipse jetty *
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle communications_diameter_signaling_router *
oracle communications_cloud_native_core_unified_data_repository 1.14.0
netapp solidfire -
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle rest_data_services *
oracle stream_analytics *
CVE-2021-3449 MEDIUM

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mcafee web_gateway 8.2.19
mcafee web_gateway 9.2.10
siemens simatic_cp_1242-7_gprs_v2_firmware *
siemens simatic_s7-1200_cpu_1214_fc_firmware *
nodejs node.js *
mcafee web_gateway_cloud_service 9.2.10
siemens tia_administrator *
siemens simatic_hmi_basic_panels_2nd_generation_firmware *
siemens simatic_pcs_7_telecontrol_firmware *
siemens sinec_nms 1.0
freebsd freebsd 12.2
siemens scalance_lpe9403_firmware *
oracle primavera_unifier 21.12
openssl openssl *
siemens simatic_hmi_ktp_mobile_panels_firmware *
siemens simatic_s7-1500_cpu_1518-4_pn/dp_mfp_firmware *
siemens simatic_net_cp_1243-1_firmware *
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
fedoraproject fedora 34
tenable nessus_network_monitor 5.13.0
netapp santricity_smi-s_provider -
tenable nessus *
oracle secure_global_desktop 5.6
siemens simatic_s7-1200_cpu_1215c_firmware *
mcafee web_gateway 10.1.1
oracle graalvm 20.3.1.2
siemens scalance_xr-300wg_firmware *
siemens scalance_xr552-12_firmware *
siemens simatic_wincc_telecontrol -
siemens simatic_s7-1200_cpu_1217c_firmware *
checkpoint multi-domain_management_firmware r80.40
siemens simatic_net_cp1243-7_lte_eu_firmware *
netapp cloud_volumes_ontap_mediator -
tenable nessus_network_monitor 5.12.0
mcafee web_gateway_cloud_service 8.2.19
siemens simatic_logon *
siemens simatic_net_cp_1542sp-1_irc_firmware *
netapp storagegrid -
oracle primavera_unifier *
siemens tim_1531_irc_firmware *
tenable tenable.sc *
oracle primavera_unifier 19.12
sonicwall sonicos 7.0.1.0
oracle zfs_storage_appliance_kit 8.8
siemens simatic_rf188ci_firmware *
oracle communications_communications_policy_management 12.6.0.0.0
checkpoint quantum_security_management_firmware r80.40
siemens simatic_rf166c_firmware *
siemens scalance_xf-200ba_firmware *
oracle peoplesoft_enterprise_peopletools 8.57
siemens scalance_m-800_firmware *
siemens simatic_rf186c_firmware *
siemens simatic_hmi_comfort_outdoor_panels_firmware *
mcafee web_gateway_cloud_service 10.1.1
tenable nessus_network_monitor 5.11.1
tenable nessus_network_monitor 5.12.1
siemens simatic_net_cp_1543-1_firmware *
siemens simatic_s7-1200_cpu_1214c_firmware *
siemens scalance_w700_firmware *
siemens simatic_logon 1.5
netapp ontap_select_deploy_administration_utility -
siemens simatic_s7-1200_cpu_1212fc_firmware *
netapp snapcenter -
siemens scalance_xr526-8c_firmware *
checkpoint quantum_security_gateway_firmware r80.40
siemens simatic_cp_1242-7_gprs_v2_firmware -
tenable nessus_network_monitor 5.11.0
siemens scalance_s623_firmware *
oracle primavera_unifier 20.12
siemens scalance_xm-400_firmware *
siemens scalance_w1700_firmware *
siemens simatic_wincc_runtime_advanced *
oracle enterprise_manager_for_storage_management 13.4.0.0
siemens ruggedcom_rcm1224_firmware *
oracle essbase 21.2
checkpoint quantum_security_management_firmware r81
oracle mysql_server *
siemens scalance_s612_firmware *
siemens sinumerik_opc_ua_server *
siemens scalance_sc-600_firmware *
siemens simatic_net_cp_1543sp-1_firmware *
siemens simatic_process_historian_opc_ua_server_firmware *
oracle peoplesoft_enterprise_peopletools 8.58
siemens scalance_xr524-8c_firmware *
siemens simatic_pcs_neo_firmware *
siemens sinec_pni -
siemens simatic_rf186ci_firmware *
siemens simatic_rf360r_firmware *
siemens simatic_pdm_firmware *
oracle jd_edwards_world_security a9.4
siemens simatic_cloud_connect_7_firmware *
siemens sinec_infrastructure_network_services *
siemens scalance_s602_firmware *
siemens scalance_s627-2m_firmware *
siemens sinema_server 14.0
siemens simatic_s7-1200_cpu_1215_fc_firmware *
siemens simatic_net_cp1243-7_lte_us_firmware *
siemens scalance_xb-200_firmware *
siemens simatic_rf185c_firmware *
siemens simatic_mv500_firmware *
checkpoint multi-domain_management_firmware r81
oracle secure_backup *
sonicwall sma100_firmware *
siemens scalance_xp-200_firmware *
siemens simatic_s7-1200_cpu_1211c_firmware *
siemens scalance_s615_firmware *
tenable log_correlation_engine *
oracle graalvm 21.0.0.2
checkpoint quantum_security_gateway_firmware r81
oracle mysql_connectors *
debian debian_linux 9.0
oracle graalvm 19.3.5
siemens simatic_rf188c_firmware *
siemens sinamics_connect_300_firmware *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
siemens scalance_xc-200_firmware *
siemens scalance_xr528-6m_firmware *
oracle jd_edwards_enterpriseone_tools *
netapp active_iq_unified_manager -
siemens simatic_cloud_connect_7_firmware -
netapp e-series_performance_analyzer -
oracle mysql_workbench *
siemens simatic_net_cp_1545-1_firmware *
siemens simatic_net_cp_1243-8_irc_firmware *
siemens simatic_s7-1200_cpu_1212c_firmware *
sonicwall capture_client 3.5
CVE-2021-3450 MEDIUM

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp storagegrid_firmware -
oracle mysql_enterprise_monitor *
oracle commerce_guided_search 11.3.2
netapp ontap_select_deploy_administration_utility -
sonicwall email_security *
oracle secure_backup *
sonicwall sma100_firmware *
netapp cloud_volumes_ontap_mediator -
mcafee web_gateway 8.2.19
mcafee web_gateway 9.2.10
sonicwall capture_client *
tenable nessus_agent *
tenable nessus_network_monitor 5.12.0
oracle graalvm 21.0.0.2
mcafee web_gateway_cloud_service 8.2.19
oracle weblogic_server 14.1.1.0.0
nodejs node.js *
tenable nessus_network_monitor 5.11.0
netapp storagegrid -
mcafee web_gateway_cloud_service 9.2.10
oracle mysql_connectors *
freebsd freebsd 12.2
windriver linux 18.0
oracle graalvm 19.3.5
netapp oncommand_workflow_automation -
openssl openssl *
windriver linux -
oracle enterprise_manager_for_storage_management 13.4.0.0
sonicwall sonicos *
oracle jd_edwards_enterpriseone_tools *
oracle mysql_server *
fedoraproject fedora 34
tenable nessus_network_monitor 5.13.0
oracle weblogic_server 12.2.1.4.0
tenable nessus *
netapp santricity_smi-s_provider_firmware -
oracle secure_global_desktop 5.6
oracle mysql_workbench *
mcafee web_gateway 10.1.1
oracle peoplesoft_enterprise_peopletools *
oracle graalvm 20.3.1.2
windriver linux 17.0
mcafee web_gateway_cloud_service 10.1.1
tenable nessus_network_monitor 5.11.1
oracle jd_edwards_world_security a9.4
windriver linux 19.0
tenable nessus_network_monitor 5.12.1
CVE-2021-34558 LOW

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-295,

Products Affected

Vendor Product Version
netapp trident -
netapp storagegrid -
fedoraproject fedora 33
golang go *
fedoraproject fedora 34
netapp cloud_insights_telegraf -
oracle timesten_in-memory_database *
CVE-2021-34798 MEDIUM

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
oracle http_server 12.2.1.4.0
oracle instantis_enterprisetrack 17.3
siemens sinec_nms *
broadcom brocade_fabric_operating_system_firmware -
debian debian_linux 11.0
siemens ruggedcom_nms *
netapp storagegrid -
netapp cloud_backup -
debian debian_linux 9.0
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
tenable tenable.sc *
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
fedoraproject fedora 34
siemens sinema_remote_connect_server *
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
oracle instantis_enterprisetrack 17.2
netapp clustered_data_ontap -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
siemens sinema_server 14.0
CVE-2021-3483 MEDIUM

A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
linux linux_kernel 5.12
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-34866 HIGH

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-843,CWE-843,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-3501 LOW

A flaw was found in the Linux kernel in versions before 5.12. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
redhat enterprise_linux_for_real_time_for_nfv 8
netapp h500s_firmware -
netapp h410c_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat virtualization 4.0
linux linux_kernel *
redhat virtualization_host 4.0
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
redhat enterprise_linux_for_real_time 8
netapp h500e_firmware -
CVE-2021-35043 MEDIUM

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
oracle banking_platform *
oracle retail_central_office 14.1
oracle retail_back_office 14.0
oracle middleware_common_libraries_and_tools 12.2.1.3.0
oracle retail_central_office 14.0
oracle banking_platform 2.6.2
oracle insurance_policy_administration 11.2.8
oracle insurance_policy_administration 11.3.0
oracle banking_enterprise_default_managment *
antisamy_project antisamy *
oracle banking_enterprise_default_management 2.12.0
oracle retail_returns_management 14.0
oracle banking_enterprise_default_management 2.10.0
oracle retail_returns_management 14.1
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle banking_enterprise_default_management 2.7.0
oracle banking_enterprise_default_management 2.6.2
oracle banking_party_management 2.7.0
netapp active_iq_unified_manager -
oracle middleware_common_libraries_and_tools 12.2.1.4.0
oracle banking_platform 2.7.1
oracle retail_back_office 14.1
oracle insurance_policy_administration 11.0.2
oracle banking_enterprise_default_management 2.7.1
oracle banking_platform 2.7.0
CVE-2021-3506 MEDIUM

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
linux linux_kernel 5.12
netapp solidfire_baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-3516 MEDIUM

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
oracle zfs_storage_appliance_kit 8.8
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 34
redhat enterprise_linux 7.0
netapp clustered_data_ontap -
xmlsoft xmllint *
fedoraproject fedora 33
debian debian_linux 9.0
netapp clustered_data_ontap_antivirus_connector -
redhat jboss_core_services -
CVE-2021-3517 HIGH

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,CWE-125,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp hci_h410c_firmware -
oracle real_user_experience_insight 13.4.1.0
netapp manageability_software_development_kit -
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
oracle openjdk 8
xmlsoft libxml2 *
netapp solidfire -
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
redhat jboss_core_services -
oracle real_user_experience_insight 13.5.1.0
redhat enterprise_linux 8.0
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
oracle zfs_storage_appliance_kit 8.8
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
fedoraproject fedora 34
netapp e-series_santricity_web_services -
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
netapp e-series_santricity_storage_manager -
oracle mysql_workbench *
netapp clustered_data_ontap -
netapp clustered_data_ontap_antivirus_connector -
CVE-2021-3518 MEDIUM

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp hci_h410c_firmware -
oracle real_user_experience_insight 13.4.1.0
oracle enterprise_manager_ops_center 12.4.0.0
netapp manageability_software_development_kit -
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
fedoraproject fedora 34
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
oracle mysql_workbench *
netapp clustered_data_ontap -
xmlsoft libxml2 *
fedoraproject fedora 33
debian debian_linux 9.0
netapp clustered_data_ontap_antivirus_connector -
redhat jboss_core_services -
oracle real_user_experience_insight 13.5.1.0
CVE-2021-3520 HIGH

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,CWE-787,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
lz4_project lz4 1.8.3
lz4_project lz4 *
oracle zfs_storage_appliance_kit 8.8
netapp cloud_backup -
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2021-3522 MEDIUM

GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp e-series_santricity_web_services -
oracle openjdk 8
netapp e-series_santricity_storage_manager -
gstreamer_project gstreamer *
netapp solidfire -
netapp snapmanager -
CVE-2021-3530 MEDIUM

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,

Products Affected

Vendor Product Version
gnu binutils 2.36
netapp ontap_select_deploy_administration_utility -
CVE-2021-3537 MEDIUM

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp hci_h410c_firmware -
oracle real_user_experience_insight 13.4.1.0
netapp manageability_software_development_kit -
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
oracle openjdk 8
xmlsoft libxml2 *
fedoraproject fedora 33
debian debian_linux 9.0
redhat jboss_core_services -
oracle real_user_experience_insight 13.5.1.0
redhat enterprise_linux 8.0
oracle enterprise_manager_ops_center 12.4.0.0
netapp active_iq_unified_manager -
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
fedoraproject fedora 34
oracle enterprise_manager_base_platform 13.5.0.0
redhat enterprise_linux 7.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
oracle mysql_workbench *
netapp clustered_data_ontap -
netapp clustered_data_ontap_antivirus_connector -
CVE-2021-3541 MEDIUM

A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle zfs_storage_appliance_kit 8.8
netapp manageability_software_development_kit -
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp smi-s_provider -
netapp clustered_data_ontap -
netapp cloud_backup -
xmlsoft libxml2 *
netapp h700e_firmware -
netapp h500e_firmware -
netapp clustered_data_ontap_antivirus_connector -
redhat jboss_core_services -
CVE-2021-35515 MEDIUM

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-834,CWE-835,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle financial_services_enterprise_case_management 8.0.8.1.0
oracle utilities_testing_accelerator 6.0.0.3.1
oracle banking_digital_experience *
oracle flexcube_universal_banking 12.4.0
oracle commerce_guided_search 11.3.2
oracle communications_billing_and_revenue_management 12.0.0.4
apache commons_compress *
oracle insurance_policy_administration 11.2.8
oracle insurance_policy_administration 11.3.0
oracle banking_trade_finance 14.5
oracle primavera_unifier 18.8
oracle communications_session_route_manager *
oracle communications_cloud_native_core_automated_test_suite 1.8.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle business_process_management_suite 12.2.1.3.0
oracle primavera_unifier 20.12
oracle banking_payments 14.5
oracle primavera_unifier *
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle financial_services_enterprise_case_management 8.0.7.2.0
oracle banking_enterprise_default_management 2.7.0
oracle primavera_unifier 19.12
oracle banking_treasury_management 14.5
oracle healthcare_data_repository 8.1.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle communications_diameter_intelligence_hub *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_party_management 2.7.0
netapp oncommand_insight -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
netapp active_iq_unified_manager -
oracle banking_digital_experience 21.1
oracle utilities_testing_accelerator 6.0.0.2.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
oracle utilities_testing_accelerator 6.0.0.1.1
oracle business_process_management_suite 12.2.1.4.0
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle banking_digital_experience 19.1
oracle flexcube_universal_banking *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle flexcube_universal_banking 14.5.0
CVE-2021-35516 MEDIUM

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-770,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle flexcube_universal_banking 14.5
oracle financial_services_enterprise_case_management 8.0.8.1.0
oracle utilities_testing_accelerator 6.0.0.3.1
oracle banking_digital_experience *
oracle flexcube_universal_banking 12.4.0
oracle commerce_guided_search 11.3.2
oracle communications_billing_and_revenue_management 12.0.0.4
apache commons_compress *
oracle insurance_policy_administration 11.2.8
oracle insurance_policy_administration 11.3.0
oracle primavera_unifier 18.8
oracle communications_session_route_manager *
oracle communications_cloud_native_core_automated_test_suite 1.8.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle business_process_management_suite 12.2.1.3.0
oracle primavera_unifier 20.12
oracle primavera_unifier *
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle financial_services_enterprise_case_management 8.0.7.2.0
oracle banking_enterprise_default_management 2.7.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle healthcare_data_repository 8.1.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle communications_diameter_intelligence_hub *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_party_management 2.7.0
netapp oncommand_insight -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
netapp active_iq_unified_manager -
oracle banking_digital_experience 21.1
oracle utilities_testing_accelerator 6.0.0.2.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
oracle utilities_testing_accelerator 6.0.0.1.1
oracle business_process_management_suite 12.2.1.4.0
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle banking_digital_experience 19.1
oracle banking_digital_experience 19.2
oracle flexcube_universal_banking *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
CVE-2021-35517 MEDIUM

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-770,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle utilities_testing_accelerator 6.0.0.3.1
oracle banking_digital_experience *
oracle commerce_guided_search 11.3.2
oracle communications_billing_and_revenue_management 12.0.0.4
apache commons_compress *
oracle insurance_policy_administration 11.3.0
oracle banking_trade_finance 14.5
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle primavera_unifier 20.12
oracle banking_payments 14.5
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle banking_apis 19.1
oracle banking_enterprise_default_management 2.7.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle utilities_testing_accelerator 6.0.0.2.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_apis 20.1
oracle utilities_testing_accelerator 6.0.0.1.1
oracle business_process_management_suite 12.2.1.4.0
oracle banking_apis 21.1
oracle banking_digital_experience 19.2
oracle flexcube_universal_banking 14.5
oracle financial_services_enterprise_case_management 8.0.8.1.0
oracle insurance_policy_administration 11.2.8
oracle flexcube_universal_banking 12.4
oracle communications_session_route_manager *
oracle business_process_management_suite 12.2.1.3.0
oracle primavera_unifier *
oracle financial_services_enterprise_case_management 8.0.7.2.0
oracle banking_apis *
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_treasury_management 14.5
oracle healthcare_data_repository 8.1.0
oracle communications_diameter_intelligence_hub *
oracle banking_party_management 2.7.0
netapp active_iq_unified_manager -
oracle banking_digital_experience 21.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle banking_digital_experience 19.1
oracle flexcube_universal_banking *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle banking_apis 19.2
CVE-2021-35537 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35546 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35550 HIGH

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35556 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35559 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,CWE-400,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35560 MEDIUM

Vulnerability in the Java SE product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u301. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
secalert_us@oracle.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp e-series_santricity_storage_manager -
netapp santricity_unified_manager -
netapp oncommand_insight -
netapp e-series_santricity_web_services -
oracle openjdk 8
CVE-2021-35561 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35564 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35565 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35567 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0
secalert_us@oracle.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle openjdk 11.0.6
oracle openjdk 11.0.5
oracle openjdk 15.0.2
oracle openjdk 16.0.1
oracle openjdk 11.0.9
oracle openjdk 15.0.1
oracle graalvm 20.3.3
oracle openjdk 17
oracle openjdk 13.0.4
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
oracle openjdk 15.0.4
oracle openjdk 11
oracle openjdk 13.0.8
oracle jdk 1.8.0
oracle jdk 11.0.12
netapp hci_management_node -
oracle openjdk 13.0.5
netapp oncommand_insight -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
oracle openjdk 15
netapp e-series_santricity_storage_manager -
oracle openjdk 11.0.3
oracle openjdk 13.0.2
oracle openjdk 13.0.7
oracle openjdk 11.0.10
fedoraproject fedora 35
oracle jre 17
netapp e-series_santricity_os_controller *
oracle openjdk 11.0.4
oracle openjdk 16.0.2
debian debian_linux 11.0
oracle openjdk 8
oracle jre 1.8.0
oracle jre 11.0.12
oracle openjdk 13
netapp solidfire -
oracle graalvm 21.2.0
debian debian_linux 9.0
oracle openjdk 11.0.1
oracle openjdk 11.0.11
oracle openjdk 13.0.6
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle openjdk 15.0.3
netapp santricity_unified_manager -
oracle openjdk 16
oracle openjdk 11.0.7
netapp active_iq_unified_manager -
oracle openjdk 13.0.3
oracle openjdk 13.0.1
oracle openjdk 11.0.8
oracle jdk 17
oracle openjdk 11.0.2
CVE-2021-35575 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35577 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via MySQL Protcol to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35578 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35583 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Windows). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35584 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: ndbcluster/plugin DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35586 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35588 LOW

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-3559 MEDIUM

A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat libvirt *
netapp ontap_select_deploy_administration_utility -
CVE-2021-35590 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35591 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35592 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35593 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35594 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35596 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Error Handling). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35597 MEDIUM

Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35598 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35602 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2
secalert_us@oracle.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35603 MEDIUM

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp e-series_santricity_web_services -
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
oracle graalvm 20.3.3
oracle openjdk 17
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 21.2.0
oracle openjdk 11.0.12
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
CVE-2021-35604 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mariadb mariadb *
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
netapp snapcenter -
CVE-2021-35607 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35608 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35610 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 35
netapp oncommand_insight -
fedoraproject fedora 33
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2021-35612 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35613 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35618 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 1.8 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 0.4 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2021-35621 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2021-35622 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35623 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35624 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35625 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35626 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35627 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35628 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35629 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35630 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35631 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35632 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35633 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35634 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35635 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35636 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35637 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35638 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35639 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp snapcenter -
CVE-2021-35640 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35641 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35642 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35643 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35644 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35645 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35646 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35647 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-35648 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2021-3580 MEDIUM

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
nettle_project nettle *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
CVE-2021-35942 MEDIUM

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-704,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
netapp hci_management_node -
gnu glibc *
netapp solidfire -
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
CVE-2021-3597 LOW

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat undertow 2.2.9
redhat undertow 2.2.7
redhat undertow 2.0.36
netapp oncommand_insight -
redhat undertow 2.0.39
redhat undertow 2.0.35
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.4
redhat fuse 1.0
redhat jboss_enterprise_application_platform -
redhat undertow 2.2.6
redhat openshift_application_runtimes -
redhat jboss_enterprise_application_platform 7.3
redhat single_sign-on -
redhat undertow *
CVE-2021-36086 LOW

The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h615c_firmware -
netapp bootstrap_os -
netapp h610s_firmware -
selinux_project selinux -
fedoraproject fedora 35
netapp active_iq_unified_manager -
netapp h610c_firmware -
debian debian_linux 11.0
selinux_project selinux *
CVE-2021-3609 MEDIUM

.A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
netapp h300e_firmware -
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat build_of_quarkus 1.0
redhat enterprise_linux_for_real_time 8.0
netapp h500s_firmware -
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 8.1
netapp h410c_firmware -
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
netapp h410s_firmware -
redhat virtualization 4.0
redhat 3scale_api_management 2.0
netapp h610c_firmware -
netapp h610s_firmware -
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_aus 8.2
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.1
redhat enterprise_linux_eus 8.4
netapp h700e_firmware -
netapp h500e_firmware -
netapp h300s_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat openshift_container_platform 4.6
redhat enterprise_linux_for_real_time_tus 8.0
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_for_real_time_for_nfv 8.0
redhat codeready_linux_builder_for_power_little_endian_eus 8.1
netapp h700s_firmware -
netapp h615c_firmware -
redhat codeready_linux_builder_eus 8.2
redhat codeready_linux_builder_eus 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_real_time_for_nfv_tus 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat codeready_linux_builder_eus 8.1
redhat codeready_linux_builder_for_power_little_endian_eus 8.4
redhat openshift_container_platform 4.8
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat codeready_linux_builder_for_power_little_endian_eus 8.2
redhat openshift_container_platform 4.7
linux linux_kernel 5.13
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2021-36090 MEDIUM

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle utilities_testing_accelerator 6.0.0.3.1
oracle banking_digital_experience *
oracle banking_platform 2.12.0
oracle commerce_guided_search 11.3.2
oracle communications_billing_and_revenue_management 12.0.0.4
oracle communications_unified_inventory_management 7.4.2
apache commons_compress *
oracle insurance_policy_administration 11.3.0
oracle banking_trade_finance 14.5
oracle primavera_unifier 18.8
oracle webcenter_portal 12.2.1.4.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle primavera_unifier 20.12
oracle banking_payments 14.5
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.3.1
oracle banking_apis 19.1
oracle banking_enterprise_default_management 2.7.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle communications_unified_inventory_management 7.5.0
oracle banking_platform 2.7.1
oracle utilities_testing_accelerator 6.0.0.2.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_diameter_intelligence_hub 8.2.3
oracle banking_apis 20.1
oracle utilities_testing_accelerator 6.0.0.1.1
oracle business_process_management_suite 12.2.1.4.0
oracle banking_apis 21.1
oracle banking_digital_experience 19.2
oracle communications_element_manager *
oracle financial_services_analytical_applications_infrastructure *
oracle flexcube_universal_banking 14.5
oracle financial_services_enterprise_case_management 8.0.8.1.0
oracle communications_unified_inventory_management 7.4.1
oracle primavera_gateway *
oracle banking_platform 2.6.2
oracle insurance_policy_administration 11.2.8
oracle flexcube_universal_banking 12.4
oracle communications_session_route_manager *
oracle communications_cloud_native_core_automated_test_suite 1.8.0
oracle business_process_management_suite 12.2.1.3.0
oracle financial_services_enterprise_case_management *
oracle primavera_unifier *
oracle financial_services_enterprise_case_management 8.0.7.2.0
oracle banking_apis *
oracle communications_unified_inventory_management 7.4.0
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_treasury_management 14.5
oracle healthcare_data_repository 8.1.0
oracle communications_diameter_intelligence_hub *
oracle banking_party_management 2.7.0
oracle banking_platform 2.9.0
netapp active_iq_unified_manager -
oracle banking_digital_experience 21.1
oracle communications_session_report_manager *
oracle peoplesoft_enterprise_peopletools 8.57
oracle insurance_policy_administration 11.0.2
oracle communications_messaging_server 8.1
oracle banking_digital_experience 19.1
oracle flexcube_universal_banking *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle banking_apis 19.2
CVE-2021-3612 HIGH

An out-of-bounds memory write flaw was found in the Linux kernel's joystick devices subsystem in versions before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp solidfire_baseboard_management_controller_firmware -
oracle communications_cloud_native_core_policy 22.2.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 7.0
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-36160 MEDIUM

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle http_server 12.2.1.4.0
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
fedoraproject fedora 34
broadcom brocade_fabric_operating_system_firmware -
debian debian_linux 11.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle enterprise_manager_base_platform 13.4.0.0
oracle instantis_enterprisetrack 17.2
netapp clustered_data_ontap -
netapp storagegrid -
netapp cloud_backup -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
debian debian_linux 9.0
CVE-2021-36222 MEDIUM

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
mit kerberos_5 *
netapp snapcenter -
CVE-2021-3629 MEDIUM

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat jboss_enterprise_application_platform 7.3
redhat wildfly_core *
redhat single_sign-on -
netapp oncommand_insight -
redhat undertow *
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.4
redhat integration -
redhat jboss_enterprise_application_platform -
CVE-2021-3631 LOW

A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.0 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-732,CWE-732,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat libvirt *
netapp ontap_select_deploy_administration_utility -
redhat openshift_container_platform 4.8
CVE-2021-3634 MEDIUM

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
oracle mysql_workbench *
libssh libssh *
redhat virtualization 4.0
netapp cloud_backup -
fedoraproject fedora 35
fedoraproject fedora 33
fedoraproject fedora 34
debian debian_linux 11.0
CVE-2021-3640 MEDIUM

A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
canonical ubuntu_linux 21.10
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 14.04
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-3667 LOW

An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-667,CWE-667,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
redhat libvirt *
netapp ontap_select_deploy_administration_utility -
CVE-2021-3671 MEDIUM

A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
samba samba *
debian debian_linux 10.0
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_netapp_hci -
debian debian_linux 11.0
netapp management_services_for_element_software -
CVE-2021-3695 MEDIUM

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform some triage over the heap layout to achieve signifcant results, also the values written into the memory are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2 versions prior grub-2.12.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.0 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat openshift_container_platform 4.9
fedoraproject fedora 36
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat openshift_container_platform 4.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat openshift 3.0
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.0
gnu grub2 *
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat developer_tools 1.0
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux 8.1
redhat enterprise_linux_for_power_little_endian 8.0
redhat codeready_linux_builder -
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux 9.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
redhat openshift_container_platform 4.10
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_for_power_little_endian_eus 9.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux 8.4
redhat enterprise_linux_eus 9.0
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
redhat enterprise_linux_for_power_little_endian 9.0
CVE-2021-3696 MEDIUM

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.0 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat openshift_container_platform 4.9
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat openshift_container_platform 4.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat openshift 3.0
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.0
gnu grub2 *
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat developer_tools 1.0
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux 8.1
redhat enterprise_linux_for_power_little_endian 8.0
redhat codeready_linux_builder -
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux 9.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.2
redhat openshift_container_platform 4.10
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_for_power_little_endian_eus 9.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux 8.4
redhat enterprise_linux_eus 9.0
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
redhat enterprise_linux_for_power_little_endian 9.0
CVE-2021-3711 HIGH

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp storage_encryption -
netapp manageability_software_development_kit -
oracle mysql_enterprise_monitor *
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle communications_unified_session_manager 8.4.5
netapp snapcenter -
debian debian_linux 11.0
oracle communications_unified_session_manager 8.2.5
oracle health_sciences_inform_publisher 6.2.1.1
oracle mysql_connectors *
netapp solidfire -
netapp oncommand_workflow_automation -
openssl openssl *
debian debian_linux 10.0
tenable tenable.sc *
oracle communications_session_border_controller 8.4
oracle jd_edwards_enterpriseone_tools *
oracle zfs_storage_appliance_kit 8.8
oracle mysql_server *
netapp hci_management_node -
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle enterprise_communications_broker 3.3.0
netapp santricity_smi-s_provider -
oracle enterprise_session_border_controller 8.4
oracle enterprise_communications_broker 3.2.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle peoplesoft_enterprise_peopletools 8.57
netapp clustered_data_ontap -
oracle essbase *
oracle health_sciences_inform_publisher 6.3.1.1
oracle communications_session_border_controller 9.0
tenable nessus_network_monitor *
oracle jd_edwards_world_security a9.4
oracle enterprise_session_border_controller 9.0
netapp clustered_data_ontap_antivirus_connector -
CVE-2021-3712 MEDIUM

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp storage_encryption -
oracle health_sciences_inform_publisher 6.2.1.0
netapp manageability_software_development_kit -
mcafee epolicy_orchestrator *
oracle mysql_enterprise_monitor *
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle communications_unified_session_manager 8.4.5
debian debian_linux 11.0
oracle communications_unified_session_manager 8.2.5
mcafee epolicy_orchestrator 5.10.0
oracle mysql_connectors *
netapp solidfire -
debian debian_linux 9.0
openssl openssl *
debian debian_linux 10.0
tenable tenable.sc *
oracle communications_session_border_controller 8.4
oracle jd_edwards_enterpriseone_tools *
oracle zfs_storage_appliance_kit 8.8
oracle communications_cloud_native_core_console 1.9.0
oracle mysql_server *
netapp hci_management_node -
oracle peoplesoft_enterprise_peopletools 8.59
oracle enterprise_communications_broker 3.3.0
netapp santricity_smi-s_provider -
oracle enterprise_session_border_controller 8.4
oracle enterprise_communications_broker 3.2.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle secure_backup 18.1.0.1.0
oracle mysql_workbench *
oracle peoplesoft_enterprise_peopletools 8.57
netapp clustered_data_ontap -
oracle essbase *
oracle health_sciences_inform_publisher 6.3.1.1
oracle communications_session_border_controller 9.0
tenable nessus_network_monitor *
oracle essbase 21.3
oracle jd_edwards_world_security a9.4
oracle enterprise_session_border_controller 9.0
siemens sinec_infrastructure_network_services *
netapp clustered_data_ontap_antivirus_connector -
CVE-2021-37136 MEDIUM

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle helidon 1.4.10
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle commerce_guided_search 11.3.2
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
netty netty *
debian debian_linux 11.0
oracle peoplesoft_enterprise_peopletools 8.48
oracle communications_diameter_signaling_router *
oracle webcenter_portal 12.2.1.4.0
oracle helidon 2.4.0
oracle coherence 12.2.1.4.0
oracle banking_digital_experience 18.2
oracle banking_apis 19.1
oracle communications_brm_-_elastic_charging_engine *
oracle communications_brm_-_elastic_charging_engine 12
oracle banking_apis *
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle communications_cloud_native_core_policy 1.15.0
oracle banking_digital_experience 18.1
oracle banking_digital_experience 21.1
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_instant_messaging_server 8.1
oracle banking_apis 20.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle coherence 14.1.1.0.0
oracle banking_digital_experience 19.1
oracle banking_apis 21.1
oracle banking_digital_experience 19.2
oracle banking_apis 19.2
CVE-2021-37137 MEDIUM

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
oracle banking_digital_experience 20.1
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle commerce_guided_search 11.3.2
netty netty *
debian debian_linux 11.0
oracle communications_diameter_signaling_router *
oracle webcenter_portal 12.2.1.4.0
oracle banking_digital_experience 18.2
oracle banking_apis 19.1
oracle communications_brm_-_elastic_charging_engine *
oracle banking_apis *
debian debian_linux 10.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 18.3
oracle communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
oracle banking_digital_experience 18.1
oracle banking_digital_experience 21.1
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_apis 20.1
oracle peoplesoft_enterprise_peopletools 8.57
oracle banking_digital_experience 19.1
oracle banking_apis 21.1
oracle banking_digital_experience 19.2
oracle banking_apis 19.2
CVE-2021-3733 MEDIUM

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
fedoraproject fedora 36
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat codeready_linux_builder_for_ibm_z_systems 8.0
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_for_power_little_endian_eus 8.4
netapp management_services_for_element_software_and_netapp_hci -
python python 3.10.0
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
fedoraproject extra_packages_for_enterprise_linux 7.0
redhat enterprise_linux_for_power_little_endian 8.0
fedoraproject fedora 33
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat codeready_linux_builder 8.0
netapp hci_compute_node_firmware -
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 34
netapp solidfire,_enterprise_sds_&_hci_storage_node -
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
redhat codeready_linux_builder_for_power_little_endian 8.0
python python *
CVE-2021-3737 HIGH

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-835,CWE-400,CWE-835,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
redhat codeready_linux_builder_for_ibm_z_systems 8.0
netapp ontap_select_deploy_administration_utility -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 21.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 14.04
redhat enterprise_linux_for_power_little_endian 8.0
fedoraproject fedora 33
redhat enterprise_linux_for_ibm_z_systems 8.0
netapp netapp_xcp_smb -
redhat enterprise_linux 8.0
oracle communications_cloud_native_core_network_exposure_function 22.1.1
redhat codeready_linux_builder 8.0
oracle communications_cloud_native_core_policy 22.2.0
fedoraproject fedora 34
netapp management_services_for_element_software -
redhat enterprise_linux 7.0
netapp hci -
redhat codeready_linux_builder_for_power_little_endian 8.0
python python *
netapp xcp_nfs -
CVE-2021-3739 LOW

A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
CVE-2021-3743 LOW

An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
oracle communications_cloud_native_core_policy 22.2.0
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel 5.17
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
linux linux_kernel 5.14
CVE-2021-3752 HIGH

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux_for_real_time 7
oracle communications_cloud_native_core_binding_support_function 22.1.3
netapp baseboard_management_controller_h500e_firmware -
redhat 3scale 2.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
redhat virtualization_host 4.0
netapp baseboard_management_controller_h410c_firmware -
debian debian_linux 9.0
redhat enterprise_linux 8.0
netapp baseboard_management_controller_h300s_firmware -
debian debian_linux 10.0
oracle communications_cloud_native_core_network_exposure_function 22.1.1
oracle communications_cloud_native_core_policy 22.2.0
fedoraproject fedora 34
netapp baseboard_management_controller_h300e_firmware -
redhat enterprise_linux 7.0
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
redhat enterprise_linux_for_real_time_for_nfv 7
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2021-3753 LOW

A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-125,CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp element_software -
netapp hci_management_node -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 7.0
netapp bootstrap_os -
linux linux_kernel *
netapp solidfire -
CVE-2021-3760 HIGH

A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-37600 LOW

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
kernel util-linux *
CVE-2021-3770 MEDIUM

vim is vulnerable to Heap-based Buffer Overflow

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
vim vim *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
fedoraproject fedora 34
CVE-2021-37714 MEDIUM

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-248,CWE-835,CWE-835,

Products Affected

Vendor Product Version
oracle retail_customer_management_and_segmentation_foundation *
oracle flexcube_universal_banking 14.5
oracle middleware_common_libraries_and_tools 12.2.1.3.0
netapp management_services_for_element_software_and_netapp_hci -
oracle banking_trade_finance 14.5
oracle webcenter_portal 12.2.1.4.0
oracle business_process_management_suite 12.2.1.3.0
oracle primavera_unifier 20.12
oracle primavera_unifier 21.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_treasury_management 14.5
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle stream_analytics 19c
oracle peoplesoft_enterprise_peopletools 8.59
oracle middleware_common_libraries_and_tools 12.2.1.4.0
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
jsoup jsoup *
oracle business_process_management_suite 12.2.1.4.0
oracle communications_messaging_server 8.1
oracle flexcube_universal_banking *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle hospitality_token_proxy_service 19.2
oracle stream_analytics *
CVE-2021-3772 MEDIUM

A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-354,CWE-354,

Products Affected

Vendor Product Version
netapp h300s_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp e-series_santricity_os_controller 11.25
netapp e-series_santricity_os_controller 11.60.1
netapp h700s_firmware -
netapp e-series_santricity_os_controller 11.0.0
netapp h410s_firmware -
netapp h615c_firmware -
netapp e-series_santricity_os_controller 11.40.5
linux linux_kernel *
netapp e-series_santricity_os_controller 11.50.1
netapp e-series_santricity_os_controller 11.20
netapp e-series_santricity_os_controller 11.0
debian debian_linux 9.0
netapp h610c_firmware -
redhat enterprise_linux 8.0
netapp e-series_santricity_os_controller 11.70.1
debian debian_linux 10.0
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp h610s_firmware -
netapp e-series_santricity_os_controller 11.60.0
netapp e-series_santricity_os_controller 11.70.2
oracle communications_cloud_native_core_policy 22.2.0
netapp e-series_santricity_os_controller 11.40.3r2
netapp e-series_santricity_os_controller 11.30
netapp solidfire_&_hci_storage_node -
netapp e-series_santricity_os_controller 11.60.3
netapp e-series_santricity_os_controller 11.30.5r3
netapp e-series_santricity_os_controller 11.60
netapp hci_compute_node -
netapp e-series_santricity_os_controller 11.40
netapp e-series_santricity_os_controller 11.50.2
CVE-2021-3778 MEDIUM

vim is vulnerable to Heap-based Buffer Overflow

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
vim vim *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
CVE-2021-3796 MEDIUM

vim is vulnerable to Use After Free

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
vim vim *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 33
debian debian_linux 9.0
fedoraproject fedora 34
CVE-2021-3800

A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
gnome glib *
debian debian_linux 10.0
netapp active_iq_unified_manager -
CVE-2021-38160 HIGH

In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp element_software -
debian debian_linux 10.0
netapp hci_bootstrap_os -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
debian debian_linux 9.0
CVE-2021-38199 LOW

fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp element_software -
netapp hci_bootstrap_os -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2021-38201 MEDIUM

net/sunrpc/xdr.c in the Linux kernel before 5.13.4 allows remote attackers to cause a denial of service (xdr_set_page_base slab-out-of-bounds access) by performing many NFS 4.2 READ_PLUS operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp element_software -
netapp hci_bootstrap_os -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
CVE-2021-38202 MEDIUM

fs/nfsd/trace.h in the Linux kernel before 5.13.4 might allow remote attackers to cause a denial of service (out-of-bounds read in strlen) by sending NFS traffic when the trace event framework is being used for nfsd.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp element_software -
netapp hci_bootstrap_os -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
CVE-2021-38203 LOW

btrfs in the Linux kernel before 5.13.4 allows attackers to cause a denial of service (deadlock) via processes that trigger allocation of new system chunks during times when there is a shortage of free space in the system space_info.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-667,

Products Affected

Vendor Product Version
netapp element_software -
netapp hci_bootstrap_os -
linux linux_kernel *
netapp hci_management_node -
netapp solidfire -
CVE-2021-38300 HIGH

arch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-3859

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat single_sign-on 7.5.1
redhat jboss_enterprise_application_platform 7.3
netapp oncommand_insight -
redhat single_sign-on 7.4.10
redhat undertow *
redhat jboss_enterprise_application_platform 7.4
netapp cloud_secure_agent -
CVE-2021-38886 MEDIUM

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-38903 LOW

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 209691.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-38904 MEDIUM

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings. IBM X-Force ID: 209693.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-38905 MEDIUM

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authenticated user to view report pages that they should not have access to. IBM X-Force ID: 209697.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-38909 LOW

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209706.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-38926 LOW

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
netapp oncommand_insight -
ibm db2 9.7
ibm db2 11.1
ibm db2 11.5
CVE-2021-38931 MEDIUM

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. IBM X-Force ID: 210418.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
netapp oncommand_insight -
ibm db2 11.1
ibm db2 11.5
CVE-2021-38945 HIGH

IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 could allow a remote attacker to upload arbitrary files, caused by improper content validation. IBM X-Force ID: 211238.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-38946 LOW

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
CVE-2021-39002 MEDIUM

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
ibm db2 10.5
ibm db2 10.1
netapp oncommand_insight -
ibm db2 9.7
ibm db2 11.1
ibm db2 11.5
CVE-2021-39009

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 213554.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-39045

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-39047 MEDIUM

IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214349.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.0
ibm cognos_analytics 11.1.7
ibm planning_analytics 2.0
ibm cognos_analytics 11.2.1
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2021-39139 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39140 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.8 4.0
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-835,CWE-502,CWE-835,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39141 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39144 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-502,CWE-306,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39145 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39146 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
oracle retail_xstore_point_of_service 17.0.2
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
CVE-2021-39147 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39148 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39149 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39150 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-918,CWE-502,CWE-918,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39151 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
oracle retail_xstore_point_of_service 17.0.2
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
CVE-2021-39152 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-918,CWE-502,CWE-918,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39153 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle utilities_framework 4.4.0.3.0
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
CVE-2021-39154 MEDIUM

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-502,CWE-434,CWE-502,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_unified_inventory_management 7.4.1
oracle commerce_guided_search 11.3.2
oracle communications_unified_inventory_management 7.4.2
oracle utilities_framework 4.2.0.3.0
debian debian_linux 11.0
oracle retail_xstore_point_of_service 20.0.1
oracle utilities_framework 4.4.0.3.0
oracle retail_xstore_point_of_service 18.0.3
oracle business_activity_monitoring 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.4
oracle utilities_framework 4.4.0.0.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_unified_inventory_management 7.3.5
oracle communications_cloud_native_core_automated_test_suite 1.9.0
oracle utilities_framework 4.3.0.1.0
netapp snapmanager -
fedoraproject fedora 33
debian debian_linux 9.0
oracle communications_cloud_native_core_policy 1.14.0
oracle utilities_framework 4.4.0.2.0
debian debian_linux 10.0
oracle communications_unified_inventory_management 7.4.0
oracle webcenter_portal 12.2.1.3.0
oracle retail_xstore_point_of_service 19.0.2
xstream_project xstream *
fedoraproject fedora 34
oracle utilities_framework 4.3.0.6.0
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle utilities_framework 4.2.0.2.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
fedoraproject fedora 35
oracle retail_xstore_point_of_service 16.0.6
oracle retail_xstore_point_of_service 17.0.4
CVE-2021-39275 HIGH

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle http_server 12.2.1.4.0
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
siemens sinec_nms *
fedoraproject fedora 34
debian debian_linux 11.0
oracle instantis_enterprisetrack 17.2
netapp clustered_data_ontap -
netapp storagegrid -
netapp cloud_backup -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
debian debian_linux 9.0
siemens sinema_server 14.0
CVE-2021-39293 MEDIUM

In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
golang go *
netapp cloud_insights_telegraf -
CVE-2021-3975

A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
redhat libvirt *
canonical ubuntu_linux 21.10
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.6
redhat enterprise_linux_server_tus 8.6
fedoraproject fedora 35
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
redhat codeready_linux_builder -
CVE-2021-3998

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
gnu glibc *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2021-3999

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp e-series_performance_analyzer -
debian debian_linux 10.0
netapp nfs_plug-in *
gnu glibc *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2021-40438 MEDIUM

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,CWE-918,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 8.8
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_update_services_for_sap_solutions 8.1
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_for_arm_64 8.0
redhat enterprise_linux_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat software_collections 1.0
siemens ruggedcom_nms *
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.1
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_update_services_for_sap_solutions 8.4
oracle enterprise_manager_ops_center 12.4.0.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_update_services_for_sap_solutions 8.8
redhat enterprise_linux_update_services_for_sap_solutions 8.6
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 34
redhat enterprise_linux_for_arm_64_eus 8.8
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 8.2
oracle secure_global_desktop 5.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.8
redhat enterprise_linux_for_power_little_endian_eus 8.1
redhat enterprise_linux_server_aus 7.6
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
siemens sinema_server 14.0
redhat enterprise_linux_for_power_little_endian_eus 8.8
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
oracle http_server 12.2.1.4.0
oracle instantis_enterprisetrack 17.3
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_for_power_little_endian_eus 8.4
siemens sinec_nms *
broadcom brocade_fabric_operating_system_firmware -
debian debian_linux 11.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.6
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.7
netapp storagegrid -
netapp cloud_backup -
resf rocky_linux 8.0
f5 f5os *
redhat enterprise_linux_for_ibm_z_systems 8.0
siemens sinema_remote_connect_server 3.2
debian debian_linux 9.0
redhat enterprise_linux_eus 8.2
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
tenable tenable.sc *
apache http_server *
redhat enterprise_linux_server_tus 8.4
redhat jboss_core_services 1.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
oracle zfs_storage_appliance_kit 8.8
redhat enterprise_linux_eus 8.8
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_for_arm_64_eus 8.6
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
siemens sinema_remote_connect_server *
redhat enterprise_linux_for_ibm_z_systems_eus 8.8
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
oracle instantis_enterprisetrack 17.2
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 8.2
netapp clustered_data_ontap -
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7
CVE-2021-4044 MEDIUM

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
openssl openssl *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
netapp snapcenter -
netapp h700s_firmware -
netapp h410s_firmware -
netapp e-series_performance_analyzer -
netapp 500f_firmware -
nodejs node.js *
netapp cloud_backup -
openssl openssl 1.1.0
netapp h700e_firmware -
netapp h500e_firmware -
openssl openssl 3.0.0
netapp a250_firmware -
CVE-2021-40490 MEDIUM

A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp fas_500f_firmware -
netapp h300e_firmware -
netapp h610s_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp aff_a250_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp h615c_firmware -
linux linux_kernel *
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
netapp h610c_firmware -
CVE-2021-4083 MEDIUM

A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-362,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp hci_management_node -
oracle communications_cloud_native_core_policy 22.2.0
netapp h500s_firmware -
linux linux_kernel 5.16
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp solidfire -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-4090 MEDIUM

An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
linux linux_kernel 5.16
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-41073 HIGH

loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-763,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
netapp solidfire_baseboard_management_controller -
CVE-2021-41079 MEDIUM

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 10.0
apache tomcat *
netapp management_services_for_element_software_and_netapp_hci -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2021-41099 MEDIUM

Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_operations_monitor 4.3
debian debian_linux 10.0
redis redis *
fedoraproject fedora 35
netapp management_services_for_element_software_and_netapp_hci -
fedoraproject fedora 33
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
debian debian_linux 11.0
CVE-2021-41182 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
netapp h300e_firmware -
oracle big_data_spatial_and_graph 23.1
fedoraproject fedora 36
oracle policy_automation *
oracle hospitality_inventory_management 9.1.0
oracle banking_platform 2.12.0
oracle agile_plm 9.3.6
netapp h500s_firmware -
netapp h410c_firmware -
oracle communications_operations_monitor 4.4
netapp h410s_firmware -
oracle primavera_unifier 18.8
oracle primavera_unifier 20.12
fedoraproject fedora 33
oracle rest_data_services *
oracle primavera_unifier 21.12
oracle primavera_unifier 17.9
oracle peoplesoft_enterprise_peopletools 8.59
oracle primavera_unifier 17.11
fedoraproject fedora 34
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_operations_monitor 4.3
oracle application_express *
oracle primavera_unifier 17.10
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
oracle communications_operations_monitor 5.0
netapp h300s_firmware -
oracle hospitality_materials_control 18.1
oracle weblogic_server 12.2.1.3.0
oracle mysql_enterprise_monitor *
oracle hospitality_suite8 8.10.2
netapp h700s_firmware -
oracle primavera_unifier 17.8
oracle weblogic_server 14.1.1.0.0
oracle primavera_unifier 17.7
oracle primavera_unifier *
oracle communications_interactive_session_recorder 6.4
debian debian_linux 9.0
tenable tenable.sc *
oracle primavera_unifier 19.12
oracle primavera_unifier 17.12
oracle jd_edwards_enterpriseone_tools *
oracle banking_platform 2.9.0
jqueryui jquery_ui *
drupal drupal *
oracle weblogic_server 12.2.1.4.0
oracle rest_data_services 22.1.1
oracle hospitality_suite8 *
oracle big_data_spatial_and_graph *
CVE-2021-41183 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle big_data_spatial_and_graph 23.1
fedoraproject fedora 36
oracle weblogic_server 12.2.1.3.0
oracle policy_automation *
oracle primavera_gateway 21.12.0
oracle hospitality_inventory_management 9.1.0
oracle mysql_enterprise_monitor *
oracle banking_platform 2.12.0
oracle primavera_gateway *
oracle agile_plm 9.3.6
oracle hospitality_suite8 8.10.2
netapp h500s_firmware -
netapp h410c_firmware -
oracle communications_operations_monitor 4.4
netapp h700s_firmware -
netapp h410s_firmware -
oracle weblogic_server 14.1.1.0.0
oracle primavera_gateway 20.12.0
oracle primavera_gateway 19.12.0
oracle communications_interactive_session_recorder 6.4
fedoraproject fedora 33
debian debian_linux 9.0
oracle rest_data_services *
tenable tenable.sc *
oracle jd_edwards_enterpriseone_tools *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_platform 2.9.0
jqueryui jquery_ui *
drupal drupal *
fedoraproject fedora 34
oracle weblogic_server 12.2.1.4.0
oracle rest_data_services 22.1.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_operations_monitor 4.3
oracle application_express *
oracle hospitality_suite8 *
oracle big_data_spatial_and_graph *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
oracle primavera_gateway 18.8.0
oracle communications_operations_monitor 5.0
CVE-2021-41184 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle hospitality_materials_control 18.1
oracle big_data_spatial_and_graph 23.1
fedoraproject fedora 36
oracle weblogic_server 12.2.1.3.0
oracle policy_automation *
oracle hospitality_inventory_management 9.1.0
oracle banking_platform 2.12.0
oracle agile_plm 9.3.6
oracle hospitality_suite8 8.10.2
netapp h500s_firmware -
netapp h410c_firmware -
oracle communications_operations_monitor 4.4
netapp h700s_firmware -
netapp h410s_firmware -
oracle primavera_unifier 18.8
oracle weblogic_server 14.1.1.0.0
oracle primavera_unifier 20.12
oracle primavera_unifier *
oracle communications_interactive_session_recorder 6.4
fedoraproject fedora 33
oracle rest_data_services *
oracle primavera_unifier 21.12
tenable tenable.sc *
oracle primavera_unifier 19.12
oracle jd_edwards_enterpriseone_tools *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_platform 2.9.0
jqueryui jquery_ui *
drupal drupal *
fedoraproject fedora 34
oracle weblogic_server 12.2.1.4.0
oracle rest_data_services 22.1.1
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_operations_monitor 4.3
oracle application_express *
oracle hospitality_suite8 *
oracle big_data_spatial_and_graph *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
oracle communications_operations_monitor 5.0
CVE-2021-4147 MEDIUM

A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,CWE-667,

Products Affected

Vendor Product Version
redhat libvirt *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
CVE-2021-41524 MEDIUM

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
oracle instantis_enterprisetrack 17.2
oracle instantis_enterprisetrack 17.1
oracle instantis_enterprisetrack 17.3
netapp cloud_backup -
fedoraproject fedora 35
fedoraproject fedora 34
apache http_server 2.4.49
CVE-2021-4154 HIGH

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat virtualization 4.0
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h700e
netapp hci_baseboard_management_controller h300e
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h500e
netapp hci_baseboard_management_controller h410s
linux linux_kernel 5.14
netapp hci_baseboard_management_controller h500s
CVE-2021-4157 HIGH

An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.1
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_binding_support_function 22.2.0
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2021-41617 MEDIUM

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle http_server 12.2.1.2.0
oracle http_server 12.2.1.4.0
oracle zfs_storage_appliance_kit 8.8
netapp hci_management_node -
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp aff_a250_firmware -
netapp clustered_data_ontap -
oracle http_server 12.2.1.3.0
openbsd openssh *
fedoraproject fedora 35
netapp solidfire -
fedoraproject fedora 33
starwindsoftware starwind_virtual_san v8r13
netapp aff_500f_firmware -
CVE-2021-41773 MEDIUM

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
oracle instantis_enterprisetrack 17.2
oracle instantis_enterprisetrack 17.1
oracle instantis_enterprisetrack 17.3
netapp cloud_backup -
fedoraproject fedora 35
fedoraproject fedora 34
apache http_server 2.4.49
CVE-2021-41864 MEDIUM

prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp solidfire_baseboard_management_controller_firmware -
netapp hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 35
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
netapp ontap_select_deploy_administration_utility -
python python *
redhat software_collections -
debian debian_linux 11.0
python python 3.10.0
CVE-2021-4197 HIGH

An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.1
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_binding_support_function 22.2.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
broadcom brocade_fabric_operating_system_firmware -
netapp h700s_firmware -
CVE-2021-42008 MEDIUM

The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2021-42013 HIGH

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,CWE-22,NVD-CWE-Other,

Products Affected

Vendor Product Version
oracle instantis_enterprisetrack 17.2
oracle instantis_enterprisetrack 17.1
oracle jd_edwards_enterpriseone_tools *
oracle instantis_enterprisetrack 17.3
netapp cloud_backup -
fedoraproject fedora 35
oracle secure_backup *
apache http_server 2.4.50
fedoraproject fedora 34
apache http_server 2.4.49
CVE-2021-4203 MEDIUM

A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-362,CWE-416,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp element_software -
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp hci_management_node -
linux linux_kernel 5.15
oracle communications_cloud_native_core_policy 22.2.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp a700s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
linux linux_kernel *
netapp solidfire -
CVE-2021-4204

An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 9.0
linux linux_kernel *
linux linux_kernel 5.8.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2021-4209

A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
gnu gnutls *
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
CVE-2021-4214

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
libpng libpng 1.6.0
CVE-2021-42252 MEDIUM

An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp solidfire_baseboard_management_controller_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-42327 MEDIUM

dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-42340 MEDIUM

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,CWE-772,

Products Affected

Vendor Product Version
apache tomcat 10.1.0
apache tomcat *
oracle retail_data_extractor_for_merchandising 15.0.2
oracle retail_store_inventory_management 15.0.3.8
oracle retail_customer_insights 16.0.2
oracle retail_store_inventory_management 14.1.3.5
oracle agile_engineering_data_management 6.2.1.0
debian debian_linux 11.0
oracle communications_diameter_signaling_router *
oracle managed_file_transfer 12.2.1.3.0
oracle retail_customer_insights 15.0.2
oracle payment_interface 19.1
oracle hospitality_cruise_shipboard_property_management_system 20.1.0
oracle retail_store_inventory_management 16.0.3.7
oracle retail_store_inventory_management 15.0.3.3
oracle retail_data_extractor_for_merchandising 16.0.2
oracle retail_store_inventory_management 14.1.3.14
oracle payment_interface 20.3
oracle middleware_common_libraries_and_tools 12.2.1.4.0
oracle retail_store_inventory_management 14.0.4.13
netapp management_services_for_element_software -
oracle retail_financial_integration 19.0.0
netapp hci -
oracle sd-wan_edge 9.1
oracle managed_file_transfer 12.2.1.4.0
oracle retail_financial_integration 16.0.1
oracle taleo_platform *
oracle big_data_spatial_and_graph *
oracle sd-wan_edge 9.0
apache tomcat 10.0.0
oracle retail_eftlink 21.0.0
CVE-2021-42373 LOW

A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
busybox busybox 1.33.0
netapp h410s_firmware -
busybox busybox 1.33.1
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-42374 LOW

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H 1.0 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
busybox busybox *
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-42375 LOW

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-159,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
busybox busybox 1.33.1
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-42376 LOW

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
busybox busybox *
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-42377 MEDIUM

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-590,CWE-763,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_management_node -
netapp h500s_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
busybox busybox 1.33.0
netapp h410s_firmware -
busybox busybox 1.33.1
netapp cloud_backup -
netapp solidfire -
netapp h700e_firmware -
fedoraproject fedora 33
netapp h500e_firmware -
CVE-2021-42550 HIGH

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
qos logback 1.3.0
redhat satellite 6.0
qos logback *
netapp cloud_manager -
siemens sinec_nms *
netapp service_level_manager -
netapp snap_creator_framework -
CVE-2021-43057 HIGH

An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs because of an attempt to access the subjective credentials of another task.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-43267 HIGH

An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1284,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
CVE-2021-43527 HIGH

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
mozilla nss_esr *
oracle communications_cloud_native_core_network_repository_function 1.15.0
netapp cloud_backup -
starwindsoftware starwind_san_&_nas v8r13
oracle communications_policy_management 12.6.0.0.0
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
mozilla nss *
starwindsoftware starwind_virtual_san v8r13
CVE-2021-43616 HIGH

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
cve@mitre.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-345,

Products Affected

Vendor Product Version
netapp next_generation_application_programming_interface -
fedoraproject fedora 35
npmjs npm *
CVE-2021-43618 MEDIUM

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
gmplib gmp *
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2021-43797 MEDIUM

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
oracle helidon 1.4.10
netapp oncommand_workflow_automation -
oracle banking_deposits_and_lines_of_credit_servicing 2.7
debian debian_linux 10.0
oracle communications_design_studio 7.4.2
oracle banking_platform 2.6.2
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_party_management 2.7.0
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
netty netty *
netapp snapcenter -
debian debian_linux 11.0
oracle communications_cloud_native_core_policy 1.15.0
quarkus quarkus *
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_instant_messaging_server 8.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
oracle coherence 14.1.1.0.0
oracle helidon 2.4.0
oracle coherence 12.2.1.4.0
CVE-2021-43818 MEDIUM

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,CWE-79,CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
oracle http_server 12.2.1.4.0
oracle zfs_storage_appliance_kit 8.8
oracle communications_cloud_native_core_policy 22.2.0
fedoraproject fedora 34
debian debian_linux 11.0
netapp hci_storage_node_firmware -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
netapp solidfire -
lxml lxml *
debian debian_linux 9.0
netapp solidfire_enterprise_sds -
CVE-2021-43975 MEDIUM

In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-43976 LOW

In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
oracle communications_cloud_native_core_policy 22.2.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
netapp cloud_backup -
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-44228 HIGH

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-400,CWE-502,CWE-917,

Products Affected

Vendor Product Version
cisco unity_connection *
cisco firepower_threat_defense 6.6.0
cisco firepower_threat_defense 6.7.0
cisco common_services_platform_collector 002.009(000.001)
apache log4j 2.0
siemens captial 2019.1
cisco paging_server 14.0(1)
cisco unified_sip_proxy 010.000(001)
siemens energyip 8.6
siemens solid_edge_harness_design 2020
cisco sd-wan_vmanage 20.8
cisco dna_spaces_connector -
cisco dna_center *
siemens industrial_edge_management_hub *
cisco video_surveillance_operations_manager *
cisco unified_customer_voice_portal 12.6(1)
siemens spectrum_power_7 *
cisco iot_operations_dashboard -
cisco cloudcenter_cost_optimizer *
cisco connected_analytics_for_network_deployment 008.000.000
cisco optical_network_controller *
cisco common_services_platform_collector 002.010(000.000)
siemens siguard_dsa *
siemens spectrum_power_4 4.70
cisco connected_analytics_for_network_deployment 007.002.000
cisco sd-wan_vmanage 20.3
bentley synchro_4d *
cisco evolved_programmable_network_manager 4.0
netapp oncommand_insight -
cisco crosswork_network_automation 4.1.1
cisco network_dashboard_fabric_controller 11.1(1)
cisco unified_sip_proxy 010.002(000)
cisco identity_services_engine 003.000(000.458)
siemens 6bk1602-0aa12-0tp0_firmware *
cisco integrated_management_controller_supervisor *
siemens e-car_operation_center *
siemens sipass_integrated 2.80
cisco crosswork_network_automation 3.0.0
cisco identity_services_engine 002.007(000.356)
cisco unified_contact_center_express 12.6(2)
cisco unified_customer_voice_portal 11.6(1)
siemens energy_engage 3.1
cisco connected_analytics_for_network_deployment 006.004.000.003
siemens industrial_edge_management *
cisco cloudcenter_suite 5.5(0)
cisco cloudcenter_suite 4.10(0.15)
cisco crosswork_network_automation 4.1.0
cisco cloudcenter_suite 5.3(0)
cisco sd-wan_vmanage 20.6.1
cisco ucs_central *
cisco identity_services_engine 003.002(000.116)
siemens siveillance_identity 1.5
siemens comos *
siemens siveillance_command *
cisco contact_center_management_portal *
cisco network_dashboard_fabric_controller 11.5(3)
cisco cloudcenter_suite 5.4(1)
cisco fxos 6.4.0
cisco dna_spaces -
cisco unified_communications_manager_im_&_presence_service 11.5(1)
cisco cloudcenter_suite 5.3.0
cisco dna_spaces:_connector *
cisco ucs_central_software 2.0(1d)
cisco unified_communications_manager_im_and_presence_service 11.5(1)
siemens sentron_powermanager 4.1
cisco connected_mobile_experiences -
cisco network_dashboard_fabric_controller 11.5(2)
cisco smart_phy 3.1.4
siemens desigo_cc_advanced_reports 4.1
siemens 6bk1602-0aa52-0tp0_firmware *
siemens siguard_dsa 4.4
cisco fxos 7.0.0
cisco cyber_vision_sensor_management_extension *
cisco evolved_programmable_network_manager 4.1
cisco integrated_management_controller_supervisor 002.003(002.000)
siemens 6bk1602-0aa32-0tp0_firmware *
cisco unified_intelligence_center 12.6(2)
siemens desigo_cc_info_center 5.1
cisco identity_services_engine 002.006(000.156)
siemens teamcenter *
siemens vesys *
siemens vesys 2019.1
cisco virtual_topology_system *
cisco unified_sip_proxy 010.002(001)
cisco webex_meetings_server 3.0
cisco unity_connection 11.5
cisco ucs_central_software 2.0(1f)
cisco cloudcenter_suite 5.5.1
cisco connected_analytics_for_network_deployment 007.003.000
cisco webex_meetings_server *
cisco unified_communications_manager 11.5(1)su3
cisco fxos 7.1.0
cisco crosswork_zero_touch_provisioning 3.0.0
cisco smart_phy 3.1.2
siemens mindsphere *
cisco unified_intelligence_center 12.6(1)
cisco unified_communications_manager 11.5(1.18119.2)
cisco wan_automation_engine 7.1.3
intel computer_vision_annotation_tool -
cisco unified_contact_center_enterprise 11.6(2)
siemens siguard_dsa 4.3
cisco smart_phy 21.3
sonicwall email_security *
cisco evolved_programmable_network_manager 3.1
netapp snapcenter -
cisco ucs_central_software 2.0(1h)
cisco common_services_platform_collector 002.009(000.002)
cisco emergency_responder *
cisco common_services_platform_collector 002.009(001.000)
cisco emergency_responder 11.5(4.66000.14)
cisco unified_communications_manager *
siemens mendix *
siemens energyip 8.5
cisco fxos 6.3.0
netapp solidfire_enterprise_sds -
cisco fog_director -
cisco fxos 6.6.0
cisco identity_services_engine 003.001(000.518)
siemens energyip 8.7
siemens desigo_cc_advanced_reports 3.0
cisco firepower_threat_defense 7.1.0
cisco ucs_central_software 2.0(1e)
cisco crosswork_network_automation -
siemens desigo_cc_info_center 5.0
cisco wan_automation_engine 7.5
cisco wan_automation_engine 7.2.2
cisco paging_server 9.0(1)
netapp cloud_secure_agent -
cisco firepower_threat_defense 7.0.0
cisco finesse *
cisco ucs_central_software 2.0
cisco unified_contact_center_express 12.5(1)
cisco unified_computing_system 006.008(001.000)
cisco evolved_programmable_network_manager *
cisco webex_meetings_server 4.0
cisco unified_contact_center_enterprise 12.6(1)
cisco smart_phy 3.1.3
cisco wan_automation_engine 7.6
fedoraproject fedora 35
apple xcode *
siemens sipass_integrated 2.85
cisco paging_server 8.5(1)
cisco identity_services_engine *
cisco crosswork_network_automation 2.0.0
siemens head-end_system_universal_device_integration_system *
cisco cloudcenter_suite_admin *
netapp ontap_tools -
cisco paging_server 8.3(1)
cisco sd-wan_vmanage *
cisco unified_contact_center_enterprise 12.6(2)
siemens logo!_soft_comfort *
intel system_debugger -
cisco unified_contact_center_management_portal 12.6(1)
cisco sd-wan_vmanage 20.5
cisco video_surveillance_manager 7.14(3.025)
siemens solid_edge_harness_design *
cisco unified_customer_voice_portal 12.0(1)
cisco enterprise_chat_and_email 12.6(1)
cisco video_surveillance_manager 7.14(4.018)
cisco ucs_central_software 2.0(1b)
siemens capital 2019.1
cisco paging_server 9.1(1)
cisco video_surveillance_manager 7.14(1.26)
cisco common_services_platform_collector 002.009(000.000)
cisco common_services_platform_collector 002.009(001.002)
debian debian_linux 9.0
cisco common_services_platform_collector 002.009(001.001)
siemens sentron_powermanager 4.2
cisco network_insights_for_data_center 6.0(2.1914)
cisco unified_customer_voice_portal 12.5(1)
cisco unified_sip_proxy 010.000(000)
debian debian_linux 10.0
siemens energyip_prepay 3.8
cisco fxos 6.5.0
cisco cloudcenter *
cisco crosswork_network_controller *
cisco cloudcenter_suite 5.4.1
cisco unified_communications_manager 11.5(1.18900.97)
cisco broadworks -
cisco unified_customer_voice_portal 11.6
cisco cloudcenter_suite 5.5.0
cisco packaged_contact_center_enterprise 11.6(1)
cisco wan_automation_engine 7.4
intel system_studio -
cisco unified_intelligence_center *
netapp brocade_san_navigator -
cisco emergency_responder 11.5(4.65000.14)
cisco sd-wan_vmanage 20.7
cisco nexus_insights *
cisco emergency_responder 11.5
snowsoftware vm_access_proxy *
cisco prime_service_catalog 12.1
cisco cloud_connect *
cisco identity_services_engine 002.004(000.914)
cisco nexus_dashboard *
cisco firepower_threat_defense 6.3.0
cisco packaged_contact_center_enterprise *
siemens nx *
cisco paging_server 8.4(1)
cisco smart_phy 3.1.5
cisco unified_communications_manager 11.5(1)
cisco wan_automation_engine *
cisco unified_workforce_optimization *
cisco firepower_threat_defense 6.4.0
siemens energyip_prepay 3.7
cisco unified_communications_manager_im_and_presence_service *
cisco evolved_programmable_network_manager 5.0
cisco sd-wan_vmanage 20.6
cisco ucs_central_software 2.0(1g)
cisco ucs_central_software 2.0(1a)
cisco unified_communications_manager 11.5(1.21900.40)
intel genomics_kernel_library -
cisco connected_analytics_for_network_deployment 7.3
cisco network_assurance_engine 6.0(2.1912)
cisco identity_services_engine 2.4.0
cisco intersight_virtual_appliance *
cisco unified_workforce_optimization 11.5(1)
siemens desigo_cc_advanced_reports 5.1
cisco cloudcenter_workload_manager *
cisco paging_server 9.0(2)
siemens siveillance_vantage *
cisco unified_sip_proxy *
cisco crosswork_optimization_engine 3.0.0
cisco mobility_services_engine -
fedoraproject fedora 34
cisco ucs_central_software 2.0(1k)
intel secure_device_onboard -
cisco automated_subsea_tuning 02.01.00
cisco crosswork_network_controller 3.0.0
netapp cloud_manager -
siemens desigo_cc_advanced_reports 5.0
cisco video_surveillance_manager 7.14(2.26)
cisco wan_automation_engine 7.2.3
cisco network_services_orchestrator *
siemens opcenter_intelligence *
cisco cloudcenter_suite 4.10.0.15
cisco data_center_network_manager *
intel data_center_manager *
cisco cloudcenter_suite 5.5(1)
cisco unified_contact_center_enterprise *
cisco intersight_virtual_appliance 1.0.9-343
siemens gma-manager *
siemens xpedition_package_integrator -
cisco finesse 12.6(1)
siemens spectrum_power_4 *
cisco evolved_programmable_network_manager 5.1
cisco virtual_topology_system 2.6.6
cisco data_center_network_manager 11.3(1)
cisco crosswork_optimization_engine *
cisco network_dashboard_fabric_controller 11.3(1)
cisco unified_communications_manager 11.5(1.22900.28)
siemens navigator *
siemens siguard_dsa 4.2
cisco fxos 6.2.3
cisco unity_connection 11.5(1.10000.6)
siemens xpedition_enterprise -
cisco unified_communications_manager 11.5(1.17900.52)
cisco crosswork_data_gateway 3.0.0
cisco smart_phy 3.2.1
intel datacenter_manager *
siemens sppa-t3000_ses3000_firmware *
cisco ucs_director *
cisco network_assurance_engine *
cisco smart_phy *
bentley synchro *
cisco dna_center 2.2.2.8
siemens siveillance_control_pro *
cisco crosswork_data_gateway *
cisco automated_subsea_tuning *
siemens 6bk1602-0aa42-0tp0_firmware *
cisco paging_server *
cisco connected_analytics_for_network_deployment 007.003.003
intel audio_development_kit -
siemens siveillance_viewpoint *
cisco enterprise_chat_and_email *
siemens vesys 2021.1
siemens 6bk1602-0aa22-0tp0_firmware *
siemens desigo_cc_advanced_reports 4.2
snowsoftware snow_commander *
cisco crosswork_zero_touch_provisioning *
cisco cx_cloud_agent 001.012
cisco network_dashboard_fabric_controller 11.4(1)
cisco unified_communications_manager_im_&_presence_service 11.5(1.22900.6)
siemens captial *
cisco enterprise_chat_and_email 12.0(1)
cisco paging_server 12.5(2)
cisco unified_customer_voice_portal 12.0
cisco ucs_central_software 2.0(1l)
cisco crosswork_platform_infrastructure *
cisco enterprise_chat_and_email 12.5(1)
cisco optical_network_controller 1.1
cisco unified_customer_voice_portal 12.5
siemens siveillance_identity 1.6
cisco common_services_platform_collector *
intel oneapi_sample_browser -
cisco contact_center_domain_manager *
siemens vesys 2020.1
siemens capital *
cisco connected_analytics_for_network_deployment 007.000.001
cisco virtualized_infrastructure_manager *
cisco broadworks *
cisco connected_analytics_for_network_deployment 008.000.000.000.004
cisco advanced_malware_protection_virtual_private_cloud_appliance *
cisco business_process_automation *
percussion rhythmyx *
cisco connected_analytics_for_network_deployment 007.003.001.001
siemens solid_edge_cam_pro *
cisco workload_optimization_manager *
cisco fxos 6.7.0
cisco customer_experience_cloud_agent *
cisco connected_analytics_for_network_deployment 006.005.000.
debian debian_linux 11.0
cisco unified_contact_center_enterprise 12.0(1)
siemens energyip 9.0
intel sensor_solution_firmware_development_kit -
cisco wan_automation_engine 7.2.1
netapp cloud_insights -
cisco cyber_vision_sensor_management_extension 4.0.2
cisco network_dashboard_fabric_controller 11.5(1)
cisco sd-wan_vmanage 20.4
cisco unified_contact_center_enterprise 12.5(1)
cisco evolved_programmable_network_manager 3.0
cisco unified_contact_center_express 12.6(1)
cisco network_dashboard_fabric_controller 11.0(1)
cisco connected_analytics_for_network_deployment 007.001.000
siemens operation_scheduler *
cisco prime_service_catalog *
siemens spectrum_power_7 2.30
cisco connected_analytics_for_network_deployment 006.005.000.000
siemens energyip_prepay *
cisco crosswork_platform_infrastructure 4.1.0
cisco network_services_orchestrator -
cisco firepower_threat_defense 6.5.0
cisco network_dashboard_fabric_controller 11.2(1)
netapp active_iq_unified_manager -
apache log4j *
siemens desigo_cc_advanced_reports 4.0
cisco ucs_central_software 2.0(1c)
cisco virtualized_voice_browser *
cisco firepower_threat_defense 6.2.3
cisco cyber_vision 4.0.2
cisco wan_automation_engine 7.3
netapp solidfire_&_hci_storage_node -
cisco integrated_management_controller_supervisor 2.3.2.0
cisco unified_contact_center_express *
cisco unified_customer_voice_portal *
cisco finesse 12.5(1)
CVE-2021-44716 MEDIUM

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
golang go *
debian debian_linux 9.0
netapp cloud_insights_telegraf -
CVE-2021-44733 MEDIUM

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
debian debian_linux 10.0
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
fedoraproject fedora 35
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-44790 HIGH

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
tenable tenable.sc *
oracle http_server 12.2.1.4.0
apache http_server *
oracle zfs_storage_appliance_kit 8.8
oracle instantis_enterprisetrack 17.3
apple macos *
apple mac_os_x 10.15.7
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
debian debian_linux 11.0
oracle instantis_enterprisetrack 17.2
oracle communications_session_report_manager *
oracle communications_operations_monitor 4.3
oracle communications_session_route_manager *
netapp cloud_backup -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
oracle communications_element_manager *
oracle communications_operations_monitor 5.0
CVE-2021-45078 MEDIUM

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
fedoraproject fedora 34
gnu binutils *
debian debian_linux 11.0
CVE-2021-45100 MEDIUM

The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
ksmbd_project ksmbd *
CVE-2021-45105 MEDIUM

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-674,CWE-20,CWE-674,

Products Affected

Vendor Product Version
oracle hospitality_suite8 8.14.0
sonicwall 6bk1602-0aa32-0tp0_firmware *
oracle agile_plm 9.3.6
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle health_sciences_empirica_signal 9.2.0.0
oracle hyperion_planning *
oracle insurance_insbridge_rating_and_underwriting 5.2.0
oracle communications_cloud_native_core_service_communication_proxy 1.15.0
oracle webcenter_portal 12.2.1.4.0
oracle communications_convergent_charging_controller *
oracle retail_order_broker 19.1
oracle retail_returns_management 14.1
oracle retail_integration_bus 19.0.1
oracle primavera_unifier 21.12
oracle retail_store_inventory_management 14.1.3.14
sonicwall 6bk1602-0aa42-0tp0_firmware *
oracle payment_interface 20.3
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle agile_plm_mcad_connector 3.6
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle financial_services_model_management_and_governance 8.1.1.0.0
oracle communications_eagle_ftp_table_base_retrieval 4.5
oracle enterprise_manager_for_peoplesoft 13.4.1.1
oracle identity_management_suite 12.2.1.4.0
sonicwall network_security_manager *
oracle primavera_p6_enterprise_project_portfolio_management 21.12.0.0
oracle financial_services_analytical_applications_infrastructure *
oracle retail_data_extractor_for_merchandising 15.0.2
oracle communications_unified_inventory_management 7.4.1
oracle hyperion_tax_provision *
oracle utilities_framework *
oracle identity_management_suite 12.2.1.3.0
oracle retail_eftlink 20.0.1
oracle retail_eftlink 18.0.1
oracle utilities_framework 4.4.0.0.0
oracle communications_webrtc_session_controller 7.2.1
oracle management_cloud_engine 1.5.0
oracle communications_interactive_session_recorder 6.4
oracle retail_service_backbone 14.1.3
oracle retail_price_management 15.0.3.0
oracle hyperion_bi+ *
oracle health_sciences_inform 6.2.1.1
oracle primavera_unifier 19.12
oracle webcenter_portal 12.2.1.3.0
oracle banking_treasury_management 14.5
oracle banking_party_management 2.7.0
oracle banking_deposits_and_lines_of_credit_servicing 2.12.0
oracle healthcare_foundation *
oracle retail_eftlink 19.0.1
oracle instantis_enterprisetrack 17.2
oracle communications_session_report_manager *
oracle retail_predictive_application_server 14.1.3.46
oracle retail_service_backbone 15.0.3.1
oracle hyperion_data_relationship_management *
oracle retail_eftlink 21.0.0
oracle business_intelligence 5.5.0.0.0
oracle retail_order_management_system 19.5
oracle hyperion_profitability_and_cost_management *
oracle retail_store_inventory_management 15.0.3.8
oracle retail_customer_insights 16.0.2
oracle communications_unified_inventory_management 7.4.2
sonicwall email_security *
oracle communications_convergence 3.0.2.2.0
oracle retail_predictive_application_server 15.0.3.115
oracle primavera_unifier 20.12
oracle banking_payments 14.5
oracle communications_billing_and_revenue_management 12.0.0.5
oracle banking_loans_servicing 2.12.0
oracle retail_order_broker 18.0
oracle retail_store_inventory_management 16.0.3.7
sonicwall 6bk1602-0aa22-0tp0_firmware *
oracle enterprise_manager_ops_center 12.4.0.0
oracle retail_integration_bus 14.1.3
oracle communications_network_charging_and_control 6.0.1.0.0
oracle retail_store_inventory_management 14.0.4.13
oracle communications_cloud_native_core_policy 1.15.0
oracle insurance_insbridge_rating_and_underwriting *
oracle retail_financial_integration 19.0.0
oracle banking_platform 2.7.1
oracle health_sciences_inform 7.0.0.0
oracle flexcube_universal_banking 14.5
oracle weblogic_server 12.2.1.3.0
oracle primavera_gateway 21.12.0
oracle e-business_suite 12.2
oracle instantis_enterprisetrack 17.3
oracle agile_engineering_data_management 6.2.1.0
oracle utilities_framework 4.4.0.3.0
oracle retail_point-of-service 14.1
oracle hospitality_suite8 8.13.0
oracle banking_enterprise_default_management 2.12.0
sonicwall web_application_firewall *
oracle retail_eftlink 16.0.3
debian debian_linux 10.0
oracle instantis_enterprisetrack 17.1
oracle webcenter_sites 12.2.1.3.0
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle weblogic_server 12.2.1.4.0
sonicwall 6bk1602-0aa12-0tp0_firmware *
oracle webcenter_sites 12.2.1.4.0
oracle retail_back_office 14.1
oracle managed_file_transfer 12.2.1.4.0
oracle banking_enterprise_default_management 2.7.1
oracle hyperion_infrastructure_technology *
oracle retail_service_backbone 19.0.1
oracle retail_service_backbone 14.1.3.2
sonicwall 6bk1602-0aa52-0tp0_firmware *
oracle communications_network_integrity 7.3.6
oracle retail_financial_integration *
oracle banking_trade_finance 14.5
oracle communications_diameter_signaling_router *
oracle flexcube_universal_banking 11.83.3
oracle primavera_unifier 18.8
oracle communications_cloud_native_core_network_repository_function 1.15.0
oracle retail_invoice_matching 16.0.3
oracle retail_service_backbone 19.0.0
oracle retail_customer_insights 15.0.2
oracle enterprise_manager_for_peoplesoft 13.5.1.1
oracle retail_merchandising_system 19.0.1
oracle retail_financial_integration 14.1.3.2
oracle communications_service_broker 6.2
oracle peoplesoft_enterprise_peopletools 8.59
oracle retail_data_extractor_for_merchandising 16.0.2
oracle insurance_data_gateway 1.0.1
oracle retail_order_broker 16.0
oracle sql_developer *
oracle enterprise_manager_base_platform 13.4.0.0
netapp cloud_manager -
oracle healthcare_translational_research 4.1.0
oracle retail_integration_bus 14.1.3.2
oracle communications_element_manager *
oracle hospitality_token_proxy_service 19.2
oracle retail_central_office 14.1
oracle retail_predictive_application_server 16.0.3.240
oracle mysql_enterprise_monitor *
oracle primavera_gateway *
oracle communications_interactive_session_recorder 6.3
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle communications_convergence 3.0.3.0
oracle retail_service_backbone 19.0.1.0
oracle retail_financial_integration 15.0.3.1
oracle retail_invoice_matching 15.0.3
oracle retail_integration_bus *
oracle retail_store_inventory_management 15.0.3.3
oracle communications_convergent_charging_controller 6.0.1.0.0
oracle insurance_insbridge_rating_and_underwriting 5.6.1.0
oracle communications_performance_intelligence_center 10.4.0.3
oracle communications_messaging_server 8.1
oracle communications_network_charging_and_control *
oracle communications_ip_service_activator 7.4.0
oracle taleo_platform *
oracle retail_price_management 14.1.3.0
oracle financial_services_model_management_and_governance 8.0.8.0.0
oracle identity_manager_connector 9.1.0
oracle retail_price_management 16.0.3.0
oracle banking_platform 2.12.0
oracle communications_billing_and_revenue_management 12.0.0.4
oracle retail_store_inventory_management 14.1.3.5
oracle retail_eftlink 17.0.2
oracle communications_pricing_design_center 12.0.0.4
oracle payment_interface 19.1
oracle communications_pricing_design_center 12.0.0.5
oracle healthcare_data_repository 8.1.1
oracle communications_webrtc_session_controller 7.2.0.0
oracle communications_cloud_native_core_console 1.9.0
oracle data_integrator 12.2.1.4.0
oracle retail_integration_bus 19.0.0
oracle financial_services_model_management_and_governance 8.1.0.0.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_evolved_communications_application_server 7.1
oracle retail_integration_bus 15.0.3.1
oracle retail_financial_integration 19.0.1
oracle retail_service_backbone *
oracle banking_platform 2.6.2
oracle communications_asap 7.3
debian debian_linux 11.0
oracle retail_price_management 13.2
oracle autovue_for_agile_product_lifecycle_management 21.0.2
oracle healthcare_master_person_index 5.0.1
oracle communications_session_route_manager *
oracle managed_file_transfer 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
oracle communications_unified_inventory_management 7.3.5
oracle health_sciences_empirica_signal 9.1.0.6
oracle siebel_ui_framework *
oracle jdeveloper 12.2.1.4.0
oracle communications_user_data_repository 12.4
oracle utilities_framework 4.4.0.2.0
oracle data_integrator 12.2.1.3.0
oracle health_sciences_inform 6.3.2.1
oracle health_sciences_information_manager *
oracle communications_eagle_element_management_system 46.6
apache log4j *
oracle retail_merchandising_system 16.0.3
oracle communications_services_gatekeeper 7.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle healthcare_translational_research 4.1.1
oracle flexcube_universal_banking *
oracle retail_price_management 14.0.4
CVE-2021-45346 MEDIUM

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
sqlite sqlite 3.37.0
netapp ontap_select_deploy_administration_utility -
sqlite sqlite 3.35.1
CVE-2021-45469 MEDIUM

In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2021-45485 MEDIUM

In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp all_flash_fabric-attached_storage_8300_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp fabric-attached_storage_8700_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp e-series_santricity_os_controller -
linux linux_kernel *
netapp h610c_firmware -
netapp aff_a400_firmware -
netapp all_flash_fabric-attached_storage_8700_firmware -
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp fabric-attached_storage_8300_firmware -
netapp h610s_firmware -
netapp hci_compute_node_firmware -
oracle communications_cloud_native_core_policy 22.2.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp brocade_fabric_operating_system_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp fabric-attached_storage_a400_firmware -
CVE-2021-45868 MEDIUM

In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2021-45960 HIGH

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-682,CWE-682,

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h615c
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp active_iq_unified_manager -
siemens sinema_remote_connect_server *
libexpat_project libexpat *
debian debian_linux 11.0
tenable nessus *
CVE-2021-46143 MEDIUM

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
cve@mitre.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h615c
netapp oncommand_workflow_automation -
netapp clustered_data_ontap -
netapp solidfire_&_hci_management_node -
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp active_iq_unified_manager -
siemens sinema_remote_connect_server *
libexpat_project libexpat *
tenable nessus *
CVE-2022-0185 HIGH

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.5 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-191,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-0330 MEDIUM

A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-281,CWE-281,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
netapp h300e_firmware -
redhat codeready_linux_builder_for_power_little_endian_eus 8.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_real_time_for_nfv 8
redhat codeready_linux_builder 8.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_power_big_endian 7.0
netapp h500s_firmware -
netapp h410c_firmware -
redhat developer_tools 1.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat virtualization 4.0
redhat 3scale_api_management 2.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux 8.0
redhat enterprise_linux_workstation 7.0
redhat codeready_linux_builder 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 34
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_aus 8.2
linux linux_kernel 5.17
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_for_real_time_for_nfv 7
netapp h700e_firmware -
netapp h500e_firmware -
netapp h300s_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_for_real_time 7
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat ovirt-node 4.4.10
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
redhat codeready_linux_builder_eus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.6
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat codeready_linux_builder_eus_for_power_little_endian 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.7
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_aus 7.3
redhat codeready_linux_builder_for_power_little_endian_eus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2022-0391 MEDIUM

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,CWE-74,

Products Affected

Vendor Product Version
oracle http_server 12.2.1.4.0
oracle zfs_storage_appliance_kit 8.8
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp solidfire,_enterprise_sds_&_hci_storage_node -
python python 3.10.0
netapp management_services_for_element_software -
netapp hci -
oracle http_server 12.2.1.3.0
fedoraproject fedora 35
python python *
netapp hci_compute_node -
CVE-2022-0396 MEDIUM

BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-404,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
fedoraproject fedora 36
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
siemens sinec_ins 1.0
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
siemens sinec_ins *
netapp baseboard_management_controller_h700s_firmware -
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
isc bind *
fedoraproject fedora 35
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-0435 HIGH

A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
redhat codeready_linux_builder_for_power_little_endian_eus 8.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_real_time_for_nfv 8
redhat codeready_linux_builder 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.4
netapp h500s_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat codeready_linux_builder_eus 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat virtualization 4.0
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat codeready_linux_builder_eus_for_power_little_endian 8.2
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat codeready_linux_builder 8.0
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
ovirt node 4.4.10
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 34
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat codeready_linux_builder_for_power_little_endian_eus 8.4
redhat enterprise_linux_server_aus 8.2
linux linux_kernel 5.17
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
netapp h700e_firmware -
netapp h500e_firmware -
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2022-0492 MEDIUM

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-862,

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
canonical ubuntu_linux 20.04
netapp h500s -
canonical ubuntu_linux 18.04
netapp baseboard_management_controller_h410s -
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux 8.0
netapp baseboard_management_controller_h300e -
redhat codeready_linux_builder 8.0
netapp h300e -
redhat codeready_linux_builder_for_power_little_endian 8.2
redhat enterprise_linux_server_aus 8.2
netapp h410c -
netapp baseboard_management_controller_h300s -
linux linux_kernel 5.17
fedoraproject fedora 35
netapp baseboard_management_controller_h700e -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_for_real_time_tus 8.0
netapp baseboard_management_controller_h700s -
debian debian_linux 11.0
redhat codeready_linux_builder 8.2
netapp h700s -
netapp h410s -
canonical ubuntu_linux 16.04
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_real_time_for_nfv_tus 8.0
canonical ubuntu_linux 22.04
redhat enterprise_linux_for_ibm_z_systems_eus 8.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_for_ibm_z_systems 8.0
debian debian_linux 9.0
redhat enterprise_linux_eus 8.2
debian debian_linux 10.0
netapp baseboard_management_controller_h410c -
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
netapp h700e -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp baseboard_management_controller_h500e -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
netapp h300s -
redhat enterprise_linux_for_power_little_endian_eus 8.0
redhat codeready_linux_builder_for_power_little_endian 8.0
netapp h500e -
netapp hci_compute_node -
netapp baseboard_management_controller_h500s -
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2022-0500 HIGH

A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
CVE-2022-0516 MEDIUM

A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to 5.17-rc4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.4
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat codeready_linux_builder -
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 34
linux linux_kernel 5.17
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-0561 MEDIUM

Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2022-0562 MEDIUM

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2022-0563 LOW

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-209,CWE-209,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
kernel util-linux *
CVE-2022-0635 MEDIUM

Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
isc bind 9.18.0
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-0646 HIGH

A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-459,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel 5.17
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-0667 MEDIUM

When the vulnerability is triggered the BIND process will exit. BIND 9.18.0

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
isc bind 9.18.0
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-0742 HIGH

Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-275,CWE-401,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp aff_8700_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp aff_8300_firmware -
netapp fas_8300_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp a400_firmware -
linux linux_kernel 5.17
linux linux_kernel *
netapp h700e_firmware -
netapp h500e_firmware -
netapp fas_8700_firmware -
CVE-2022-0778 MEDIUM

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
openssl openssl *
mariadb mariadb *
fedoraproject fedora 36
debian debian_linux 10.0
netapp cloud_volumes_ontap_mediator -
fedoraproject fedora 34
debian debian_linux 11.0
netapp santricity_smi-s_provider -
tenable nessus *
netapp clustered_data_ontap -
netapp 500f_firmware -
nodejs node.js *
netapp storagegrid -
debian debian_linux 9.0
netapp clustered_data_ontap_antivirus_connector -
netapp a250_firmware -
CVE-2022-0847 HIGH

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_real_time_for_nfv 8
sonicwall sma1000_firmware *
redhat enterprise_linux_for_power_little_endian_eus 8.4
netapp h500s_firmware -
netapp h410c_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
netapp h700s_firmware -
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
netapp h410s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat codeready_linux_builder -
redhat enterprise_linux 8.0
siemens scalance_lpe9403_firmware *
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
fedoraproject fedora 35
redhat enterprise_linux_eus 8.4
ovirt ovirt-engine 4.4.10.2
netapp h700e_firmware -
netapp h500e_firmware -
redhat enterprise_linux_for_real_time_tus 8.2
CVE-2022-0865 MEDIUM

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff 4.3.0
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-0891 MEDIUM

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-0897 MEDIUM

A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,CWE-667,

Products Affected

Vendor Product Version
redhat libvirt *
netapp ontap_select_deploy_administration_utility -
CVE-2022-0907 MEDIUM

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-252,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff 4.3.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-0908 MEDIUM

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 3.1 4.0
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-0909 MEDIUM

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff 4.3.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-0924 MEDIUM

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff 4.3.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-0995 HIGH

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410c_firmware -
netapp h610c_firmware -
netapp baseboard_management_controller_h615c_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h610c_firmware -
netapp h610s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp baseboard_management_controller_h610s_firmware -
linux linux_kernel 5.17
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-0998 HIGH

An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-1011 MEDIUM

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp h300s_firmware -
netapp h300e_firmware -
oracle communications_cloud_native_core_binding_support_function 22.1.3
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_for_real_time_for_nfv 8
netapp h500s_firmware -
netapp h410c_firmware -
redhat developer_tools 1.0
netapp h700s_firmware -
redhat enterprise_linux_for_real_time_for_nfv_tus 8.6
netapp h410s_firmware -
redhat build_of_quarkus 2.0
redhat enterprise_linux_for_real_time_tus 8.6
redhat enterprise_linux_server_tus 8.6
linux linux_kernel *
redhat virtualization_host 4.0
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_ibm_z_systems 8.0
debian debian_linux 9.0
redhat codeready_linux_builder -
redhat enterprise_linux 8.0
redhat enterprise_linux_server_update_services_for_sap_solutions 8.6
debian debian_linux 10.0
redhat enterprise_linux_eus 8.6
fedoraproject fedora 34
redhat enterprise_linux 7.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.6
linux linux_kernel 5.17
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
CVE-2022-1048 MEDIUM

A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-362,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
debian debian_linux 10.0
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel 5.17
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-1055 MEDIUM

A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
canonical ubuntu_linux 21.10
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel 5.17
linux linux_kernel *
canonical ubuntu_linux 22.04
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-1056 MEDIUM

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libtiff libtiff 4.3.0
netapp active_iq_unified_manager -
CVE-2022-1116 HIGH

Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700s_firmware -
CVE-2022-1183 MEDIUM

On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 -> 9.18.2 and version 9.19.0 of the BIND 9.19 development branch.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
isc bind *
netapp h500s_firmware -
netapp h410c_firmware -
isc bind 9.19.0
netapp h700s_firmware -
CVE-2022-1199

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
linux linux_kernel 5.18
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-1210 MEDIUM

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-404,

Products Affected

Vendor Product Version
libtiff libtiff 4.3.0
netapp ontap_select_deploy_administration_utility -
CVE-2022-1259

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat integration_camel_k -
redhat jboss_enterprise_application_platform 7.0.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
redhat undertow 2.2.19
redhat single_sign-on 7.0
redhat openshift_application_runtimes -
redhat build_of_quarkus -
redhat undertow 2.2.18
redhat undertow *
CVE-2022-1292 HIGH

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
fedoraproject fedora 36
siemens brownfield_connectivity_gateway *
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp fas_8300_firmware -
netapp snapcenter -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp snapmanager -
debian debian_linux 9.0
netapp fas_8700_firmware -
netapp aff_a400_firmware -
netapp fas_500f_firmware -
netapp oncommand_workflow_automation -
openssl openssl *
debian debian_linux 10.0
oracle enterprise_manager_ops_center 12.4.0.0
oracle mysql_server *
netapp aff_8700_firmware -
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp santricity_smi-s_provider -
netapp a700s_firmware -
netapp smi-s_provider -
oracle mysql_workbench *
netapp clustered_data_ontap -
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp clustered_data_ontap_antivirus_connector -
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2022-1319

A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat undertow 2.2.19
redhat single_sign-on 7.0
redhat openshift_application_runtimes -
redhat undertow 2.2.17
netapp oncommand_insight -
redhat undertow *
redhat undertow 2.3.0
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
CVE-2022-1343 MEDIUM

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp fas_8300_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp snapmanager -
netapp fas_8700_firmware -
netapp aff_a400_firmware -
netapp fas_500f_firmware -
openssl openssl *
netapp aff_8700_firmware -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp santricity_smi-s_provider -
netapp a700s_firmware -
netapp smi-s_provider -
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp clustered_data_ontap_antivirus_connector -
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2022-1353 LOW

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
debian debian_linux 10.0
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel 5.17
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2022-1354

A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 9.0
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 34
debian debian_linux 11.0
CVE-2022-1355

A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H 1.8 4.2

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 7.0
redhat enterprise_linux 9.0
fedoraproject fedora 36
debian debian_linux 10.0
libtiff libtiff *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
fedoraproject fedora 34
debian debian_linux 11.0
CVE-2022-1434 MEDIUM

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp fas_8300_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp snapmanager -
netapp fas_8700_firmware -
netapp aff_a400_firmware -
netapp fas_500f_firmware -
openssl openssl *
netapp aff_8700_firmware -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp santricity_smi-s_provider -
netapp a700s_firmware -
netapp smi-s_provider -
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp clustered_data_ontap_antivirus_connector -
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2022-1473 MEDIUM

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp fas_8300_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp snapmanager -
netapp fas_8700_firmware -
netapp aff_a400_firmware -
netapp fas_500f_firmware -
openssl openssl *
netapp aff_8700_firmware -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp santricity_smi-s_provider -
netapp a700s_firmware -
netapp smi-s_provider -
netapp clustered_data_ontap -
netapp h700e_firmware -
netapp h500e_firmware -
netapp fabric-attached_storage_a400_firmware -
netapp clustered_data_ontap_antivirus_connector -
netapp aff_500f_firmware -
netapp a250_firmware -
CVE-2022-1586 MEDIUM

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
pcre pcre2 *
redhat enterprise_linux 9.0
fedoraproject fedora 36
debian debian_linux 10.0
netapp hci_management_node -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
pcre pcre2 10.40
fedoraproject fedora 35
netapp solidfire -
CVE-2022-1587 MEDIUM

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
netapp h300s_firmware -
pcre pcre2 *
redhat enterprise_linux 9.0
fedoraproject fedora 36
netapp hci_management_node -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 35
netapp solidfire -
CVE-2022-1619 MEDIUM

Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
vim vim *
netapp hci_management_node -
apple macos *
fedoraproject fedora 35
netapp solidfire -
debian debian_linux 9.0
fedoraproject fedora 34
CVE-2022-1622 MEDIUM

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 36
apple iphone_os *
apple tvos *
apple watchos *
apple macos *
libtiff libtiff 4.3.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
CVE-2022-1623 MEDIUM

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
fedoraproject fedora 36
libtiff libtiff 4.3.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-1652 HIGH

Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 9.0
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-1664 HIGH

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian dpkg *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2022-1671

A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-1678 MEDIUM

An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@openanolis.org 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-911,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp element_software -
netapp h300e_firmware -
netapp hci_management_node -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp cloud_volumes_ontap_mediator -
netapp h700s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
linux linux_kernel *
netapp storagegrid -
netapp solidfire -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-1679 HIGH

A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
linux linux_kernel *
linux linux_kernel 5.18
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-1729

A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
linux linux_kernel 5.18
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2022-1734 MEDIUM

A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
linux linux_kernel 5.18
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2022-1786 HIGH

A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-843,CWE-416,CWE-843,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-1882 HIGH

A use-after-free flaw was found in the Linux kernel’s pipes functionality in how a user performs manipulations with the pipe post_one_notification() after free_pipe_info() that is already called. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-1973

A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-1998 HIGH

A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 9.0
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-2047 MEDIUM

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_&_hci_storage_node -
netapp element_plug-in_for_vcenter_server -
netapp management_services_for_element_software_and_netapp_hci -
netapp hci_compute_node -
netapp snapcenter -
debian debian_linux 11.0
eclipse jetty *
CVE-2022-2048 MEDIUM

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-410,CWE-664,NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp solidfire_&_hci_storage_node -
netapp element_plug-in_for_vcenter_server -
jenkins jenkins *
netapp management_services_for_element_software_and_netapp_hci -
netapp hci_compute_node -
netapp snapcenter -
debian debian_linux 11.0
eclipse jetty *
CVE-2022-2056 MEDIUM

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 35
libtiff libtiff 4.4.0
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-2057 MEDIUM

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 35
libtiff libtiff 4.4.0
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-2058 MEDIUM

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 35
libtiff libtiff 4.4.0
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-2068 HIGH

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
fedoraproject fedora 36
netapp ontap_select_deploy_administration_utility -
netapp fas_a400_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
siemens sinec_ins 1.0
netapp fas_8300_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp h615c_firmware -
siemens sinec_ins *
netapp solidfire -
netapp snapmanager -
netapp ontap_antivirus_connector -
netapp h610c_firmware -
netapp fas_8700_firmware -
netapp aff_a400_firmware -
openssl openssl *
debian debian_linux 10.0
netapp h610s_firmware -
netapp aff_8700_firmware -
netapp hci_management_node -
netapp aff_8300_firmware -
netapp santricity_smi-s_provider -
netapp bootstrap_os -
netapp smi-s_provider -
fedoraproject fedora 35
broadcom sannav -
CVE-2022-2097 MEDIUM

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
netapp h300s_firmware -
openssl openssl *
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
siemens sinec_ins 1.0
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
siemens sinec_ins *
fedoraproject fedora 35
netapp clustered_data_ontap_antivirus_connector -
CVE-2022-21151 LOW

Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
intel core_i7-6650u_firmware -
intel celeron_n3350_firmware -
intel pentium_silver_n6000_firmware -
intel core_i7-9700k_firmware -
intel celeron_j3355_firmware -
intel core_i7-8709g_firmware -
intel core_m7-6y75_firmware -
intel xeon_gold_6348_firmware -
intel xeon_platinum_8356h_firmware -
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel core_i5-1030g4_firmware -
intel core_i7-8700k_firmware -
intel core_i7-9700e_firmware -
intel core_i3-6100u_firmware -
intel core_i7-10870h_firmware -
intel core_i5-8400h_firmware -
intel celeron_n2805_firmware -
intel core_i7-6820hk_firmware -
intel core_i5-8600_firmware -
intel core_i5-6500_firmware -
intel core_i3-10305_firmware -
intel core_i7-6660u_firmware -
intel celeron_n2807_firmware -
intel core_i7-7500u_firmware -
intel core_i3-8145ue_firmware -
intel core_i7-1060g7_firmware -
intel core_i5-6500te_firmware -
intel xeon_platinum_8380h_firmware -
intel core_i5-8200y_firmware -
intel core_i7-6700t_firmware -
intel core_i5-1038ng7_firmware -
intel core_i5-1030g7_firmware -
intel pentium_silver_j5040_firmware -
intel core_i9-10900k_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel celeron_n4000_firmware -
intel xeon_platinum_8358p_firmware -
intel core_i3-7101te_firmware -
intel core_i5-8279u_firmware -
intel core_i3-6098p_firmware -
intel xeon_platinum_8362_firmware -
intel celeron_n3010_firmware -
intel core_i7-8809g_firmware -
intel core_i3-9100hl_firmware -
intel xeon_gold_5318h_firmware -
intel xeon_gold_5318y_firmware -
intel core_i5-6260u_firmware -
intel core_i9-9980hk_firmware -
intel core_i5-8365u_firmware -
intel core_i3-1000g1_firmware -
intel celeron_n4500_firmware -
intel core_i3-8140u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-9500te_firmware -
intel xeon_gold_6338t_firmware -
intel core_i3-9100_firmware -
intel xeon_platinum_8352y_firmware -
intel core_i5-10600k_firmware -
intel core_i7-6700_firmware -
intel celeron_j1900_firmware -
intel core_i7-6700te_firmware -
intel core_i5-6442eq_firmware -
intel core_i7-10850h_firmware -
intel xeon_platinum_8352v_firmware -
intel core_i3-6006u_firmware -
intel core_i5-8600k_firmware -
intel pentium_silver_j5005_firmware -
intel core_i3-7300_firmware -
intel celeron_j3455e_firmware -
intel celeron_n3150_firmware -
intel xeon_gold_6338_firmware -
intel xeon_gold_6348h_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel core_i3-6100t_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel core_i5-9600k_firmware -
intel xeon_platinum_8360y_firmware -
intel core_i5-10310y_firmware -
intel core_i9-9900_firmware -
intel core_i5-7267u_firmware -
intel xeon_gold_5318n_firmware -
intel core_i7-7820hq_firmware -
intel core_i5-10210u_firmware -
intel core_i3-7020u_firmware -
intel xeon_platinum_8358_firmware -
intel core_i7-8086k_firmware -
intel core_i5-6267u_firmware -
intel core_i5-1035g7_firmware -
intel core_i9-10900e_firmware -
intel core_i5-7y54_firmware -
intel core_i7-9850h_firmware -
intel core_i7-8665ue_firmware -
intel celeron_j6413_firmware -
intel core_i7-8550u_firmware -
intel core_i5-8305g_firmware -
intel core_i3-7100_firmware -
intel core_i7-9700f_firmware -
intel core_i3-8130u_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel celeron_j3060_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel core_i7-6870hq_firmware -
intel core_i5-9500e_firmware -
intel celeron_j3355e_firmware -
intel core_i7-6785r_firmware -
intel core_i5-7600k_firmware -
intel core_i3-6102e_firmware -
intel core_i7-7700_firmware -
intel core_i7-9750hf_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel celeron_n5105_firmware -
intel core_i5-6500t_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel core_i7-10700f_firmware -
intel core_i5-7442eq_firmware -
intel core_i5-7y57_firmware -
intel core_i5-6350hq_firmware -
intel xeon_gold_5318s_firmware -
intel core_i5-8500t_firmware -
intel core_i7-1068ng7_firmware -
intel core_i3-10105_firmware -
intel celeron_n2810_firmware -
intel core_i7-9700te_firmware -
intel core_i3-6320_firmware -
intel celeron_n2808_firmware -
intel xeon_gold_5320h_firmware -
intel core_i3-9300t_firmware -
intel celeron_n2815_firmware -
intel core_i3-1005g1_firmware -
intel core_i7-10875h_firmware -
intel core_i3-9100te_firmware -
intel core_i7+8700_firmware -
intel core_i7-6820hq_firmware -
intel core_m3-6y30_firmware -
intel celeron_j4105_firmware -
intel celeron_n5100_firmware -
intel core_i7-10700e_firmware -
intel core_i9-10900te_firmware -
intel core_i5-9600kf_firmware -
intel xeon_silver_4309y_firmware -
intel core_i7-9750h_firmware -
intel celeron_n3050_firmware -
intel core_i5-6600t_firmware -
intel core_i5-9400h_firmware -
intel core_i3-7100t_firmware -
intel xeon_gold_6330_firmware -
intel celeron_n2820_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel core_i5-6440eq_firmware -
intel core_i3-8100h_firmware -
intel celeron_j4125_firmware -
intel pentium_silver_n5030_firmware -
intel core_i7-6822eq_firmware -
intel core_i3-10305t_firmware -
intel core_i7-7820hk_firmware -
intel core_i7-6500u_firmware -
intel core_i5-7300u_firmware -
intel core_i5-10500e_firmware -
intel core_m3-7y30_firmware -
intel xeon_gold_6326_firmware -
intel core_i5-10600kf_firmware -
intel core_i3-6157u_firmware -
intel core_i7-9850he_firmware -
intel core_i7-10810u_firmware -
intel celeron_n3060_firmware -
intel core_i3-8109u_firmware -
intel core_i3-7350k_firmware -
intel core_i7-8850h_firmware -
intel xeon_silver_4314_firmware -
intel celeron_n2910_firmware -
intel xeon_gold_6346_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel core_i5-6300hq_firmware -
intel celeron_n2930_firmware -
intel core_i5-7200u_firmware -
intel core_i5-6585r_firmware -
intel core_i9-8950hk_firmware -
intel core_i5-9300hf_firmware -
intel core_i3-6100h_firmware -
intel core_i5-6600_firmware -
intel core_i5-6402p_firmware -
intel core_i5-7300hq_firmware -
intel core_i7-1065g7_firmware -
intel core_i7-6700hq_firmware -
intel celeron_n2840_firmware -
intel core_i7-8569u_firmware -
intel xeon_gold_6312u_firmware -
intel xeon_platinum_8354h_firmware -
intel xeon_platinum_8380_firmware -
intel core_i5-1035g1_firmware -
intel core_i3-9100f_firmware -
intel celeron_j1800_firmware -
intel core_i5-7500_firmware -
intel celeron_n6211_firmware -
intel core_i3-10100y_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel xeon_platinum_8376h_firmware -
intel core_i5-6440hq_firmware -
intel celeron_j3160_firmware -
intel celeron_n2940_firmware -
intel core_i7-6820eq_firmware -
intel core_i3-9100e_firmware -
intel core_i7-10700te_firmware -
intel xeon_platinum_8380hl_firmware -
intel core_i7-6600u_firmware -
intel celeron_n3350e_firmware -
intel xeon_gold_5320t_firmware -
intel core_i9-10900t_firmware -
intel celeron_n2806_firmware -
intel celeron_j4005_firmware -
intel xeon_platinum_8352m_firmware -
intel core_i5-10600t_firmware -
intel celeron_j6412_firmware -
intel core_i3-10105t_firmware -
intel xeon_gold_6330h_firmware -
intel core_i7-10710u_firmware -
intel core_i9-9880h_firmware -
intel core_i3-10100t_firmware -
intel celeron_j1750_firmware -
intel xeon_gold_6336y_firmware -
intel core_i9-9900kf_firmware -
intel core_i5-8400t_firmware -
intel celeron_n4100_firmware -
intel xeon_silver_4316_firmware -
intel core_m3-8100y_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i3-10100f_firmware -
intel core_i3-10300_firmware -
intel core_i3-6300t_firmware -
intel core_i9-9900ks_firmware -
intel xeon_gold_6334_firmware -
intel core_i3-6100_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6600k_firmware -
intel core_i7-10700kf_firmware -
intel xeon_platinum_8360hl_firmware -
intel core_m3-7y32_firmware -
intel core_i5-7287u_firmware -
intel core_i7-7700hq_firmware -
intel celeron_n4505_firmware -
intel core_i7-6920hq_firmware -
intel core_i5-8250u_firmware -
intel core_i7-6700k_firmware -
intel xeon_gold_6342_firmware -
intel core_i9-10980hk_firmware -
intel core_i3-9100t_firmware -
intel xeon_gold_6330n_firmware -
intel core_i7-8700_firmware -
intel core_i5-7260u_firmware -
intel celeron_n2830_firmware -
intel xeon_platinum_8368q_firmware -
intel core_i3-7320_firmware -
intel xeon_platinum_8353h_firmware -
intel celeron_n3160_firmware -
intel xeon_platinum_8351n_firmware -
debian debian_linux 10.0
intel core_i5-8400b_firmware -
intel core_i5-10500te_firmware -
intel core_m5-6y57_firmware -
intel core_i5-10500h_firmware -
intel xeon_gold_5315y_firmware -
intel core_i7-7700t_firmware -
intel core_i3-10300t_firmware -
intel xeon_platinum_8368_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel core_i3-8350k_firmware -
intel core_i3-6100te_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel core_i7-8559u_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel core_i7-7567u_firmware -
intel core_i5-6400_firmware -
intel core_i9-10885h_firmware -
intel xeon_platinum_8360h_firmware -
intel core_i5-7500t_firmware -
intel core_i7-7y75_firmware -
intel core_i7-8650u_firmware -
intel core_i5-8210y_firmware -
intel core_i7-6770hq_firmware -
intel core_i5-10310u_firmware -
intel core_i5-6287u_firmware -
intel celeron_j4025_firmware -
intel xeon_gold_6328hl_firmware -
netapp fas_bios -
intel core_i3-10100te_firmware -
intel core_i5-8265u_firmware -
intel celeron_n3000_firmware -
intel core_i7-8700t_firmware -
intel core_i9-10900_firmware -
intel core_i3-6167u_firmware -
intel core_i7-9700_firmware -
intel core_i5-6685r_firmware -
intel core_i5-8269u_firmware -
intel celeron_n2920_firmware -
intel celeron_j3455_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i5-6360u_firmware -
intel core_i3-7130u_firmware -
intel core_i5-10400t_firmware -
intel core_i7-8500y_firmware -
intel core_i5-6200u_firmware -
intel core_i5-8365ue_firmware -
intel core_i5-9300h_firmware -
intel core_i3-7100h_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_gold_5317_firmware -
intel core_i5-7440hq_firmware -
intel xeon_platinum_8376hl_firmware -
intel core_i5-7360u_firmware -
intel core_i3-6300_firmware -
intel core_i5-10400f_firmware -
intel core_i7-6560u_firmware -
intel celeron_n3450_firmware -
intel core_i7-7660u_firmware -
intel core_i5-8500_firmware -
intel core_i7-8705g_firmware -
intel core_i7-9850hl_firmware -
intel core_i3-7300t_firmware -
intel core_i7-7920hq_firmware -
intel core_i3-7100e_firmware -
intel core_i7-8665u_firmware -
intel pentium_silver_n5000_firmware -
intel core_i9-10900kf_firmware -
intel celeron_n6210_firmware -
intel core_i5-10400h_firmware -
intel xeon_gold_6328h_firmware -
intel xeon_gold_5320_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel core_i5-7400t_firmware -
intel core_i5-9600_firmware -
intel celeron_n4020_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel pentium_silver_n6005_firmware -
intel core_i5-8400_firmware -
intel xeon_silver_4310t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel core_i7-8700b_firmware -
intel core_i5-7400_firmware -
intel xeon_silver_4310_firmware -
intel core_i5-7600t_firmware -
intel core_i5-7440eq_firmware -
intel core_i5-6300u_firmware -
intel celeron_n4120_firmware -
intel core_i3-10110u_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
debian debian_linux 11.0
intel core_i3-8145u_firmware -
intel core_i7-6970hq_firmware -
intel core_i3-8100t_firmware -
intel xeon_gold_6314u_firmware -
intel core_m5-6y54_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel xeon_gold_6354_firmware -
intel core_i5-6400t_firmware -
intel core_i5-8310y_firmware -
intel core_i3-6100e_firmware -
intel core_i3-8300t_firmware -
intel celeron_j1850_firmware -
intel core_i7-7560u_firmware -
intel core_i3-10100e_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel xeon_platinum_8352s_firmware -
intel core_i5-10600_firmware -
intel xeon_gold_6338n_firmware -
CVE-2022-21245 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21248 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
fedoraproject fedora 35
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21249 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21253 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21254 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21256 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21264 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21265 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L 1.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21270 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21271 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
oracle http_server 12.2.1.4.0
netapp cloud_insights_acquisition_unit -
oracle jdk 1.7.0
oracle jdk 11.0.13
oracle jre 1.7.0
oracle solaris 11
oracle jre 1.8.0
netapp solidfire -
netapp snapmanager -
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
oracle zfs_storage_appliance_kit 8.8
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle http_server 12.2.1.3.0
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21277 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
debian debian_linux 11.0
oracle jdk 17.0.1
oracle jdk 11.0.13
netapp cloud_insights -
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21278 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21279 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21280 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21282 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
netapp cloud_insights -
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21283 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
netapp cloud_insights -
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21284 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21285 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21286 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21287 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21288 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21289 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21290 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21291 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21293 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21294 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21296 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21297 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21299 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21301 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21302 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21303 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21304 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21305 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21307 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21308 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21309 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21310 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21311 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21312 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21313 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21314 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21315 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21316 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.3 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21317 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21318 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.3 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21319 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21320 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21321 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21322 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
netapp snapcenter -
CVE-2022-21323 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21324 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21325 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21326 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21327 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21328 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21329 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21330 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21331 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21332 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21333 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21334 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21335 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21336 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21337 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21339 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle mysql *
netapp snapcenter -
CVE-2022-21340 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21341 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21342 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21344 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21348 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21349 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
netapp santricity_unified_manager -
oracle jdk 1.8.0
netapp hci_management_node -
oracle jdk 1.7.0
netapp oncommand_insight -
oracle graalvm 21.3.0
netapp e-series_santricity_web_services -
oracle openjdk 7
oracle openjdk 8
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
netapp cloud_insights -
oracle jre 1.7.0
oracle jre 1.8.0
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
oracle graalvm 20.3.4
CVE-2022-21351 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21352 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H 0.7 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21355 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21356 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21357 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21358 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21360 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21362 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21365 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
oracle jdk 1.7.0
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle jdk 17.0.1
oracle jdk 11.0.13
oracle jre 1.7.0
oracle jre 1.8.0
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
debian debian_linux 9.0
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21366 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp cloud_insights_acquisition_unit -
oracle openjdk 17.0.1
debian debian_linux 11.0
oracle jdk 17.0.1
oracle jdk 11.0.13
netapp santricity_storage_plugin -
oracle openjdk 17
netapp solidfire -
netapp snapmanager -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
netapp santricity_unified_manager -
oracle jre 17.0.1
netapp hci_management_node -
netapp oncommand_insight -
oracle graalvm 21.3.0
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jre 11.0.13
oracle graalvm 20.3.4
CVE-2022-21367 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21368 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21370 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21372 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21374 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21378 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21379 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
CVE-2022-21380 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
CVE-2022-21412 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21413 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21414 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21415 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21417 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21418 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H 0.7 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21423 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21425 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21426 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
azul zulu 8.60
oracle jdk 17.0.2
azul zulu 11.54
netapp cloud_insights_acquisition_unit -
netapp solidfire_&_hci_management_node -
oracle jre 17.0.2
oracle jdk 1.7.0
oracle jdk 11.0.14
azul zulu 15.38
debian debian_linux 11.0
oracle jre 1.7.0
oracle jre 1.8.0
oracle graalvm 22.0.0.2
debian debian_linux 9.0
oracle graalvm 21.3.1
azul zulu 7.52
oracle jre 11.0.14
debian debian_linux 10.0
azul zulu 6.45
netapp santricity_unified_manager -
netapp hci_compute_node_firmware -
oracle jdk 1.8.0
azul zulu 17.32
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle jdk 18
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
azul zulu 13.46
oracle jre 18
azul zulu 18.28
oracle graalvm 20.3.5
CVE-2022-21427 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
debian debian_linux 10.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21434 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
azul zulu 8.60
oracle jdk 17.0.2
azul zulu 11.54
netapp cloud_insights_acquisition_unit -
netapp solidfire_&_hci_management_node -
oracle jre 17.0.2
oracle jdk 1.7.0
oracle jdk 11.0.14
azul zulu 15.38
debian debian_linux 11.0
oracle jre 1.7.0
oracle jre 1.8.0
oracle graalvm 22.0.0.2
debian debian_linux 9.0
oracle graalvm 21.3.1
azul zulu 7.52
oracle jre 11.0.14
debian debian_linux 10.0
azul zulu 6.45
netapp santricity_unified_manager -
netapp hci_compute_node_firmware -
oracle jdk 1.8.0
azul zulu 17.32
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle jdk 18
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
azul zulu 13.46
oracle jre 18
azul zulu 18.28
oracle graalvm 20.3.5
CVE-2022-21435 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21436 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21437 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21438 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21440 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21443 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
azul zulu 8.60
oracle java_se 11.0.14
azul zulu 11.54
netapp cloud_insights_acquisition_unit -
oracle java_se 8u321
oracle java_se 7u331
azul zulu 15.38
debian debian_linux 11.0
netapp solidfire -
oracle java_se 17.0.2
oracle graalvm 22.0.0.2
debian debian_linux 9.0
oracle graalvm 21.3.1
oracle java_se 18
azul zulu 7.52
debian debian_linux 10.0
azul zulu 6.45
netapp santricity_unified_manager -
netapp hci_management_node -
azul zulu 17.32
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp bootstrap_os -
netapp e-series_santricity_storage_manager -
azul zulu 13.46
azul zulu 18.28
oracle graalvm 20.3.5
CVE-2022-21444 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21449 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 17.0.2
netapp santricity_unified_manager -
netapp solidfire_&_hci_management_node -
azul zulu 17.32
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp e-series_santricity_web_services -
azul zulu 15.38
netapp solidfire,_enterprise_sds_&_hci_storage_node -
debian debian_linux 11.0
oracle jdk 18
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
netapp cloud_insights -
azul zulu 18.28
netapp e-series_santricity_os_controller 11.0
netapp hci_compute_node -
oracle graalvm 22.0.0.2
oracle graalvm 21.3.1
CVE-2022-21451 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21452 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21454 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21455

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21457 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21459 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21460 LOW

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.7 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21462 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21476 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
azul zulu 8.60
oracle jdk 17.0.2
azul zulu 11.54
netapp cloud_insights_acquisition_unit -
oracle jdk 11.0.14
azul zulu 15.38
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
netapp solidfire -
oracle graalvm 22.0.0.2
debian debian_linux 9.0
oracle graalvm 21.3.1
azul zulu 7.52
debian debian_linux 10.0
netapp santricity_unified_manager -
netapp hci_management_node -
azul zulu 17.32
netapp oncommand_insight -
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
oracle jdk 18
netapp bootstrap_os -
netapp e-series_santricity_storage_manager -
azul zulu 13.46
oracle openjdk 18
oracle jdk 8.0
oracle graalvm 20.3.5
oracle jdk 7.0
CVE-2022-21478 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21479 MEDIUM

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H 1.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21482 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21483 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21484 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21485 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21486 LOW

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.9 LOW CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.4 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21489 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2022-21490 MEDIUM

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21496 MEDIUM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp element_software -
azul zulu 8.60
oracle java_se 11.0.14
azul zulu 11.54
netapp cloud_insights_acquisition_unit -
oracle java_se 8u321
oracle java_se 7u331
azul zulu 15.38
netapp solidfire -
oracle java_se 17.0.2
oracle graalvm 22.0.0.2
debian debian_linux 9.0
oracle graalvm 21.3.1
oracle java_se 18
azul zulu 7.52
azul zulu 6.45
netapp santricity_unified_manager -
netapp hci_management_node -
azul zulu 17.32
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp e-series_santricity_web_services -
netapp bootstrap_os -
netapp e-series_santricity_storage_manager -
azul zulu 13.46
azul zulu 18.28
oracle graalvm 20.3.5
CVE-2022-21509

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21515

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.38 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21517

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21519

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Cluster. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21522

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21525

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21526

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21527

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21528

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21529

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21530

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21531

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21534

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21537

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle mysql_server *
fedoraproject fedora 35
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21538

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 1.6 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21539

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.6 3.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21540

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
oracle jdk 17.0.3.1
azul zulu 8.62
fedoraproject fedora 36
netapp cloud_insights_acquisition_unit -
azul zulu 13.48
oracle jdk 1.7.0
oracle jre 18.0.1.1
oracle graalvm 21.3.2
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle graalvm 20.3.6
oracle jdk 11.0.15.1
oracle jdk 18.0.1.1
oracle jre 1.7.0
oracle jre 1.8.0
oracle jre 11.0.15.1
azul zulu 18.30
netapp solidfire -
azul zulu 11.56
debian debian_linux 10.0
azul zulu 17.34
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
azul zulu 15.40
oracle jre 17.0.3.1
netapp 7-mode_transition_tool -
oracle graalvm 22.1.0
oracle openjdk 18
azul zulu 6.47
netapp hci_compute_node -
azul zulu 7.54
CVE-2022-21541

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
oracle jdk 17.0.3.1
azul zulu 8.62
fedoraproject fedora 36
netapp cloud_insights_acquisition_unit -
azul zulu 13.48
oracle jdk 1.7.0
oracle jre 18.0.1.1
oracle graalvm 21.3.2
debian debian_linux 11.0
oracle openjdk 7
oracle openjdk 8
oracle graalvm 20.3.6
oracle jdk 11.0.15.1
oracle jdk 18.0.1.1
oracle jre 1.7.0
oracle jre 1.8.0
oracle jre 11.0.15.1
azul zulu 18.30
netapp solidfire -
azul zulu 11.56
debian debian_linux 10.0
azul zulu 17.34
oracle jdk 1.8.0
netapp hci_management_node -
netapp oncommand_insight -
oracle openjdk *
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
azul zulu 15.40
oracle jre 17.0.3.1
netapp 7-mode_transition_tool -
oracle graalvm 22.1.0
oracle openjdk 18
netapp hci_compute_node -
azul zulu 7.54
CVE-2022-21547

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21549

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
oracle jdk 17.0.3.1
fedoraproject fedora 36
azul zulu 17.34
netapp cloud_insights_acquisition_unit -
netapp hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle graalvm 21.3.2
netapp cloud_secure_agent -
debian debian_linux 11.0
oracle jre 17.0.3.1
netapp 7-mode_transition_tool -
fedoraproject fedora 35
netapp solidfire -
oracle graalvm 22.1.0
netapp hci_compute_node -
CVE-2022-21550

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.36 and prior, 7.5.26 and prior, 7.6.22 and prior and and 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 0.4 5.9

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_cluster *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21553

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21556

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21569

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2022-21589

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.39 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation *
netapp oncommand_insight -
oracle mysql *
CVE-2022-21592

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.39 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21594

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21595

Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
mariadb mariadb *
netapp oncommand_insight -
oracle mysql *
CVE-2022-21599

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21600

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21604

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21605

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21607

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21608

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21611

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.5 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21617

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21618

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp oncommand_workflow_automation -
fedoraproject fedora 36
oracle jre 19
azul zulu 17.36
netapp e-series_santricity_unified_manager -
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
oracle jre 17.0.4.1
netapp oncommand_insight -
netapp cloud_secure_agent -
azul zulu 19.28
azul zulu 11.58
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle graalvm 21.3.3
oracle jdk 17.0.4.1
netapp santricity_storage_plugin -
azul zulu 15.42
oracle jdk 19
azul zulu 13.50
fedoraproject fedora 35
CVE-2022-21619

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 36
oracle jre 19
oracle jdk 11.0.16.1
oracle jre 11.0.16.1
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
azul zulu 11.58
oracle graalvm 21.3.3
azul zulu 8.64
oracle jre 1.8.0
netapp santricity_storage_plugin -
netapp santricity_web_services_proxy -
oracle graalvm 20.3.7
netapp oncommand_workflow_automation -
azul zulu 17.36
netapp e-series_santricity_unified_manager -
oracle jre 17.0.4.1
netapp e-series_santricity_os_controller 11.70.2
oracle jdk 1.8.0
netapp oncommand_insight -
azul zulu 7.56
netapp cloud_secure_agent -
azul zulu 19.28
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jdk 17.0.4.1
azul zulu 15.42
oracle jdk 19
azul zulu 13.50
fedoraproject fedora 35
CVE-2022-21624

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 36
oracle jre 19
oracle jdk 11.0.16.1
oracle jre 11.0.16.1
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
azul zulu 11.58
oracle graalvm 21.3.3
azul zulu 8.64
oracle jre 1.8.0
netapp santricity_storage_plugin -
netapp santricity_web_services_proxy -
oracle graalvm 20.3.7
netapp oncommand_workflow_automation -
azul zulu 17.36
netapp e-series_santricity_unified_manager -
oracle jre 17.0.4.1
oracle jdk 1.8.0
netapp oncommand_insight -
azul zulu 7.56
netapp cloud_secure_agent -
azul zulu 19.28
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jdk 17.0.4.1
azul zulu 15.42
oracle jdk 19
azul zulu 13.50
fedoraproject fedora 35
azul zulu 6.49
CVE-2022-21625

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21626

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 36
oracle jdk 11.0.16.1
oracle jre 11.0.16.1
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
azul zulu 11.58
oracle graalvm 21.3.3
azul zulu 8.64
oracle jre 1.8.0
netapp santricity_storage_plugin -
netapp santricity_web_services_proxy -
oracle graalvm 20.3.7
netapp oncommand_workflow_automation -
netapp e-series_santricity_unified_manager -
oracle jdk 1.8.0
netapp oncommand_insight -
azul zulu 7.56
netapp cloud_secure_agent -
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
azul zulu 15.42
azul zulu 13.50
fedoraproject fedora 35
azul zulu 6.49
CVE-2022-21628

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 36
oracle jre 19
oracle jdk 11.0.16.1
oracle jre 11.0.16.1
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
azul zulu 11.58
oracle graalvm 21.3.3
azul zulu 8.64
oracle jre 1.8.0
netapp santricity_storage_plugin -
netapp santricity_web_services_proxy -
oracle graalvm 20.3.7
netapp oncommand_workflow_automation -
azul zulu 17.36
netapp e-series_santricity_unified_manager -
oracle jre 17.0.4.1
oracle jdk 1.8.0
netapp oncommand_insight -
azul zulu 7.56
netapp cloud_secure_agent -
azul zulu 19.28
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jdk 17.0.4.1
azul zulu 15.42
oracle jdk 19
azul zulu 13.50
fedoraproject fedora 35
azul zulu 6.49
CVE-2022-21632

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21633

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21635

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21637

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation *
netapp oncommand_insight -
oracle mysql *
CVE-2022-21638

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21640

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21641

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-21702 LOW

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N 1.3 4.7
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer *
fedoraproject fedora 36
grafana grafana 2.0.0
fedoraproject fedora 35
grafana grafana *
fedoraproject fedora 34
CVE-2022-21703 MEDIUM

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer *
fedoraproject fedora 36
grafana grafana 3.0.0
fedoraproject fedora 35
grafana grafana *
fedoraproject fedora 34
CVE-2022-21713 LOW

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-863,CWE-639,

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer *
fedoraproject fedora 36
fedoraproject fedora 35
grafana grafana 5.0.0
grafana grafana *
fedoraproject fedora 34
CVE-2022-21824 MEDIUM

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-471,CWE-1321,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle mysql_enterprise_monitor *
oracle mysql_server *
oracle peoplesoft_enterprise_peopletools 8.59
netapp oncommand_insight -
netapp snapcenter -
debian debian_linux 11.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle mysql_workbench *
nodejs node.js *
oracle mysql_cluster *
oracle mysql_connectors *
CVE-2022-22576 MEDIUM

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-306,

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp bootstrap_os -
netapp clustered_data_ontap -
netapp solidfire_&_hci_storage_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
CVE-2022-2274 HIGH

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
openssl openssl 3.0.4
netapp snapcenter -
netapp h700s_firmware -
CVE-2022-22844 MEDIUM

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff 4.3.0
netapp ontap_select_deploy_administration_utility -
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2022-22968 MEDIUM

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-178,

Products Affected

Vendor Product Version
vmware spring_framework *
netapp metrocluster_tiebreaker -
oracle mysql_enterprise_monitor *
netapp snapmanager -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp snap_creator_framework -
CVE-2022-22970 LOW

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
vmware spring_framework *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
netapp brocade_san_navigator -
netapp oncommand_insight -
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
CVE-2022-22971 MEDIUM

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
vmware spring_framework *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
netapp oncommand_insight -
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
netapp cloud_secure_agent -
CVE-2022-22976 MEDIUM

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
vmware spring_security *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
netapp active_iq_unified_manager -
vmware spring_security 5.2.0
CVE-2022-22978 HIGH

In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
vmware spring_security *
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
netapp active_iq_unified_manager -
CVE-2022-2318 MEDIUM

There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
linux linux_kernel 5.19
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2022-23222 HIGH

kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-23232 MEDIUM

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2022-23233 MEDIUM

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2022-23234 LOW

SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,

Products Affected

Vendor Product Version
netapp snapcenter *
CVE-2022-23235

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
netapp active_iq_unified_manager 9.10
netapp active_iq_unified_manager *
CVE-2022-23236 LOW

E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2022-23237 MEDIUM

E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
CVE-2022-23238

Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2022-23239

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
netapp active_iq_unified_manager *
CVE-2022-23240

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
netapp active_iq_unified_manager *
CVE-2022-23241

Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.11.1
CVE-2022-23302 MEDIUM

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
oracle jdeveloper 12.2.1.3.0
oracle hyperion_infrastructure_technology *
oracle weblogic_server 12.2.1.3.0
oracle mysql_enterprise_monitor *
oracle communications_unified_inventory_management 7.4.1
oracle communications_network_integrity 7.3.6
oracle financial_services_revenue_management_and_billing_analytics 2.7.0.1
oracle communications_unified_inventory_management 7.4.2
oracle business_intelligence 12.2.1.3.0
oracle identity_management_suite 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
oracle financial_services_revenue_management_and_billing_analytics 2.8.0.0
oracle tuxedo 12.2.2.0.0
oracle communications_offline_mediation_controller 12.0.0.5.0
oracle weblogic_server 14.1.1.0.0
oracle business_process_management_suite 12.2.1.3.0
oracle advanced_supply_chain_planning 12.1
oracle advanced_supply_chain_planning 12.2
broadcom brocade_sannav -
netapp snapmanager -
oracle communications_offline_mediation_controller *
oracle financial_services_revenue_management_and_billing_analytics 2.7.0.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle middleware_common_libraries_and_tools 12.2.1.4.0
apache log4j *
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle e-business_suite_cloud_manager_and_cloud_backup_module *
oracle enterprise_manager_base_platform 13.4.0.0
oracle healthcare_foundation 8.1.0
oracle business_process_management_suite 12.2.1.4.0
oracle communications_messaging_server 8.1
oracle identity_manager_connector 11.1.1.5.0
oracle hyperion_data_relationship_management *
oracle communications_eagle_ftp_table_base_retrieval 4.5
oracle business_intelligence 5.9.0.0.0
qos reload4j *
oracle e-business_suite_cloud_manager_and_cloud_backup_module 2.2.1.1.1
oracle identity_management_suite 12.2.1.4.0
CVE-2022-23305 MEDIUM

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
oracle jdeveloper 12.2.1.3.0
oracle hyperion_infrastructure_technology *
oracle weblogic_server 12.2.1.3.0
oracle mysql_enterprise_monitor *
oracle communications_unified_inventory_management 7.4.1
oracle communications_network_integrity 7.3.6
oracle financial_services_revenue_management_and_billing_analytics 2.7.0.1
oracle communications_unified_inventory_management 7.4.2
oracle business_intelligence 12.2.1.3.0
oracle identity_management_suite 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
oracle financial_services_revenue_management_and_billing_analytics 2.8.0.0
oracle tuxedo 12.2.2.0.0
oracle communications_offline_mediation_controller 12.0.0.5.0
oracle weblogic_server 14.1.1.0.0
oracle business_process_management_suite 12.2.1.3.0
oracle advanced_supply_chain_planning 12.1
oracle advanced_supply_chain_planning 12.2
broadcom brocade_sannav -
netapp snapmanager -
oracle communications_offline_mediation_controller *
oracle financial_services_revenue_management_and_billing_analytics 2.7.0.0
oracle communications_instant_messaging_server 10.0.1.5.0
oracle e-business_suite_information_discovery *
oracle middleware_common_libraries_and_tools 12.2.1.4.0
apache log4j *
oracle weblogic_server 12.2.1.4.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle e-business_suite_cloud_manager_and_cloud_backup_module *
oracle enterprise_manager_base_platform 13.4.0.0
oracle healthcare_foundation 8.1.0
oracle business_process_management_suite 12.2.1.4.0
oracle communications_messaging_server 8.1
oracle identity_manager_connector 11.1.1.5.0
oracle hyperion_data_relationship_management *
oracle communications_eagle_ftp_table_base_retrieval 4.5
oracle retail_extract_transform_and_load 13.2.5
oracle business_intelligence 5.9.0.0.0
qos reload4j *
oracle e-business_suite_cloud_manager_and_cloud_backup_module 2.2.1.1.1
oracle identity_management_suite 12.2.1.4.0
CVE-2022-23308 MEDIUM

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp manageability_software_development_kit -
netapp solidfire_&_hci_management_node -
apple macos *
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
oracle communications_cloud_native_core_network_function_cloud_native_environment 22.1.0
netapp h700s_firmware -
netapp h410s_firmware -
apple iphone_os *
apple tvos *
xmlsoft libxml2 *
netapp snapmanager -
debian debian_linux 9.0
oracle communications_cloud_native_core_unified_data_repository 22.2.0
oracle communications_cloud_native_core_network_repository_function 22.2.0
oracle communications_cloud_native_core_binding_support_function 22.2.0
oracle zfs_storage_appliance_kit 8.8
apple watchos *
apple mac_os_x 10.15.7
oracle communications_cloud_native_core_network_slice_selection_function 22.1.1
netapp active_iq_unified_manager -
fedoraproject fedora 34
netapp solidfire,_enterprise_sds_&_hci_storage_node -
oracle communications_cloud_native_core_network_repository_function 22.1.2
netapp bootstrap_os -
netapp smi-s_provider -
oracle mysql_workbench *
netapp clustered_data_ontap -
apple ipados *
netapp h700e_firmware -
netapp h500e_firmware -
apple mac_os_x *
netapp clustered_data_ontap_antivirus_connector -
CVE-2022-23437 HIGH

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-835,

Products Affected

Vendor Product Version
oracle ilearning 6.3
oracle retail_service_backbone 19.0.1
oracle retail_service_backbone 14.1.3.2
oracle retail_extract_transform_and_load 13.2.8
oracle agile_plm 9.3.6
oracle product_lifecycle_analytics 3.6.1
oracle health_sciences_information_manager 3.0.0.1
oracle financial_services_behavior_detection_platform 8.1.1.0
oracle retail_integration_bus 19.0.1
oracle retail_merchandising_system 19.0.1
oracle retail_financial_integration 14.1.3.2
oracle global_lifecycle_management_opatch *
oracle financial_services_enterprise_case_management 8.1.1.1
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle peoplesoft_enterprise_peopletools 8.58
oracle retail_integration_bus 15.0.3.1
oracle financial_services_behavior_detection_platform 8.1.1.1
oracle retail_bulk_data_integration 16.0.3.0
oracle retail_integration_bus 14.1.3.2
oracle communications_element_manager *
oracle retail_financial_integration 19.0.1
oracle retail_financial_integration 16.0.3
oracle retail_integration_bus 16.0.3
oracle financial_services_analytical_applications_infrastructure *
oracle financial_services_enterprise_case_management 8.0.8.1
oracle weblogic_server 12.2.1.3.0
oracle flexcube_universal_banking 12.4.0
oracle primavera_gateway *
oracle communications_asap 7.3
oracle agile_engineering_data_management 6.2.1.0
oracle global_lifecycle_management_nextgen_oui_framework *
oracle communications_session_route_manager *
oracle weblogic_server 14.1.1.0.0
oracle ilearning 6.2
oracle retail_financial_integration 15.0.3.1
oracle financial_services_enterprise_case_management 8.0.8.0
oracle financial_services_enterprise_case_management 8.0.7.2.0
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2
oracle banking_deposits_and_lines_of_credit_servicing 2.7
oracle banking_party_management 2.7.0
oracle health_sciences_information_manager *
netapp active_iq_unified_manager -
oracle retail_merchandising_system 16.0.3
oracle weblogic_server 12.2.1.4.0
oracle financial_services_behavior_detection_platform 8.1.2.0
oracle communications_session_report_manager *
oracle retail_service_backbone 16.0.3
oracle retail_service_backbone 15.0.3.1
oracle financial_services_behavior_detection_platform *
oracle financial_services_enterprise_case_management 8.1.1.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
apache xerces-j *
oracle financial_services_enterprise_case_management 8.0.7.1
CVE-2022-23457 HIGH

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
owasp enterprise_security_api *
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
netapp active_iq_unified_manager -
oracle weblogic_server 12.2.1.4.0
CVE-2022-23491

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N 2.3 4.0
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
certifi_project certifi *
netapp management_services_for_netapp_hci -
netapp management_services_for_element_software -
CVE-2022-23772 HIGH

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
netapp beegfs_csi_driver -
netapp storagegrid -
netapp kubernetes_monitoring_operator -
golang go *
debian debian_linux 9.0
CVE-2022-23773 MEDIUM

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-436,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
netapp beegfs_csi_driver -
netapp storagegrid -
netapp kubernetes_monitoring_operator -
golang go *
CVE-2022-23806 MEDIUM

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-252,

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
netapp beegfs_csi_driver -
netapp storagegrid -
netapp kubernetes_monitoring_operator -
golang go *
debian debian_linux 9.0
CVE-2022-23852 HIGH

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp clustered_data_ontap -
debian debian_linux 9.0
siemens sinema_remote_connect_server *
libexpat_project libexpat *
tenable nessus *
oracle communications_metasolv_solution 6.3.1
CVE-2022-23913 MEDIUM

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
apache activemq_artemis *
netapp active_iq_unified_manager -
CVE-2022-24122 MEDIUM

kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp baseboard_management_controller_h300s_firmware -
netapp baseboard_management_controller_h500e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp baseboard_management_controller_h300e_firmware -
netapp h410s_firmware -
netapp baseboard_management_controller_h700e_firmware -
netapp baseboard_management_controller_h700s_firmware -
linux linux_kernel *
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
fedoraproject fedora 35
netapp baseboard_management_controller_h410c_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-24407 MEDIUM

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
fedoraproject fedora 36
oracle communications_cloud_native_core_console 22.2.0
debian debian_linux 10.0
oracle communications_cloud_native_core_network_function_cloud_native_environment 22.2.0
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
fedoraproject fedora 34
oracle communications_cloud_native_core_security_edge_protection_proxy 22.1.1
debian debian_linux 11.0
cyrusimap cyrus-sasl *
fedoraproject fedora 35
debian debian_linux 9.0
CVE-2022-24675 MEDIUM

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
fedoraproject fedora 36
fedoraproject fedora 35
netapp kubernetes_monitoring_operator -
golang go *
fedoraproject fedora 34
CVE-2022-24735 MEDIUM

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 1.3 2.5
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
fedoraproject fedora 36
oracle communications_operations_monitor 4.3
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
redis redis 7.0
netapp management_services_for_element_software -
CVE-2022-24736 LOW

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 36
oracle communications_operations_monitor 4.3
redis redis *
fedoraproject fedora 35
netapp management_services_for_netapp_hci -
oracle communications_operations_monitor 4.4
fedoraproject fedora 34
oracle communications_operations_monitor 5.0
redis redis 7.0
netapp management_services_for_element_software -
CVE-2022-24785 MEDIUM

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-27,CWE-22,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
tenable tenable.sc *
fedoraproject fedora 35
momentjs moment *
netapp active_iq -
CVE-2022-24823 LOW

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-378,CWE-379,CWE-668,CWE-668,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
netapp active_iq_unified_manager -
netty netty *
netapp snapcenter -
CVE-2022-24891 MEDIUM

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
owasp enterprise_security_api *
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 14.1.1.0.0
netapp active_iq_unified_manager -
oracle weblogic_server 12.2.1.4.0
CVE-2022-24903 MEDIUM

Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-1284,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 35
netapp active_iq_unified_manager -
rsyslog rsyslog *
debian debian_linux 9.0
debian debian_linux 11.0
CVE-2022-24921 MEDIUM

regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
netapp astra_trident -
golang go *
debian debian_linux 9.0
CVE-2022-24958 MEDIUM

drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-763,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2022-25258 MEDIUM

An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2022-2526

A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
systemd_project systemd 240
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h700s_firmware -
CVE-2022-25265 MEDIUM

In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-913,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp baseboard_management_controller_firmware -
netapp h500s_firmware -
netapp h700e_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-25636 MEDIUM

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
netapp baseboard_management_controller_h300e -
oracle communications_cloud_native_core_binding_support_function 22.1.3
oracle communications_cloud_native_core_network_exposure_function 22.1.1
netapp baseboard_management_controller_h410c -
oracle communications_cloud_native_core_policy 22.2.0
netapp h300e -
netapp h700e -
netapp baseboard_management_controller_h700s -
debian debian_linux 11.0
netapp h700s -
netapp baseboard_management_controller_h500e -
netapp h410c -
netapp h500s -
netapp h410s -
netapp baseboard_management_controller_h300s -
netapp h300s -
linux linux_kernel *
netapp baseboard_management_controller_h410s -
netapp h500e -
netapp baseboard_management_controller_h500s -
netapp baseboard_management_controller_h700e -
CVE-2022-25647 MEDIUM

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
netapp active_iq_unified_manager -
oracle graalvm 21.3.2
debian debian_linux 11.0
oracle graalvm 20.3.6
oracle retail_order_broker 19.1
oracle graalvm 22.1.0
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
debian debian_linux 9.0
google gson *
oracle retail_order_broker 18.0
CVE-2022-25844 MEDIUM

The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1333,

Products Affected

Vendor Product Version
angularjs angular *
fedoraproject fedora 36
angularjs angularjs *
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
CVE-2022-26336 MEDIUM

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-770,CWE-770,

Products Affected

Vendor Product Version
apache poi *
netapp active_iq_unified_manager -
CVE-2022-26377 MEDIUM

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-26488 MEDIUM

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-426,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
python python *
netapp active_iq_unified_manager -
python python 3.11.0
CVE-2022-26490 MEDIUM

st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2022-26966 LOW

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp active_iq_unified_manager -
netapp h500e_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2022-27223 MEDIUM

In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp active_iq_unified_manager -
netapp h500e_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2022-2764

A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
redhat integration_camel_k -
redhat jboss_enterprise_application_platform 7.0.0
redhat single_sign-on 7.0
redhat jboss_fuse 7.0.0
netapp oncommand_insight -
redhat undertow *
redhat undertow 2.3.0
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
CVE-2022-27666 MEDIUM

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
redhat virtualization 4.0
linux linux_kernel 5.17
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
debian debian_linux 9.0
CVE-2022-27774 LOW

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_storage_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
CVE-2022-27775 MEDIUM

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_storage_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
CVE-2022-27776 MEDIUM

A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
fedoraproject fedora 37
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_storage_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
brocade fabric_operating_system -
CVE-2022-27778 MEDIUM

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-706,CWE-706,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp oncommand_workflow_automation -
haxx curl 7.83.0
netapp hci_compute_node_firmware -
oracle mysql_server *
netapp bh500s_firmware -
netapp solidfire_&_hci_management_node -
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
netapp h700s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-27779 MEDIUM

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-201,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp hci_compute_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-27780 MEDIUM

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-177,CWE-918,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
CVE-2022-27781 MEDIUM

libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-835,

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp hci_compute_node -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-28131

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 35
golang go *
netapp cloud_insights_telegraf -
CVE-2022-28388 LOW

usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.

CVSS 2.0

Severity: LOW

Problem Type: CWE-415,CWE-415,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-28389 LOW

mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.

CVSS 2.0

Severity: LOW

Problem Type: CWE-415,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-28390 MEDIUM

ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
netapp hci_baseboard_management_controller h700e
netapp hci_baseboard_management_controller h300e
netapp hci_baseboard_management_controller h300s
fedoraproject fedora 34
debian debian_linux 11.0
netapp hci_baseboard_management_controller h500s
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
fedoraproject fedora 35
netapp hci_baseboard_management_controller h500e
debian debian_linux 9.0
netapp hci_baseboard_management_controller h410s
CVE-2022-28614 MEDIUM

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-200,CWE-190,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-28615 MEDIUM

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-2873

An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
netapp h300s_firmware -
redhat enterprise_linux 9.0
fedoraproject fedora 36
linux linux_kernel 5.19
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
redhat enterprise_linux 7.0
linux linux_kernel *
CVE-2022-28734

Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
gnu grub2 *
netapp active_iq_unified_manager -
CVE-2022-28796 MEDIUM

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 7.0
linux linux_kernel *
fedoraproject fedora 35
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-28893 HIGH

The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel *
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-28948 MEDIUM

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
netapp astra_trident -
yaml_project yaml 3.0.0
CVE-2022-29155 HIGH

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
debian debian_linux 11.0
openldap openldap *
CVE-2022-29156 HIGH

drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h300e_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700e_firmware -
netapp h410c_firmware -
netapp h500e_firmware -
netapp h700s_firmware -
CVE-2022-29244 MEDIUM

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
npmjs npm *
CVE-2022-2938

A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-29404 MEDIUM

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-29526 MEDIUM

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp beegfs_csi_driver -
fedoraproject fedora 35
golang go *
CVE-2022-2953

LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libtiff libtiff *
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-29581 HIGH

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-911,NVD-CWE-Other,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h300e_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 22.04
canonical ubuntu_linux 14.04
netapp h700e_firmware -
netapp h500e_firmware -
CVE-2022-2961

A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
linux linux_kernel *
linux linux_kernel 6.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-2964

A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 7.0
redhat enterprise_linux 9.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-29824 MEDIUM

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
oracle zfs_storage_appliance_kit 8.8
netapp manageability_software_development_kit -
netapp solidfire_&_hci_management_node -
netapp snapdrive -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp smi-s_provider -
xmlsoft libxslt *
netapp clustered_data_ontap -
xmlsoft libxml2 *
fedoraproject fedora 35
netapp snapmanager -
debian debian_linux 9.0
netapp clustered_data_ontap_antivirus_connector -
CVE-2022-29968 MEDIUM

An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-909,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
linux linux_kernel *
netapp solidfire_&_hci_management_node -
fedoraproject fedora 35
netapp h500s_firmware -
netapp h410c_firmware -
fedoraproject fedora 34
netapp h700s_firmware -
CVE-2022-30115 MEDIUM

Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-325,CWE-319,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
netapp hci_bootstrap_os -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
CVE-2022-30522 MEDIUM

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-789,CWE-770,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server 2.4.53
fedoraproject fedora 35
CVE-2022-30556 MEDIUM

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-30594 MEDIUM

The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
netapp 8700_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp solidfire,_enterprise_sds_&_hci_storage_node -
netapp h700s_firmware -
netapp h410s_firmware -
netapp a400_firmware -
linux linux_kernel *
netapp 8300_firmware -
netapp hci_compute_node -
debian debian_linux 9.0
CVE-2022-30614

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to a denial of service via email flooding caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available CPU resources. IBM X-Force ID: 227591.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2022-30634

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp cloud_insights_telegraf_agent -
golang go *
CVE-2022-31097

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
grafana grafana *
CVE-2022-31107

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.1 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L 1.6 5.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
grafana grafana *
CVE-2022-31123

Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.

Products Affected

Vendor Product Version
netapp e-series_performance_analyzer -
grafana grafana *
CVE-2022-31160

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 37
jqueryui jquery_ui *
netapp oncommand_insight -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 35
drupal jquery_ui_checkboxradio 8.x-1.2
drupal jquery_ui_checkboxradio 8.x-1.0
drupal jquery_ui_checkboxradio 8.x-1.3
drupal jquery_ui_checkboxradio 8.x-1.1
CVE-2022-31676

VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
vmware tools *
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
debian debian_linux 11.0
CVE-2022-31690

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
vmware spring_security *
netapp active_iq_unified_manager -
CVE-2022-31692

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
vmware spring_security *
netapp active_iq_unified_manager -
CVE-2022-31813 HIGH

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-348,CWE-345,

Products Affected

Vendor Product Version
fedoraproject fedora 36
netapp clustered_data_ontap -
apache http_server *
fedoraproject fedora 35
CVE-2022-3202

A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-32205 MEDIUM

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
siemens scalance_sc636-2c_firmware *
netapp hci_management_node -
apple macos *
netapp h500s_firmware -
siemens scalance_sc642-2c_firmware *
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
siemens scalance_sc646-2c_firmware *
netapp clustered_data_ontap -
siemens scalance_sc626-2c_firmware *
fedoraproject fedora 35
netapp solidfire -
siemens scalance_sc632-2c_firmware *
siemens scalance_sc622-2c_firmware *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-32206 MEDIUM

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
siemens scalance_sc636-2c_firmware *
debian debian_linux 10.0
netapp hci_management_node -
netapp h500s_firmware -
siemens scalance_sc642-2c_firmware *
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp bootstrap_os -
siemens scalance_sc646-2c_firmware *
netapp clustered_data_ontap -
siemens scalance_sc626-2c_firmware *
fedoraproject fedora 35
netapp solidfire -
siemens scalance_sc632-2c_firmware *
siemens scalance_sc622-2c_firmware *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-32207 HIGH

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-840,CWE-276,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp hci_management_node -
apple macos *
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp bootstrap_os -
netapp clustered_data_ontap -
fedoraproject fedora 35
netapp solidfire -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-32208 MEDIUM

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,CWE-787,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
debian debian_linux 10.0
netapp hci_management_node -
apple macos *
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp bootstrap_os -
netapp clustered_data_ontap -
fedoraproject fedora 35
netapp solidfire -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-32221

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
netapp clustered_data_ontap -
apple macos *
netapp h500s_firmware -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2022-32250 HIGH

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
linux linux_kernel *
fedoraproject fedora 35
netapp h500s_firmware -
netapp h410c_firmware -
debian debian_linux 9.0
netapp h700s_firmware -
CVE-2022-33980 HIGH

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
apache commons_configuration *
netapp snapcenter -
debian debian_linux 11.0
CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Products Affected

Vendor Product Version
apache xalan-java *
azul zulu 8.62
fedoraproject fedora 36
azul zulu 11.57
oracle jdk 1.7.0
oracle openjdk 7
oracle graalvm 20.3.6
azul zulu 11.58
oracle jdk 11.0.15.1
oracle jdk 18.0.1.1
oracle jre 1.7.0
azul zulu 8.64
azul zulu 18.32
azul zulu 15.41
azul zulu 11.56
azul zulu 17.36
azul zulu 17.34
azul zulu 17.35
oracle jdk 1.8.0
netapp hci_management_node -
azul zulu 13.49
netapp oncommand_insight -
oracle openjdk *
azul zulu 7.56
netapp cloud_secure_agent -
azul zulu 15.40
netapp 7-mode_transition_tool -
azul zulu 15.42
fedoraproject fedora 35
azul zulu 6.47
oracle jdk 17.0.3.1
azul zulu 7.55
netapp cloud_insights_acquisition_unit -
azul zulu 13.48
oracle jre 18.0.1.1
oracle graalvm 21.3.2
debian debian_linux 11.0
oracle openjdk 8
azul zulu 8.63
oracle jre 1.8.0
oracle jre 11.0.15.1
azul zulu 18.30
netapp solidfire -
debian debian_linux 10.0
netapp active_iq_unified_manager -
oracle jre 17.0.3.1
azul zulu 13.50
oracle graalvm 22.1.0
oracle openjdk 18
netapp hci_compute_node -
azul zulu 6.49
azul zulu 7.54
CVE-2022-34357

IBM Cognos Analytics Mobile Server 11.1.7, 11.2.4, and 12.0.0 is vulnerable to Denial of Service due to due to weak or absence of rate limiting. By making unlimited http requests, it is possible for a single user to exhaust server resources over a period of time making service unavailable for other legitimate users. IBM X-Force ID: 230510.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.4
ibm cognos_analytics 12.0.1
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 12.0.0
CVE-2022-34526

A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the "tiffsplit" or "tiffcrop" utilities.

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
netapp ontap_select_deploy_administration_utility -
libtiff libtiff 4.4.0
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-34903 MEDIUM

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N 2.2 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 35
netapp ontap_select_deploy_administration_utility -
gnupg gnupg *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-34918 HIGH

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-843,

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 22.04
canonical ubuntu_linux 14.04
CVE-2022-35252

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
debian debian_linux 10.0
netapp hci_management_node -
apple macos *
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
netapp clustered_data_ontap -
netapp solidfire -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-35260

curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
apple macos *
netapp h500s_firmware -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
CVE-2022-35278

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
apache activemq_artemis *
netapp active_iq_unified_manager -
CVE-2022-3545

A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cna@vuldb.com 5.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2022-3564

A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 5.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.1 3.4
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
linux linux_kernel -
netapp h700s_firmware -
CVE-2022-35737

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Products Affected

Vendor Product Version
sqlite sqlite *
netapp ontap_select_deploy_administration_utility -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-3597

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-3598

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
netapp active_iq_unified_manager -
CVE-2022-3599

LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Products Affected

Vendor Product Version
openssl openssl *
fedoraproject fedora 36
nodejs node.js 19.0.0
netapp clustered_data_ontap -
nodejs node.js *
fedoraproject fedora 27
fedoraproject fedora 37
nodejs node.js 18.12.0
fedoraproject fedora 26
CVE-2022-36033

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
jsoup jsoup *
netapp management_services_for_netapp_hci -
netapp management_services_for_element_software -
CVE-2022-36123

The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-3626

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
netapp active_iq_unified_manager -
CVE-2022-3627

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
cve@gitlab.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libtiff libtiff *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2022-3649

A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 1.6 1.4
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp active_iq_unified_manager -
linux linux_kernel -
netapp h700s_firmware -
CVE-2022-36773

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 233571.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2022-36879

An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
netapp h300s_firmware -
netapp fas_a400_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp fas_8300_firmware -
netapp aff_a250_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp h615c_firmware -
linux linux_kernel *
netapp h610c_firmware -
netapp fas_8700_firmware -
netapp aff_a400_firmware -
netapp fas_500f_firmware -
debian debian_linux 10.0
netapp h610s_firmware -
netapp aff_8700_firmware -
netapp active_iq_unified_manager -
netapp aff_8300_firmware -
netapp fas_a250_firmware -
netapp a700s_firmware -
netapp hci_bootstrap_os -
netapp aff_500f_firmware -
CVE-2022-36946

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
netapp hci_compute_node -
debian debian_linux 11.0
netapp solidfire_enterprise_sds -
CVE-2022-3705

A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
cna@vuldb.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.6 3.4

Products Affected

Vendor Product Version
fedoraproject fedora 36
debian debian_linux 10.0
vim vim *
fedoraproject fedora 35
netapp active_iq_unified_manager -
CVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp oncommand_workflow_automation -
fedoraproject fedora 36
debian debian_linux 10.0
apple watchos *
apple macos *
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
stormshield stormshield_network_security *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h700s_firmware -
netapp management_services_for_element_software -
netapp hci -
apple iphone_os *
apple ipados *
netapp storagegrid -
fedoraproject fedora 35
zlib zlib *
netapp hci_compute_node -
CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@microsoft.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
microsoft windows_server_2019 -
microsoft windows_server_2012 -
fedoraproject fedora 37
microsoft windows_server_2008 -
netapp management_services_for_element_software -
microsoft windows_server_2016 -
microsoft windows_server_2008 r2
samba samba *
microsoft windows_server_2022 -
netapp management_services_for_netapp_hci -
microsoft windows_server_2012 r2
CVE-2022-37967

Windows Kerberos Elevation of Privilege Vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@microsoft.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
microsoft windows_server_2019 -
microsoft windows_server_2012 -
fedoraproject fedora 37
microsoft windows_server_2008 -
netapp management_services_for_element_software -
microsoft windows_server_2016 -
microsoft windows_server_2008 r2
samba samba *
microsoft windows_server_2022 -
netapp management_services_for_netapp_hci -
microsoft windows_server_2012 r2
CVE-2022-38023

Netlogon RPC Elevation of Privilege Vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@microsoft.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
microsoft windows_server_2019 -
microsoft windows_server_2012 -
fedoraproject fedora 37
microsoft windows_server_2008 -
netapp management_services_for_element_software -
microsoft windows_server_2016 -
microsoft windows_server_2008 r2
samba samba *
microsoft windows_server_2022 -
netapp management_services_for_netapp_hci -
microsoft windows_server_2012 r2
CVE-2022-38177

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.11.27
fedoraproject fedora 36
isc bind 9.11.21
fedoraproject fedora 37
debian debian_linux 11.0
isc bind 9.11.14-s1
isc bind 9.16.13
isc bind 9.16.32
isc bind 9.11.3
isc bind 9.11.35
debian debian_linux 10.0
isc bind 9.10.7
isc bind 9.11.8
isc bind 9.11.37
isc bind 9.10.5
isc bind 9.9.12
netapp active_iq_unified_manager -
isc bind 9.11.5
isc bind 9.9.13
isc bind 9.11.6
isc bind 9.16.21
isc bind 9.9.3
isc bind *
isc bind 9.11.29
fedoraproject fedora 35
isc bind 9.16.8
isc bind 9.11.12
isc bind 9.11.7
isc bind 9.11.19-s1
isc bind 9.16.11
CVE-2022-38178

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.11.27
fedoraproject fedora 36
isc bind 9.11.21
fedoraproject fedora 37
debian debian_linux 11.0
isc bind 9.11.14-s1
isc bind 9.16.13
isc bind 9.16.32
isc bind 9.11.3
isc bind 9.11.35
isc bind 9.11.8
isc bind 9.11.37
netapp active_iq_unified_manager -
isc bind 9.11.5
isc bind 9.11.6
isc bind 9.16.21
isc bind *
isc bind 9.11.29
fedoraproject fedora 35
isc bind 9.16.8
isc bind 9.11.12
isc bind 9.11.7
isc bind 9.11.19-s1
isc bind 9.16.11
CVE-2022-38732

SnapCenter versions prior to 4.7 shipped without Content Security Policy (CSP) implemented which could allow certain types of attacks that otherwise would be prevented.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp snapcenter *
CVE-2022-38733

OnCommand Insight versions 7.3.1 through 7.3.14 are susceptible to an authentication bypass vulnerability in the Data Warehouse component.

Products Affected

Vendor Product Version
netapp oncommand_insight *
CVE-2022-38734

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0.8 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to to a crash of the Local Distribution Router (LDR) service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2022-39046

An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
gnu glibc 2.36
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-39189

An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2022-39399

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
fedoraproject fedora 36
oracle jre 19
oracle jdk 11.0.16.1
oracle jre 11.0.16.1
oracle graalvm 22.2.0
netapp cloud_insights_acquisition_unit -
azul zulu 11.58
oracle graalvm 21.3.3
netapp santricity_storage_plugin -
netapp santricity_web_services_proxy -
oracle graalvm 20.3.7
netapp oncommand_workflow_automation -
azul zulu 17.36
netapp e-series_santricity_unified_manager -
oracle jre 17.0.4.1
netapp oncommand_insight -
netapp cloud_secure_agent -
azul zulu 19.28
netapp e-series_santricity_storage_manager -
netapp 7-mode_transition_tool -
oracle jdk 17.0.4.1
azul zulu 15.42
oracle jdk 19
azul zulu 13.50
fedoraproject fedora 35
CVE-2022-39400

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-39408

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-39410

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
oracle mysql *
CVE-2022-3970

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
apple iphone_os *
debian debian_linux 10.0
apple ipados *
libtiff libtiff *
apple macos *
netapp active_iq_unified_manager -
apple safari *
CVE-2022-40303

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

Products Affected

Vendor Product Version
netapp h300s_firmware -
apple watchos *
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
apple iphone_os *
netapp clustered_data_ontap -
apple ipados *
apple tvos *
xmlsoft libxml2 *
netapp netapp_manageability_sdk -
netapp snapmanager -
netapp clustered_data_ontap_antivirus_connector -
CVE-2022-40304

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp manageability_software_development_kit -
apple watchos *
apple macos *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
apple iphone_os *
netapp smi-s_provider -
netapp clustered_data_ontap -
apple ipados *
apple tvos *
xmlsoft libxml2 *
netapp snapmanager -
netapp clustered_data_ontap_antivirus_connector -
CVE-2022-40982

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@intel.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

Products Affected

Vendor Product Version
intel pentium_gold_g6405t_firmware -
intel core_i3-7120_firmware -
intel core_i7-9700k_firmware -
intel xeon_platinum_8256_firmware -
intel xeon_e3-1245_v6_firmware -
intel core_i7-8709g_firmware -
intel pentium_gold_g6500_firmware -
intel xeon_gold_5218b_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_platinum_8356h_firmware -
redhat enterprise_linux 8.0
intel core_i7-10510u_firmware -
intel core_i9-10900f_firmware -
intel core_i9-10940x_firmware -
intel core_i9-11900t_firmware -
intel pentium_gold_g6400_firmware -
intel core_i5-9500_firmware -
intel core_i5-10500t_firmware -
intel core_i7-10610u_firmware -
intel core_i7-10700k_firmware -
intel xeon_gold_6230t_firmware -
intel core_i5-9500t_firmware -
intel core_i5-9400f_firmware -
intel core_i5-1030g4_firmware -
intel xeon_gold_5222_firmware -
intel core_i7-8700k_firmware -
netapp all_flash_fabric-attached_storage_a800 -
intel xeon_w-11155mle_firmware -
intel core_i7-10870h_firmware -
intel core_i5-8400h_firmware -
intel core_i5-8600_firmware -
intel xeon_e-2124_firmware -
intel core_i3-10305_firmware -
intel xeon_gold_5215l_firmware -
intel xeon_bronze_3204_firmware -
intel xeon_d-1712tr_firmware -
intel core_i7-1060g7_firmware -
netapp all_flash_fabric-attached_storage_500f *
intel core_i7-11600h_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8380h_firmware -
intel core_i5-8200y_firmware -
intel core_i5-1030g7_firmware -
intel xeon_d-2145nt_firmware -
intel core_i9-10900k_firmware -
intel core_i7-11375h_firmware -
intel core_i9-7980xe_firmware -
intel xeon_platinum_8280_firmware -
intel core_i3-10325_firmware -
intel core_i5-10400_firmware -
intel xeon_w-2275_firmware -
intel core_i9-7960x_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e-2386g_firmware -
intel microcode *
intel xeon_w-3275m_firmware -
intel xeon_e3-1230_v6_firmware -
intel core_i3-7101te_firmware -
intel celeron_g5925_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel xeon_silver_4210_firmware -
intel core_i7-1195g7_firmware -
netapp all_flash_fabric-attached_storage_c400 -
redhat enterprise_linux 6.0
intel core_i5-8279u_firmware -
intel xeon_w-11865mre_firmware -
intel core_i9-10900x_firmware -
netapp all_flash_fabric-attached_storage_c250 *
intel core_i7-8809g_firmware -
intel xeon_gold_5318h_firmware -
intel xeon_e3-1240_v6_firmware -
intel xeon_platinum_8268_firmware -
intel xeon_e-2278ge_firmware -
intel xeon_gold_5318y_firmware -
intel core_i7-1185g7e_firmware -
intel core_i5-8365u_firmware -
intel core_i3-7340_firmware -
intel core_i3-1000g1_firmware -
netapp all_flash_fabric-attached_storage_a900 -
intel xeon_e-2224g_firmware -
netapp all_flash_fabric-attached_storage_8700 -
intel core_i7-1068g7_firmware -
intel xeon_gold_6338t_firmware -
intel xeon_w-3225_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_w-2155_firmware -
intel xeon_w-2145_firmware -
intel core_i3-9100_firmware -
intel core_i9-11900kf_firmware -
intel core_i5-10600k_firmware -
intel xeon_w-1270_firmware -
intel xeon_w-1390t_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-10850h_firmware -
intel core_i7-7740x_firmware -
intel core_i5-8600k_firmware -
intel xeon_e3-1505l_v6_firmware -
intel xeon_e-2276g_firmware -
intel core_i3-7300_firmware -
intel celeron_5305u_firmware -
intel xeon_gold_6348h_firmware -
intel core_i5-1035g4_firmware -
intel core_i7-8565u_firmware -
intel xeon_e-2378g_firmware -
intel xeon_gold_6254_firmware -
intel core_i9-9900k_firmware -
intel core_i7-10700t_firmware -
intel xeon_gold_6256_firmware -
intel core_i5-9600k_firmware -
intel xeon_w-1350_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_d-1732te_firmware -
intel xeon_w-11865mle_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_6222v_firmware -
intel core_i9-9900_firmware -
intel core_i9-11980hk_firmware -
intel celeron_g5920_firmware -
intel core_i5-7267u_firmware -
intel core_i5-11260h_firmware -
intel core_i7-1185g7_firmware -
intel core_i5-11600k_firmware -
intel xeon_w-2135_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6240r_firmware -
intel core_i5-10210u_firmware -
intel xeon_gold_6248_firmware -
intel core_i3-7020u_firmware -
intel core_i7-8086k_firmware -
intel xeon_silver_4214y_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel xeon_e3-1220_v6_firmware -
intel core_i7-8550u_firmware -
intel xeon_w-1390p_firmware -
intel core_i5-8305g_firmware -
intel xeon_d-2775te_firmware -
intel core_i3-7100_firmware -
intel celeron_g5905_firmware -
intel core_i7-9700f_firmware -
intel xeon_w-3265m_firmware -
intel core_i3-8130u_firmware -
intel core_i7-7800x_firmware -
intel core_i3-10110y_firmware -
intel core_i5-9600t_firmware -
intel xeon_w-2133_firmware -
intel pentium_gold_g6505t_firmware -
intel xeon_gold_5218_firmware -
intel core_i5-8600t_firmware -
intel core_i7-7700k_firmware -
intel xeon_gold_6238_firmware -
intel xeon_e3-1501m_v6_firmware -
intel xeon_gold_6258r_firmware -
intel core_i3-1115g4e_firmware -
intel core_i5-7600k_firmware -
intel xeon_e-2124g_firmware -
intel core_i7-7700_firmware -
intel core_i5-10500_firmware -
intel core_i5-8300h_firmware -
intel core_i7-11370h_firmware -
intel xeon_w-1270p_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i5-10300h_firmware -
intel core_i7-8706g_firmware -
intel xeon_silver_4215r_firmware -
intel xeon_platinum_8260y_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6252n_firmware -
intel xeon_gold_5218r_firmware -
netapp all_flash_fabric-attached_storage_a400 -
intel core_i5-7442eq_firmware -
intel core_i5-11400f_firmware -
intel core_i5-8500t_firmware -
intel core_i3-10105_firmware -
intel core_i9-11900h_firmware -
intel xeon_gold_5320h_firmware -
intel core_i3-9300t_firmware -
intel core_i5-11400_firmware -
intel xeon_d-2752ter_firmware -
intel xeon_e-2144g_firmware -
intel core_i3-1005g1_firmware -
intel xeon_e-2126g_firmware -
intel core_i7-10875h_firmware -
intel xeon_gold_6238r_firmware -
intel xeon_w-1250_firmware -
intel xeon_e-2278gel_firmware -
intel xeon_silver_4208_firmware -
intel core_i7-11390h_firmware -
intel celeron_g5900t_firmware -
intel core_i5-9600kf_firmware -
netapp all_flash_fabric-attached_storage_a250 *
intel xeon_w-2225_firmware -
netapp all_flash_fabric-attached_storage_2820 -
intel celeron_g4920_firmware -
intel xeon_silver_4216_firmware -
intel xeon_e-2244g_firmware -
intel xeon_platinum_8276l_firmware -
redhat enterprise_linux 9.0
intel pentium_gold_g6405_firmware -
intel celeron_g5900_firmware -
intel xeon_w-1370_firmware -
intel core_i3-7100t_firmware -
intel xeon_d-1715ter_firmware -
intel core_i7-11850he_firmware -
intel xeon_e3-1501l_v6_firmware -
intel xeon_gold_6330_firmware -
intel xeon_gold_6230n_firmware -
intel core_i7-10700_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6238t_firmware -
intel core_i5-11300h_firmware -
intel xeon_d-2712t_firmware -
intel core_i3-8100h_firmware -
intel core_i3-10305t_firmware -
intel xeon_gold_6230_firmware -
intel xeon_w-2223_firmware -
intel xeon_e-2278g_firmware -
intel core_i5-7300u_firmware -
intel xeon_w-3265_firmware -
intel xeon_w-11555mle_firmware -
intel xeon_e-2388g_firmware -
intel xeon_gold_6326_firmware -
intel xeon_gold_5220r_firmware -
intel xeon_e-2136_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_e-2174g_firmware -
intel core_i5-10600kf_firmware -
intel core_i9-9920x_firmware -
intel core_i7-10810u_firmware -
intel xeon_e-2314_firmware -
intel core_i5-1155g7_firmware -
netapp all_flash_fabric-attached_storage_c800 -
intel xeon_w-2255_firmware -
intel core_i3-8109u_firmware -
intel core_i3-7350k_firmware -
intel core_i7-9800x_firmware -
intel core_i7-8850h_firmware -
intel xeon_d-2123it_firmware -
intel xeon_e-2134_firmware -
intel xeon_silver_4314_firmware -
intel core_i5-8350u_firmware -
intel core_i3-9320_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7101e_firmware -
intel core_i3-7102e_firmware -
intel xeon_gold_5215_firmware -
intel core_i9-8950hk_firmware -
intel xeon_e-2336_firmware -
intel core_i9-9820x_firmware -
intel xeon_silver_4215_firmware -
intel xeon_w-3245_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-1130g7_firmware -
intel xeon_e-2324g_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6210u_firmware -
intel xeon_e3-1535m_v6_firmware -
intel core_i7-8569u_firmware -
intel xeon_d-2141i_firmware -
intel xeon_w-3275_firmware -
intel core_i7-11700k_firmware -
intel xeon_e3-1285_v6_firmware -
intel xeon_platinum_8354h_firmware -
intel pentium_gold_g6605_firmware -
intel core_i5-11500t_firmware -
intel core_i5-1035g1_firmware -
intel xeon_w-2125_firmware -
intel core_i3-9100f_firmware -
intel core_i5-7500_firmware -
intel core_i3-10100y_firmware -
intel xeon_gold_6212u_firmware -
intel core_i5-8260u_firmware -
intel core_i3-7100u_firmware -
intel xeon_platinum_9222_firmware -
intel xeon_platinum_8376h_firmware -
intel xeon_e-2378_firmware -
intel core_i5-11320h_firmware -
intel core_i7-11800h_firmware -
intel xeon_w-11155mre_firmware -
intel xeon_gold_6250_firmware -
intel core_i9-10980xe_firmware -
intel xeon_platinum_8380hl_firmware -
intel xeon_gold_6238l_firmware -
intel xeon_gold_6226r_firmware -
intel xeon_gold_5320t_firmware -
intel core_i9-10900t_firmware -
intel core_i3-7120t_firmware -
intel xeon_platinum_8253_firmware -
intel xeon_bronze_3206r_firmware -
intel core_i5-11600kf_firmware -
intel core_i7-1165g7_firmware -
intel xeon_w-1390_firmware -
intel core_i3-1110g4_firmware -
intel core_i5-10600t_firmware -
intel core_i3-10105t_firmware -
intel xeon_gold_6330h_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2733nt_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-9940x_firmware -
intel core_i3-10100t_firmware -
intel xeon_gold_6336y_firmware -
intel core_i9-9900kf_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8400t_firmware -
intel xeon_gold_5218t_firmware -
intel core_i9-9980xe_firmware -
intel core_i9-9900x_firmware -
intel xeon_silver_4316_firmware -
intel xeon_gold_6250l_firmware -
intel core_m3-8100y_firmware -
intel xeon_platinum_8280l_firmware -
intel xeon_w-2295_firmware -
intel core_i3-1000g4_firmware -
intel core_i5-9500f_firmware -
intel core_i9-10920x_firmware -
intel core_i3-10100f_firmware -
intel core_i7-11700t_firmware -
intel core_i3-10300_firmware -
intel pentium_gold_g5400t_firmware -
intel core_i9-9900ks_firmware -
intel core_i7-11700_firmware -
intel core_i7-8750h_firmware -
intel core_i7-10700kf_firmware -
intel xeon_w-2195_firmware -
intel xeon_gold_6240l_firmware -
intel pentium_gold_g5400_firmware -
intel xeon_platinum_8360hl_firmware -
intel core_i5-7287u_firmware -
intel xeon_e-2246g_firmware -
intel xeon_gold_5218n_firmware -
intel core_i5-8250u_firmware -
intel pentium_6405u_firmware -
intel core_i9-7900x_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_e-2186g_firmware -
intel core_i3-9100t_firmware -
intel core_i7-8700_firmware -
intel core_i3-7320t_firmware -
intel xeon_d-2163it_firmware -
intel core_i5-7260u_firmware -
intel core_i5-7640x_firmware -
intel core_i9-7920x_firmware -
intel xeon_e3-1275_v6_firmware -
intel xeon_e-2334_firmware -
intel core_i3-1120g4_firmware -
intel xeon_gold_6240y_firmware -
intel xeon_e-2176g_firmware -
intel core_i3-7320_firmware -
intel core_i3-7310t_firmware -
intel xeon_platinum_8353h_firmware -
xen xen -
intel xeon_platinum_8260l_firmware -
intel xeon_gold_5220_firmware -
debian debian_linux 10.0
intel xeon_e3-1505m_v6_firmware -
intel core_i7-7820x_firmware -
intel core_i5-8400b_firmware -
intel xeon_gold_6209u_firmware -
intel xeon_gold_6242_firmware -
intel xeon_w-10855m_firmware -
intel pentium_gold_g6400t_firmware -
intel xeon_e-2226ge_firmware -
intel celeron_g4900t_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel xeon_gold_5315y_firmware -
intel core_i7-7700t_firmware -
intel xeon_w-3235_firmware -
intel core_i3-10300t_firmware -
debian debian_linux 12.0
intel xeon_silver_4214_firmware -
intel core_i5-9400_firmware -
intel core_i5-8259u_firmware -
intel xeon_e-2288g_firmware -
intel xeon_d-2796te_firmware -
intel xeon_e3-1280_v6_firmware -
netapp all_flash_fabric-attached_storage_8300 -
intel core_i3-8350k_firmware -
intel celeron_5205u_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_e-2224_firmware -
intel core_i9-9900t_firmware -
intel core_i7-9700t_firmware -
intel core_i7-8559u_firmware -
intel core_i3-10105f_firmware -
intel core_i7-10750h_firmware -
intel core_i3-8100_firmware -
intel pentium_gold_g5500_firmware -
intel core_i7-7567u_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel xeon_platinum_8360h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-7500t_firmware -
intel xeon_w-1290_firmware -
intel pentium_gold_6405u_firmware -
intel core_i3-1125g4_firmware -
intel core_i7-8650u_firmware -
intel core_i5-8210y_firmware -
intel xeon_d-2142it_firmware -
intel core_i5-10310u_firmware -
intel xeon_w-1290p_firmware -
intel xeon_gold_6328hl_firmware -
intel core_i5-8265u_firmware -
intel xeon_w-2235_firmware -
intel core_i7-8700t_firmware -
intel xeon_gold_5217_firmware -
intel core_i9-10900_firmware -
intel xeon_platinum_9242_firmware -
intel xeon_platinum_9282_firmware -
intel xeon_gold_6240_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_e-2374g_firmware -
intel core_i7-9700_firmware -
intel core_i5-8269u_firmware -
intel xeon_gold_5220s_firmware -
netapp all_flash_fabric-attached_storage_9500 -
intel core_i5-11600_firmware -
intel core_i9-9990xe_firmware -
intel core_i7-7600u_firmware -
intel core_i7-9700kf_firmware -
intel core_i9-9960x_firmware -
intel core_i5-1145gre_firmware -
intel core_i5-10400t_firmware -
intel core_i7-1160g7_firmware -
intel xeon_e-2286g_firmware -
intel core_i7-8500y_firmware -
intel xeon_e3-1270_v6_firmware -
intel xeon_e-2104g_firmware -
intel core_i3-8300_firmware -
intel core_i3-10100_firmware -
intel xeon_w-11555mre_firmware -
intel xeon_gold_5317_firmware -
intel core_i5-1145g7_firmware -
intel xeon_platinum_8376hl_firmware -
intel core_i5-7360u_firmware -
intel core_i5-10400f_firmware -
intel core_i7-7660u_firmware -
intel core_i5-8500_firmware -
intel pentium_gold_g5600_firmware -
intel core_i3-1115gre_firmware -
intel core_i7-8705g_firmware -
intel core_i3-7300t_firmware -
intel xeon_platinum_8276_firmware -
intel pentium_gold_g6500t_firmware -
intel core_i3-11100he_firmware -
intel xeon_w-1370p_firmware -
intel xeon_e-2274g_firmware -
intel xeon_gold_6246r_firmware -
intel core_i3-7100e_firmware -
intel core_i7-1185gre_firmware -
intel celeron_g4900_firmware -
intel core_i7-8665u_firmware -
intel xeon_silver_4210r_firmware -
intel core_i9-11900_firmware -
intel core_i9-10900kf_firmware -
intel core_i5-10400h_firmware -
intel xeon_gold_6328h_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-10510y_firmware -
intel core_i3-9300_firmware -
intel core_i5-10200h_firmware -
intel core_i5-9400t_firmware -
intel core_i5-7600_firmware -
intel core_i3-8100b_firmware -
intel core_i5-7400t_firmware -
intel xeon_e-2234_firmware -
intel core_i5-9600_firmware -
intel core_i5-8500b_firmware -
intel core_i3-9350k_firmware -
intel core_i5-8400_firmware -
intel xeon_w-2175_firmware -
intel xeon_silver_4310t_firmware -
intel core_i7-7820eq_firmware -
intel core_i5-8257u_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_w-2265_firmware -
intel xeon_w-3223_firmware -
intel xeon_w-1350p_firmware -
intel core_i7-8700b_firmware -
intel xeon_gold_6234_firmware -
intel core_i5-7400_firmware -
intel xeon_e-2236_firmware -
intel xeon_gold_6244_firmware -
intel xeon_w-1250p_firmware -
intel xeon_e-2146g_firmware -
intel xeon_silver_4310_firmware -
intel core_i5-7600t_firmware -
intel core_i5-1135g7_firmware -
intel core_i5-7440eq_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-11500h_firmware -
intel xeon_d-1735tr_firmware -
intel core_i7-11700kf_firmware -
intel core_i5-11400h_firmware -
intel xeon_gold_6246_firmware -
intel core_i3-10110u_firmware -
intel xeon_w-1290t_firmware -
intel xeon_silver_4214r_firmware -
intel core_i3-7167u_firmware -
intel core_i7-8557u_firmware -
debian debian_linux 11.0
intel xeon_d-1746ter_firmware -
intel pentium_gold_g6600_firmware -
intel core_i3-8145u_firmware -
intel core_i3-8100t_firmware -
intel core_i5-11400t_firmware -
intel xeon_e3-1225_v6_firmware -
intel pentium_gold_g6505_firmware -
intel xeon_gold_6226_firmware -
intel core_i5-11500_firmware -
intel core_i5-10210y_firmware -
intel core_i5-10505_firmware -
intel core_i3-8100f_firmware -
intel xeon_d-2166nt_firmware -
intel pentium_gold_g5500t_firmware -
intel core_i5-8310y_firmware -
intel core_i9-7940x_firmware -
intel xeon_gold_6242r_firmware -
intel xeon_gold_6208u_firmware -
redhat enterprise_linux 7.0
intel core_i3-8300t_firmware -
intel core_i7-7560u_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_silver_4209t_firmware -
intel celeron_g5905t_firmware -
intel core_i3-10320_firmware -
intel core_i9-10850k_firmware -
intel core_i5-10600_firmware -
intel xeon_w-3245m_firmware -
CVE-2022-41222

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
canonical ubuntu_linux 20.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
canonical ubuntu_linux 22.04
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2022-41858

A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
linux linux_kernel 5.18
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
quarkus quarkus *
debian debian_linux 10.0
fasterxml jackson-databind *
debian debian_linux 11.0
CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
quarkus quarkus *
debian debian_linux 10.0
fasterxml jackson-databind *
debian debian_linux 11.0
CVE-2022-42889

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
juniper security_threat_response_manager *
apache commons_text *
netapp bluexp -
juniper security_threat_response_manager 7.5.0
CVE-2022-42915

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
apple macos *
fedoraproject fedora 37
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
netapp h410s_firmware -
netapp ontap_9 -
fedoraproject fedora 35
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
CVE-2022-4292

Use After Free in GitHub repository vim/vim prior to 9.0.0882.

Products Affected

Vendor Product Version
vim vim *
netapp ontap_select_deploy_administration_utility -
CVE-2022-43551

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp snapcenter -
CVE-2022-43680

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp oncommand_workflow_automation -
fedoraproject fedora 36
netapp baseboard_management_controller_h300s_firmware -
debian debian_linux 10.0
netapp hci_compute_node_firmware -
netapp solidfire_&_hci_management_node -
fedoraproject fedora 37
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
libexpat_project libexpat *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp baseboard_management_controller_h700s_firmware -
netapp baseboard_management_controller_h410s_firmware -
netapp baseboard_management_controller_h500s_firmware -
fedoraproject fedora 35
netapp baseboard_management_controller_h410c_firmware -
CVE-2022-43945

The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-44792

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h700s_firmware -
net-snmp net-snmp *
CVE-2022-44793

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h700s_firmware -
net-snmp net-snmp *
CVE-2022-45061

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Products Affected

Vendor Product Version
netapp element_software -
fedoraproject fedora 36
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
python python 3.11.0
netapp management_services_for_element_software -
netapp e-series_performance_analyzer -
netapp bootstrap_os -
netapp hci -
fedoraproject fedora 35
python python *
CVE-2022-45884

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45885

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45886

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45887

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45888

An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45919

An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-45934

An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
fedoraproject fedora 37
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2022-47518

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-47519

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-47520

An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-47521

An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2022-48064

GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 38
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
gnu binutils *
CVE-2022-48065

GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 38
netapp ontap_select_deploy_administration_utility -
gnu binutils *
fedoraproject fedora 39
CVE-2022-48502

An issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2022-48564

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
python python *
netapp active_iq_unified_manager -
CVE-2022-48566

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
python python *
netapp active_iq_unified_manager -
netapp converged_systems_advisor_agent -
CVE-2023-0045

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.  The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2023-0361

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
fedoraproject fedora 36
fedoraproject fedora 38
debian debian_linux 10.0
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
gnu gnutls 3.6.8-11.el8_2
netapp active_iq_unified_manager -
netapp converged_systems_advisor_agent -
CVE-2023-0386

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
canonical ubuntu_linux 20.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 22.04
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
linux linux_kernel 6.2
CVE-2023-1077

In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp 8700_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
netapp a700s_firmware -
netapp h410s_firmware -
netapp a400_firmware -
linux linux_kernel *
netapp 8300_firmware -
linux linux_kernel -
netapp c400_firmware -
CVE-2023-1096

SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to gain access as an admin user.

Products Affected

Vendor Product Version
netapp snapcenter 4.7
netapp snapcenter 4.8
CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift_container_platform_for_power 4.9
netapp oncommand_workflow_automation -
redhat integration_camel_k -
redhat integration_service_registry -
redhat openshift_container_platform_for_linuxone 4.9
redhat fuse 1.0.0
redhat jboss_enterprise_application_platform 7.4
redhat openshift_container_platform 4.12
redhat openshift_container_platform 4.11
redhat openshift_container_platform_for_linuxone 4.10
redhat jboss_enterprise_application_platform -
redhat decision_manager 7.0
redhat single_sign-on 7.6
redhat openshift_application_runtimes -
redhat build_of_quarkus -
redhat single_sign-on -
redhat undertow *
redhat process_automation 7.0
redhat jboss_enterprise_application_platform_expansion_pack -
redhat openstack_platform 13.0
redhat openshift_container_platform_for_power 4.10
CVE-2023-1295

A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-1380

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
redhat enterprise_linux 9.0
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
linux linux_kernel 6.3
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
linux linux_kernel *
canonical ubuntu_linux 22.04
canonical ubuntu_linux 14.04
linux linux_kernel -
CVE-2023-1838

A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-1989

A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
debian debian_linux 10.0
netapp h500s -
netapp h410s -
netapp h300s -
debian debian_linux 12.0
linux linux_kernel *
CVE-2023-2006

A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-2007

The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

Products Affected

Vendor Product Version
vmware spring_security *
netapp active_iq_unified_manager -
CVE-2023-20900

A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security@vmware.com 7.1 HIGH CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 38
debian debian_linux 10.0
vmware tools *
debian debian_linux 12.0
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
vmware open_vm_tools *
debian debian_linux 11.0
fedoraproject fedora 39
CVE-2023-2124

An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 12.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-21911

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21919

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21920

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21929

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21930

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21933

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21935

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21937

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21938

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
oracle graalvm 22.3.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle graalvm 20.3.8
oracle graalvm 21.3.4
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
netapp brocade_san_navigator -
oracle openjdk 20
CVE-2023-21939

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21940

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21945

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21946

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21947

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21953

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21954

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21955

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21962

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-21967

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21968

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
oracle graalvm 21.3.5
debian debian_linux 10.0
oracle jre 11.0.18
oracle jre 20
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle openjdk *
debian debian_linux 11.0
oracle openjdk 8
netapp 7-mode_transition_tool -
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 20
oracle jdk 11.0.18
oracle jdk 17.0.6
oracle jre 17.0.6
oracle graalvm 22.3.1
netapp brocade_san_navigator -
oracle openjdk 20
oracle graalvm 20.3.9
CVE-2023-21971

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H 0.5 4.7

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_binding_support_function 22.4.0
oracle communications_cloud_native_core_policy 22.4.0
oracle communications_cloud_native_core_policy 23.1.0
oracle mysql_connectors *
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle communications_cloud_native_core_binding_support_function 23.1.0
netapp snapcenter -
CVE-2023-22005

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22006

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
oracle jdk 11.0.19
oracle jre 11.0.19
debian debian_linux 10.0
oracle graalvm_for_jdk 20.0.1
netapp cloud_insights_acquisition_unit -
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm_for_jdk 17.0.7
oracle jdk 20.0.1
netapp 7-mode_transition_tool -
oracle jre 20.0.1
oracle graalvm 20.3.10
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm 22.3.2
oracle jdk 17.0.7
oracle jre 17.0.7
oracle graalvm 21.3.6
CVE-2023-22008

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22015

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
oracle jdk 17.0.8
oracle jre 21.0.0
oracle jre 1.8.0
netapp cloud_insights_acquisition_unit -
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.8
oracle jdk 21.0.0
oracle jre 17.0.8
oracle graalvm_for_jdk 21
CVE-2023-22026

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.42 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22028

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.43 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22032

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22033

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22036

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
oracle jdk 11.0.19
oracle jre 11.0.19
debian debian_linux 10.0
oracle graalvm_for_jdk 20.0.1
netapp cloud_insights_acquisition_unit -
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm_for_jdk 17.0.7
oracle jdk 20.0.1
netapp 7-mode_transition_tool -
oracle jre 20.0.1
oracle graalvm 20.3.10
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm 22.3.2
oracle jdk 17.0.7
oracle jre 17.0.7
oracle graalvm 21.3.6
CVE-2023-22038

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22041

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.4 3.6

Products Affected

Vendor Product Version
oracle jdk 11.0.19
oracle jre 11.0.19
debian debian_linux 10.0
oracle graalvm_for_jdk 20.0.1
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm_for_jdk 17.0.7
oracle jdk 20.0.1
netapp 7-mode_transition_tool -
oracle jre 20.0.1
oracle graalvm 20.3.10
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm 22.3.2
oracle jdk 17.0.7
oracle jre 17.0.7
oracle graalvm 21.3.6
CVE-2023-22045

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
oracle jdk 11.0.19
oracle jre 11.0.19
debian debian_linux 10.0
oracle graalvm_for_jdk 20.0.1
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm_for_jdk 17.0.7
oracle jdk 20.0.1
netapp 7-mode_transition_tool -
oracle jre 20.0.1
oracle graalvm 20.3.10
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm 22.3.2
oracle jdk 17.0.7
oracle jre 17.0.7
oracle graalvm 21.3.6
CVE-2023-22046

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22048

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22049

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
oracle jdk 11.0.19
oracle jre 11.0.19
debian debian_linux 10.0
oracle graalvm_for_jdk 20.0.1
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm_for_jdk 17.0.7
oracle jdk 20.0.1
netapp 7-mode_transition_tool -
oracle jre 20.0.1
oracle graalvm 20.3.10
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm 22.3.2
oracle jdk 17.0.7
oracle jre 17.0.7
oracle graalvm 21.3.6
CVE-2023-22053

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H 1.6 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22054

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22056

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22057

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22058

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
fedoraproject fedora 38
oracle mysql_server *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
fedoraproject fedora 39
CVE-2023-22059

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22064

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22065

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22066

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22067

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
oracle jre 1.8.0
netapp cloud_insights_acquisition_unit -
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 1.8.0
CVE-2023-22068

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22070

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22078

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22079

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22081

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
oracle jdk 17.0.8
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.8
oracle jdk 11.0.2
oracle graalvm_for_jdk 21
oracle jre 11.0.2
oracle jre 21.0.0
oracle jre 1.8.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 21.0.0
oracle jre 17.0.8
CVE-2023-22084

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
mariadb mariadb *
fedoraproject fedora 38
oracle mysql 8.1.0
fedoraproject fedora 37
netapp oncommand_insight -
oracle mysql *
fedoraproject fedora 39
CVE-2023-22092

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22095

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). The supported version that is affected is 8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
CVE-2023-22097

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22102

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
oracle mysql_connector/j *
netapp oncommand_insight -
CVE-2023-22103

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22104

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22110

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22111

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22112

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22113

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-22114

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql 8.1.0
netapp oncommand_insight -
oracle mysql *
CVE-2023-22115

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2023-2236

A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability. We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-2269

A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
fedoraproject fedora 37
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
fedoraproject fedora 38
debian debian_linux 12.0
linux linux_kernel 6.2
CVE-2023-23559

In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
debian debian_linux 10.0
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-23583

Sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
secure@intel.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
intel xeon_gold_6346_firmware -
intel xeon_d-2173it_firmware -
intel xeon_d-1528_firmware -
intel xeon_d-1523n_firmware -
intel core_i7-1065g7_firmware -
intel xeon_gold_6348_firmware -
intel core_i5-1130g7_firmware -
intel xeon_d-2183it_firmware -
intel xeon_d-1541_firmware -
intel xeon_platinum_8356h_firmware -
intel core_i7-10510u_firmware -
intel core_i9-11900t_firmware -
intel xeon_d-2777nx_firmware -
intel xeon_d-1533n_firmware -
intel xeon_gold_6312u_firmware -
intel xeon_d-2141i_firmware -
intel core_i7-10610u_firmware -
intel xeon_d-2766nt_firmware -
intel core_i7-11700k_firmware -
intel xeon_d-1736_firmware -
intel xeon_platinum_8354h_firmware -
intel core_i7-10870h_firmware -
intel core_i5-11500t_firmware -
intel xeon_platinum_8380_firmware -
intel core_i5-1035g1_firmware -
intel xeon_d-1623n_firmware -
intel core_i3-10100y_firmware -
intel xeon_platinum_8376h_firmware -
intel xeon_d-1712tr_firmware -
intel core_i7-11800h_firmware -
intel core_i7-11600h_firmware -
intel xeon_platinum_8380hl_firmware -
intel core_i9-11900k_firmware -
intel xeon_platinum_8380h_firmware -
intel xeon_gold_5320t_firmware -
intel xeon_d-1577_firmware -
intel xeon_d-1749nt_firmware -
intel xeon_d-2786nte_firmware -
intel xeon_d-2145nt_firmware -
intel core_i5-11600kf_firmware -
intel xeon_d-1567_firmware -
intel core_i7-11375h_firmware -
intel core_i7-1165g7_firmware -
intel xeon_platinum_8352m_firmware -
intel core_i3-1110g4_firmware -
intel xeon_gold_6330h_firmware -
intel xeon_platinum_8358p_firmware -
intel core_i7-10710u_firmware -
intel xeon_d-2733nt_firmware -
intel xeon_d-2161i_firmware -
intel core_i9-11900f_firmware -
intel xeon_d-2143it_firmware -
intel core_i7-1195g7_firmware -
intel xeon_d-2779_firmware -
intel xeon_platinum_8362_firmware -
intel xeon_gold_6336y_firmware -
intel xeon_silver_4316_firmware -
intel xeon_gold_5318h_firmware -
intel xeon_gold_5318y_firmware -
intel core_i7-11700t_firmware -
intel core_i7-1185g7e_firmware -
intel xeon_d-1540_firmware -
intel xeon_gold_6334_firmware -
intel xeon_d-1602_firmware -
intel core_i7-11700_firmware -
intel xeon_d-1734nt_firmware -
intel xeon_gold_6338t_firmware -
intel xeon_d-1726_firmware -
intel xeon_d-2177nt_firmware -
intel xeon_platinum_8360hl_firmware -
intel core_i9-11900kf_firmware -
intel xeon_platinum_8352y_firmware -
intel xeon_d-1736nt_firmware -
intel xeon_d-1747nte_firmware -
intel xeon_d-2799_firmware -
intel xeon_gold_6342_firmware -
intel core_i7-11850h_firmware -
intel core_i9-10980hk_firmware -
intel core_i9-11950h_firmware -
intel xeon_gold_6330n_firmware -
intel xeon_d-1520_firmware -
intel xeon_d-2163it_firmware -
intel core_i7-10850h_firmware -
intel xeon_platinum_8352v_firmware -
intel xeon_d-2752nte_firmware -
intel xeon_d-2798nt_firmware -
intel xeon_d-2738_firmware -
netapp affa900_firmware -
intel xeon_d-1633n_firmware -
intel xeon_d-1739_firmware -
intel xeon_d-1513n_firmware -
intel xeon_gold_6338_firmware -
intel xeon_gold_6348h_firmware -
intel core_i3-1120g4_firmware -
intel core_i5-1035g4_firmware -
intel xeon_d-1559_firmware -
intel xeon_platinum_8353h_firmware -
intel xeon_platinum_8351n_firmware -
intel core_i5-11500he_firmware -
intel xeon_platinum_8360y_firmware -
intel xeon_d-1732te_firmware -
intel xeon_d-1537_firmware -
intel xeon_d-2798nx_firmware -
intel core_i5-1155g7 -
intel xeon_d-1714_firmware -
intel core_i5-10310y_firmware -
intel core_i5-10500h_firmware -
intel core_i5-1145g7e_firmware -
intel core_i7-1180g7_firmware -
intel xeon_gold_5315y_firmware -
intel xeon_platinum_8368_firmware -
debian debian_linux 12.0
intel core_i9-11980hk_firmware -
intel core_i5-11260h_firmware -
intel xeon_d-2796te_firmware -
intel xeon_gold_5318n_firmware -
intel core_i7-1185g7_firmware -
intel core_i5-11600k_firmware -
intel xeon_d-2757nx_firmware -
intel core_i5-10210u_firmware -
intel core_i7-10750h_firmware -
intel xeon_d-2753nt_firmware -
intel xeon_d-1733nt_firmware -
intel xeon_platinum_8358_firmware -
intel xeon_d-1543n_firmware -
intel core_i5-11600t_firmware -
intel core_i7-11700f_firmware -
intel core_i9-10885h_firmware -
intel xeon_platinum_8360h_firmware -
intel core_i5-1140g7_firmware -
intel core_i5-1035g7_firmware -
intel xeon_d-2187nt_firmware -
intel core_i3-1125g4_firmware -
intel xeon_d-1653n_firmware -
intel xeon_d-1622_firmware -
intel xeon_d-2142it_firmware -
intel xeon_d-1518_firmware -
intel xeon_d-1722ne_firmware -
intel xeon_d-1529_firmware -
intel xeon_d-1627_firmware -
intel xeon_d-1557_firmware -
intel core_i5-10310u_firmware -
intel xeon_d-2775te_firmware -
intel xeon_gold_6328hl_firmware -
intel xeon_d-2796nt_firmware -
intel core_i3-10110y_firmware -
netapp fas2820_firmware -
intel core_i3-1115g4e_firmware -
intel core_i5-11600_firmware -
intel xeon_d-1521_firmware -
intel core_i7-11370h_firmware -
intel xeon_d-2745nx_firmware -
intel core_i5-10300h_firmware -
intel core_i5-1145gre_firmware -
intel core_i7-1160g7_firmware -
intel xeon_gold_5318s_firmware -
intel core_i5-11400f_firmware -
intel xeon_gold_5317_firmware -
intel core_i5-1145g7_firmware -
intel xeon_platinum_8376hl_firmware -
intel core_i9-11900h_firmware -
intel xeon_d-1548_firmware -
intel xeon_gold_5320h_firmware -
intel core_i5-11400_firmware -
intel xeon_d-2752ter_firmware -
intel core_i3-1005g1_firmware -
intel xeon_d-1527_firmware -
intel core_i7-10875h_firmware -
intel xeon_d-1718t_firmware -
intel core_i3-1115gre_firmware -
intel core_i3-11100he_firmware -
intel xeon_d-1553n_firmware -
intel core_i7-11390h_firmware -
intel core_i7-1185gre_firmware -
intel core_i9-11900_firmware -
intel core_i5-10400h_firmware -
intel xeon_silver_4309y_firmware -
intel xeon_gold_6328h_firmware -
intel xeon_gold_5320_firmware -
intel xeon_d-1531_firmware -
intel core_i7-10510y_firmware -
intel core_i5-10200h_firmware -
intel xeon_d-2776nt_firmware -
intel xeon_d-1715ter_firmware -
intel core_i7-11850he_firmware -
intel xeon_d-1748te_firmware -
intel xeon_gold_6330_firmware -
intel xeon_silver_4310t_firmware -
intel core_i5-11300h_firmware -
intel xeon_d-2712t_firmware -
intel xeon_silver_4310_firmware -
intel core_i5-1135g7_firmware -
intel xeon_d-1702_firmware -
intel core_i3-1115g4_firmware -
intel core_i5-11500h_firmware -
intel xeon_d-1713nt_firmware -
intel xeon_d-1735tr_firmware -
intel core_i7-11700kf_firmware -
intel xeon_d-1713nte_firmware -
intel core_i5-11400h_firmware -
intel xeon_gold_6326_firmware -
intel xeon_d-1571_firmware -
intel core_i3-10110u_firmware -
intel xeon_d-1539_firmware -
debian debian_linux 11.0
intel xeon_d-1746ter_firmware -
intel core_i5-11400t_firmware -
intel xeon_gold_6314u_firmware -
intel core_i7-10810u_firmware -
intel core_i5-11500_firmware -
intel core_i5-10210y_firmware -
intel xeon_d-2795nt_firmware -
intel xeon_d-2166nt_firmware -
intel xeon_gold_6354_firmware -
intel xeon_d-1649n_firmware -
intel core_i5-11320h -
intel xeon_d-1731nte_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_d-2123it_firmware -
intel xeon_platinum_8352s_firmware -
intel xeon_d-1637_firmware -
intel xeon_silver_4314_firmware -
netapp fas9500_firmware -
intel xeon_gold_6338n_firmware -
CVE-2023-23914

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap 9.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
CVE-2023-23915

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap 9.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp clustered_data_ontap -
netapp h500s_firmware -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-24329

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 36
fedoraproject fedora 38
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
python python *
netapp management_services_for_netapp_hci -
netapp active_iq_unified_manager -
netapp management_services_for_element_software -
CVE-2023-25136

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

Products Affected

Vendor Product Version
netapp c250_firmware -
fedoraproject fedora 38
netapp 500f_firmware -
openssh openssh 9.1
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
netapp a250_firmware -
CVE-2023-2598

A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-26049

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N 0.9 1.4

Products Affected

Vendor Product Version
netapp e-series_santricity_os_controller *
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
debian debian_linux 12.0
netapp active_iq_unified_manager -
netapp e-series_santricity_web_services -
debian debian_linux 11.0
eclipse jetty 12.0.0
eclipse jetty *
CVE-2023-26545

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2023-26607

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
linux linux_kernel 6.0.8
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-27043

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Products Affected

Vendor Product Version
fedoraproject fedora 38
netapp ontap_select_deploy_administration_utility -
python python *
netapp active_iq_unified_manager -
fedoraproject fedora 39
CVE-2023-27311

NetApp Blue XP Connector versions prior to 3.9.25 expose information via a directory listing. A new Connector architecture resolves this issue - obtaining the fix requires redeploying a fresh Connector.

Products Affected

Vendor Product Version
netapp blue_xp_connector *
CVE-2023-27312

SnapCenter Plugin for VMware vSphere versions 4.6 prior to 4.9 are susceptible to a vulnerability which may allow authenticated unprivileged users to modify email and snapshot name settings within the VMware vSphere user interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
security-alert@netapp.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
netapp snapcenter_plug-in *
CVE-2023-27313

SnapCenter versions 3.x and 4.x prior to 4.9 are susceptible to a vulnerability which may allow an authenticated unprivileged user to gain access as an admin user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H 2.8 5.5
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
netapp snapcenter *
CVE-2023-27314

ONTAP 9 versions prior to 9.8P19, 9.9.1P16, 9.10.1P12, 9.11.1P8, 9.12.1P2 and 9.13.1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to cause a crash of the HTTP service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-alert@netapp.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.10.1
netapp clustered_data_ontap 9.10.0
netapp clustered_data_ontap 9.9.1
netapp clustered_data_ontap 9.13.0
netapp clustered_data_ontap 9.8
netapp clustered_data_ontap 9.12.0
CVE-2023-27315

SnapGathers versions prior to 4.9 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext domain user credentials

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
netapp snapgathers *
CVE-2023-27316

SnapCenter versions 4.8 through 4.9 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security-alert@netapp.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
netapp snapcenter *
CVE-2023-27317

ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a vulnerability which will cause all SAS-attached FIPS 140-2 drives to become unlocked after a system reboot or power cycle or a single SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This could lead to disclosure of sensitive information to an attacker with physical access to the unlocked drives.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 4.3 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 0.7 3.6
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

Products Affected

Vendor Product Version
netapp ontap 9.13.1
netapp ontap 9.12.1
CVE-2023-27318

StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to a crash of the Local Distribution Router (LDR) service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2023-27319

ONTAP Mediator versions prior to 1.7 are susceptible to a vulnerability that can allow an unauthenticated attacker to enumerate URLs via REST API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
netapp ontap_mediator *
CVE-2023-27533

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
netapp clustered_data_ontap 9.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
CVE-2023-27534

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
broadcom brocade_fabric_operating_system_firmware -
netapp h700s_firmware -
CVE-2023-27535

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
netapp ontap_9 -
debian debian_linux 10.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
haxx libcurl *
CVE-2023-27536

An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
netapp h700s_firmware -
netapp ontap 9
haxx libcurl *
CVE-2023-27537

A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
haxx libcurl 7.88.0
netapp clustered_data_ontap 9.0
haxx libcurl 7.88.1
netapp h500s_firmware -
netapp active_iq_unified_manager -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
broadcom brocade_fabric_operating_system_firmware -
netapp h700s_firmware -
CVE-2023-27538

An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
fedoraproject fedora 36
debian debian_linux 10.0
netapp clustered_data_ontap 9.0
netapp h500s_firmware -
netapp active_iq_unified_manager -
broadcom brocade_fabric_operating_system_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
splunk universal_forwarder *
splunk universal_forwarder 9.1.0
haxx libcurl *
CVE-2023-2828

Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
fedoraproject fedora 37
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
fedoraproject fedora 38
debian debian_linux 12.0
isc bind *
CVE-2023-2829

A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
isc bind *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2023-28319

A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
apple macos *
netapp h500s_firmware -
netapp ontap_antivirus_connector -
haxx curl *
netapp h700s_firmware -
CVE-2023-28320

A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
apple macos *
netapp h500s_firmware -
netapp ontap_antivirus_connector -
haxx curl *
netapp h700s_firmware -
CVE-2023-28321

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 38
debian debian_linux 10.0
netapp clustered_data_ontap -
apple macos *
fedoraproject fedora 37
netapp h500s_firmware -
netapp ontap_antivirus_connector -
haxx curl *
netapp h700s_firmware -
CVE-2023-28322

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 38
netapp clustered_data_ontap -
apple macos *
fedoraproject fedora 37
netapp h500s_firmware -
netapp ontap_antivirus_connector -
haxx curl *
netapp h700s_firmware -
CVE-2023-28464

hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel 6.3
linux linux_kernel 6.1.25
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
linux linux_kernel 6.2.12
CVE-2023-28466

do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
debian debian_linux 10.0
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-28486

Sudo before 1.9.13 does not escape control characters in log messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
sudo_project sudo *
netapp active_iq_unified_manager -
CVE-2023-28487

Sudo before 1.9.13 does not escape control characters in sudoreplay output.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
sudo_project sudo *
netapp active_iq_unified_manager -
CVE-2023-28531

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp hci_bootstrap_os -
netapp solidfire_element_os -
openbsd openssh *
netapp brocade_fabric_operating_system -
CVE-2023-28656

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
f5sirt@f5.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
netapp ontap_select_deploy -
f5 nginx_instance_manager *
netapp cloud_backup -
f5 nginx_security_monitoring *
f5 nginx_api_connectivity_manager *
CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Products Affected

Vendor Product Version
netapp 7-mode_transition_tool -
apache tomcat *
debian debian_linux 12.0
apache tomcat 11.0.0
CVE-2023-2898

There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
debian debian_linux 12.0
netapp h500s_firmware -
netapp h410c_firmware -
linux linux_kernel -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-2911

If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
fedoraproject fedora 38
debian debian_linux 12.0
isc bind *
fedoraproject fedora 37
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-29153

Uncontrolled resource consumption for some Intel(R) SPS firmware before version SPS_E5_06.01.04.002.0 may allow a privileged user to potentially enable denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@intel.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp hci_compute_node_bios -
netapp hci_bootstrap_os -
intel server_platform_services *
CVE-2023-29483

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

Products Affected

Vendor Product Version
netapp bootstrap_os -
fedoraproject fedora 38
fedoraproject fedora 40
fedoraproject fedora 39
dnspython dnspython *
eventlet eventlet *
CVE-2023-2953

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
redhat enterprise_linux 9.0
netapp ontap_tools -
apple macos *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp clustered_data_ontap -
openldap openldap 2.4
CVE-2023-29552

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor.

Products Affected

Vendor Product Version
suse linux_enterprise_server 12
netapp smi-s_provider -
suse linux_enterprise_server 15
suse manager_server -
suse linux_enterprise_server 11
service_location_protocol_project service_location_protocol -
vmware esxi *
CVE-2023-2975

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.

Products Affected

Vendor Product Version
openssl openssl *
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_element_software_and_netapp_hci -
CVE-2023-30996

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be vulnerable to information leakage due to unverified sources in messages sent between Windows objects of different origins. IBM X-Force ID: 254290.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.4
ibm cognos_analytics 12.0.1
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 12.0.0
CVE-2023-3107

A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.

Products Affected

Vendor Product Version
freebsd freebsd 13.2
freebsd freebsd 12.4
netapp clustered_data_ontap 9.0
freebsd freebsd 13.1
CVE-2023-31084

An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.

Products Affected

Vendor Product Version
fedoraproject fedora 38
debian debian_linux 10.0
debian debian_linux 12.0
fedoraproject fedora 37
netapp h410c_firmware -
debian debian_linux 11.0
linux linux_kernel 6.2
CVE-2023-31102

Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
7-zip 7-zip *
netapp active_iq_unified_manager -
CVE-2023-3111

A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2023-3141

A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.

Products Affected

Vendor Product Version
netapp hci_baseboard_management_controller h410c
debian debian_linux 10.0
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-3212

A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
redhat enterprise_linux 9.0
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
fedoraproject fedora 38
debian debian_linux 12.0
linux linux_kernel *
linux linux_kernel 6.4
CVE-2023-32233

In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp hci_baseboard_management_controller h410c
redhat enterprise_linux 7.0
redhat enterprise_linux 9.0
netapp hci_baseboard_management_controller h700s
linux linux_kernel *
netapp hci_baseboard_management_controller h300s
netapp hci_baseboard_management_controller h410s
netapp hci_baseboard_management_controller h500s
CVE-2023-32247

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-32248

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-32250

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

Products Affected

Vendor Product Version
netapp h700s -
netapp hci -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp hci_storage_nodes -
CVE-2023-32252

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2023-32254

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp hci_management_node -
CVE-2023-32257

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP and SMB2_LOGOFF commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
CVE-2023-32258

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-32344

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to form action hijacking where it is possible to modify the form action to reference an arbitrary path. IBM X-Force ID: 255898.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.4
ibm cognos_analytics 12.0.1
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 12.0.0
CVE-2023-33250

The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel 6.3
netapp h500s_firmware -
netapp h700s_firmware -
CVE-2023-3338

A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.

Products Affected

Vendor Product Version
debian debian_linux 10.0
linux linux_kernel *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2023-3390

A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-35001

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
fedoraproject fedora 38
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
fedoraproject fedora 37
debian debian_linux 11.0
CVE-2023-35788

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
debian debian_linux 12.0
linux linux_kernel *
canonical ubuntu_linux 22.04
canonical ubuntu_linux 14.04
CVE-2023-35826

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-35828

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

Products Affected

Vendor Product Version
netapp h700s -
netapp h410c -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-35829

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-36054

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Products Affected

Vendor Product Version
netapp hci -
netapp ontap_tools -
mit kerberos_5 1.21
debian debian_linux 10.0
netapp clustered_data_ontap 9.0
netapp active_iq_unified_manager -
mit kerberos_5 *
netapp management_services_for_element_software -
CVE-2023-37920

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 38
netapp solidfire_&_hci_storage_node -
netapp ontap_mediator -
kennethreitz certifi *
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_netapp_hci -
netapp active_iq_unified_manager -
netapp management_services_for_element_software -
CVE-2023-38359

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260744.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.4
ibm cognos_analytics 12.0.1
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 12.0.0
CVE-2023-38403

iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.

Products Affected

Vendor Product Version
apple macos 14.0
fedoraproject fedora 38
debian debian_linux 10.0
netapp clustered_data_ontap 9.0
es iperf3 *
apple macos *
fedoraproject fedora 37
netapp ontap_select_deploy_administration_utility -
CVE-2023-38426

An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
CVE-2023-38427

An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
CVE-2023-38428

An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
CVE-2023-38430

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp hci_management_node -
CVE-2023-38431

An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the relationship between the NetBIOS header's length field and the SMB header sizes, via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds read.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp solidfire_&_hci_management_node -
CVE-2023-38432

An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.

Products Affected

Vendor Product Version
netapp h700s -
netapp h500s -
netapp h410s -
netapp h300s -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire -
CVE-2023-38545

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
microsoft windows_11_21h2 *
microsoft windows_server_2022 *
microsoft windows_11_23h2 *
fedoraproject fedora 37
netapp oncommand_insight -
microsoft windows_10_21h2 *
netapp active_iq_unified_manager -
microsoft windows_10_1809 *
microsoft windows_11_22h2 *
microsoft windows_server_2019 *
microsoft windows_10_22h2 *
haxx libcurl *
CVE-2023-38709

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

Products Affected

Vendor Product Version
fedoraproject fedora 38
debian debian_linux 10.0
broadcom fabric_operating_system -
apache http_server *
netapp ontap_tools 10
apple macos *
fedoraproject fedora 40
fedoraproject fedora 39
netapp ontap 9
CVE-2023-39325

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 38
netapp astra_trident -
netapp astra_trident_autosupport -
fedoraproject fedora 37
golang go *
golang http2 *
fedoraproject fedora 39
CVE-2023-4004

A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h700s -
redhat enterprise_linux 9.0
fedoraproject fedora 38
debian debian_linux 10.0
netapp h500s -
netapp h410s -
netapp h300s -
debian debian_linux 12.0
linux linux_kernel *
debian debian_linux 11.0
CVE-2023-40745

LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora -
redhat enterprise_linux 9.0
libtiff libtiff *
netapp active_iq_unified_manager -
CVE-2023-40791

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H 1.0 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp h500s_firmware -
netapp h700s_firmware -
CVE-2023-41105

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
python python *
netapp active_iq_unified_manager -
CVE-2023-41993

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
apple macos *
fedoraproject fedora 37
netapp oncommand_insight -
netapp active_iq_unified_manager -
debian debian_linux 11.0
oracle graalvm 21.3.9
oracle graalvm 20.3.13
apple iphone_os 17.0
apple iphone_os *
fedoraproject fedora 38
apple ipados 17.0
apple ipados *
oracle jre 1.8.0
debian debian_linux 12.0
netapp cloud_insights_storage_workload_security_agent -
webkitgtk webkitgtk+ *
apple safari *
fedoraproject fedora 39
CVE-2023-4236

A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
fedoraproject fedora 37
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
fedoraproject fedora 38
isc bind 9.18.18
isc bind *
fedoraproject fedora 39
isc bind 9.18.11
CVE-2023-4273

A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.8 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
redhat enterprise_linux 9.0
fedoraproject fedora 38
debian debian_linux 12.0
linux linux_kernel *
fedoraproject fedora 37
netapp h500s_firmware -
netapp h700s_firmware -
debian debian_linux 11.0
linux linux_kernel 6.5
CVE-2023-43051

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267451.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
ibm cognos_analytics 11.1.7
ibm cognos_analytics 11.2.4
ibm cognos_analytics 12.0.1
netapp oncommand_insight -
ibm cognos_analytics *
ibm cognos_analytics 12.0.0
CVE-2023-4408

The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.18.0
isc bind 9.16.36
netapp ontap 9.14.1
isc bind 9.16.43
fedoraproject fedora 38
isc bind 9.16.21
isc bind 9.16.14
isc bind 9.18.18
isc bind 9.9.3
isc bind 9.16.13
isc bind *
isc bind 9.16.8
isc bind 9.16.12
isc bind 9.16.32
netapp ontap 9.15.1
isc bind 9.16.11
fedoraproject fedora 39
isc bind 9.18.11
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift_secondary_scheduler_operator -
f5 big-ip_websafe *
microsoft visual_studio_2022 *
netty netty *
apache apisix *
nodejs node.js *
f5 big-ip_policy_enforcement_manager 17.1.0
cisco crosswork_situation_manager -
redhat openshift_distributed_tracing -
redhat ansible_automation_platform 2.0
redhat enterprise_linux 8.0
cisco telepresence_video_communication_server *
redhat jboss_fuse 6.0.0
netapp oncommand_insight -
redhat cert-manager_operator_for_red_hat_openshift -
redhat single_sign-on 7.0
cisco iot_field_network_director *
facebook proxygen *
redhat migration_toolkit_for_virtualization -
envoyproxy envoy 1.25.9
apache tomcat *
redhat openshift -
apple swiftnio_http/2 *
f5 big-ip_local_traffic_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_global_traffic_manager 17.1.0
cisco nx-os *
redhat openshift_service_mesh 2.0
linkerd linkerd 2.14.1
redhat jboss_core_services -
redhat advanced_cluster_security 4.0
redhat web_terminal -
openresty openresty *
f5 big-ip_carrier-grade_nat 17.1.0
f5 big-ip_ddos_hybrid_defender *
microsoft windows_server_2019 -
redhat jboss_enterprise_application_platform 6.0.0
microsoft windows_10_1809 *
microsoft windows_server_2016 -
redhat advanced_cluster_security 3.0
f5 big-ip_advanced_web_application_firewall *
amazon opensearch_data_prepper *
redhat openshift_container_platform 4.0
redhat enterprise_linux 6.0
dena h2o *
redhat jboss_data_grid 7.0.0
varnish_cache_project varnish_cache *
redhat openshift_api_for_data_protection -
jenkins jenkins *
envoyproxy envoy 1.27.0
redhat support_for_spring_boot -
f5 big-ip_domain_name_system *
redhat openshift_developer_tools_and_services -
cisco firepower_threat_defense *
redhat service_telemetry_framework 1.5
apache traffic_server *
istio istio *
envoyproxy envoy 1.26.4
ietf http 2.0
kazu-yamamoto http2 *
apache solr *
redhat openshift_pipelines -
microsoft windows_11_22h2 *
f5 big-ip_ddos_hybrid_defender 17.1.0
cisco prime_infrastructure *
cisco ultra_cloud_core_-_serving_gateway_function *
grpc grpc 1.57.0
redhat build_of_quarkus -
f5 big-ip_application_acceleration_manager 17.1.0
cisco prime_access_registrar *
caddyserver caddy *
f5 big-ip_webaccelerator 17.1.0
f5 big-ip_application_security_manager 17.1.0
redhat openshift_virtualization 4
cisco unified_attendant_console_advanced -
fedoraproject fedora 37
f5 big-ip_analytics *
microsoft windows_10_1607 *
f5 big-ip_local_traffic_manager 17.1.0
redhat service_interconnect 1.0
projectcontour contour *
redhat openstack_platform 16.1
envoyproxy envoy 1.24.10
f5 big-ip_access_policy_manager *
redhat openshift_container_platform_assisted_installer -
redhat integration_camel_k -
debian debian_linux 10.0
f5 big-ip_advanced_firewall_manager *
redhat migration_toolkit_for_applications 6.0
redhat cryostat 2.0
microsoft windows_10_21h2 *
redhat openstack_platform 17.1
redhat self_node_remediation_operator -
eclipse jetty *
redhat fence_agents_remediation_operator -
redhat openshift_sandboxed_containers -
debian debian_linux 12.0
redhat certification_for_red_hat_enterprise_linux 9.0
cisco secure_web_appliance_firmware *
redhat openshift_dev_spaces -
f5 big-ip_global_traffic_manager *
microsoft azure_kubernetes_service *
f5 nginx_plus r29
cisco ios_xe *
f5 big-ip_application_visibility_and_reporting *
microsoft windows_server_2022 -
redhat network_observability_operator -
traefik traefik 3.0.0
cisco expressway *
konghq kong_gateway *
redhat process_automation 7.0
f5 big-ip_ssl_orchestrator *
microsoft cbl-mariner *
redhat 3scale_api_management_platform 2.0
cisco data_center_network_manager -
linkerd linkerd *
cisco unified_contact_center_enterprise -
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat logging_subsystem_for_red_hat_openshift -
redhat integration_camel_for_spring_boot -
f5 big-ip_next 20.0.1
redhat migration_toolkit_for_containers -
cisco prime_cable_provisioning *
linecorp armeria *
cisco ultra_cloud_core_-_policy_control_function *
f5 big-ip_carrier-grade_nat *
cisco unified_contact_center_management_portal -
linkerd linkerd 2.13.0
cisco secure_malware_analytics *
redhat openshift_serverless -
traefik traefik *
redhat openstack_platform 16.2
redhat jboss_a-mq 7
redhat openshift_data_science -
redhat satellite 6.0
microsoft asp.net_core *
f5 nginx *
redhat node_healthcheck_operator -
redhat quay 3.0.0
linkerd linkerd 2.13.1
netapp astra_control_center -
cisco ultra_cloud_core_-_session_management_function *
redhat cost_management -
redhat jboss_fuse 7.0.0
cisco crosswork_data_gateway *
f5 big-ip_domain_name_system 17.1.0
f5 big-ip_fraud_protection_service 17.1.0
f5 nginx_plus r30
f5 big-ip_websafe 17.1.0
golang http2 *
f5 nginx_ingress_controller *
redhat certification_for_red_hat_enterprise_linux 8.0
cisco crosswork_zero_touch_provisioning *
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 big-ip_advanced_firewall_manager 17.1.0
f5 big-ip_webaccelerator *
microsoft windows_10_22h2 *
akka http_server *
redhat openshift_gitops -
cisco ios_xr *
redhat enterprise_linux 9.0
redhat jboss_enterprise_application_platform 7.0.0
redhat build_of_optaplanner 8.0
redhat integration_service_registry -
f5 big-ip_access_policy_manager 17.1.0
cisco unified_contact_center_domain_manager -
redhat decision_manager 7.0
redhat run_once_duration_override_operator -
f5 big-ip_application_security_manager *
nghttp2 nghttp2 *
redhat node_maintenance_operator -
f5 big-ip_link_controller *
f5 big-ip_analytics 17.1.0
f5 nginx_plus *
grpc grpc *
cisco business_process_automation *
debian debian_linux 11.0
fedoraproject fedora 38
redhat jboss_a-mq_streams -
cisco prime_network_registrar *
f5 big-ip_policy_enforcement_manager *
cisco connected_mobile_experiences *
cisco crosswork_data_gateway 5.0
microsoft windows_11_21h2 *
golang networking *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
microsoft .net *
f5 big-ip_next_service_proxy_for_kubernetes *
cisco unified_contact_center_enterprise_-_live_data_server *
golang go *
redhat ceph_storage 5.0
redhat machine_deletion_remediation_operator -
f5 big-ip_link_controller 17.1.0
f5 big-ip_ssl_orchestrator 17.1.0
linkerd linkerd 2.14.0
cisco enterprise_chat_and_email -
cisco secure_dynamic_attributes_connector *
cisco fog_director *
f5 big-ip_fraud_protection_service *
apache tomcat 11.0.0
redhat advanced_cluster_management_for_kubernetes 2.0
CVE-2023-4527

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H 2.2 4.2
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H 2.2 4.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 9.2
redhat enterprise_linux_for_power_little_endian 9.2_ppc64le
redhat enterprise_linux_for_ibm_z_systems_s390x 9.2
redhat codeready_linux_builder_for_ibm_z_systems_eus 9.2_s390x
fedoraproject fedora 37
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.2_ppc64le
redhat enterprise_linux_eus 9.2
redhat codeready_linux_builder_for_ibm_z_systems 9.0_s390x
netapp h410s_firmware -
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
redhat codeready_linux_builder_eus_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_arm_64_eus 9.2_aarch64
fedoraproject fedora 38
redhat enterprise_linux_for_power_little_endian_eus 9.2_ppc64le
redhat codeready_linux_builder_eus 9.2
redhat enterprise_linux_for_power_little_endian_eus 8.8_ppc64le
redhat enterprise_linux_server_aus 9.2
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux_eus 8.8
gnu glibc *
redhat codeready_linux_builder_for_arm64_eus 9.2_aarch64
redhat enterprise_linux_tus 8.8
redhat enterprise_linux_for_arm_64 9.0_aarch64
redhat codeready_linux_builder_eus_for_power_little_endian_eus 9.2_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 8.8_s390x
fedoraproject fedora 39
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat codeready_linux_builder_for_arm64 9.0_aarch64
CVE-2023-45745

Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@intel.com 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 1.5 5.8

Products Affected

Vendor Product Version
netapp hci_compute_node_bios -
intel tdx_module *
CVE-2023-45862

An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
linux linux_kernel *
netapp active_iq_unified_manager -
netapp h410c_firmware -
CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@apache.org 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp e-series_santricity_unified_manager -
netapp santricity_storage_plugin -
apache activemq *
apache activemq_legacy_openwire_module *
debian debian_linux 11.0
netapp e-series_santricity_web_services_proxy -
CVE-2023-47855

Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@intel.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.8 5.2

Products Affected

Vendor Product Version
netapp hci_compute_node_bios -
intel tdx_module *
CVE-2023-4813

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
netapp h300s_firmware -
redhat enterprise_linux 9.0
redhat enterprise_linux_server_tus 8.8
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 9.2
redhat enterprise_linux_for_power_little_endian 9.2_ppc64le
redhat enterprise_linux_for_ibm_z_systems_s390x 9.2
redhat enterprise_linux_eus 8.8
gnu glibc *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
redhat enterprise_linux_eus 9.2
netapp h410s_firmware -
fedoraproject fedora 38
redhat enterprise_linux_for_power_little_endian_eus 9.2_ppc64le
redhat enterprise_linux_server_aus 9.2
CVE-2023-4863

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
debian debian_linux 10.0
microsoft teams 1.6.00.26474
microsoft teams 1.6.00.26463
mozilla firefox_esr *
bandisoft honeyview *
fedoraproject fedora 37
mozilla thunderbird *
microsoft webp_image_extension *
bentley seequent_leapfrog *
microsoft edge_chromium *
netapp active_iq_unified_manager -
mozilla firefox *
debian debian_linux 11.0
fedoraproject fedora 38
webmproject libwebp *
microsoft edge *
microsoft teams *
debian debian_linux 12.0
google chrome *
microsoft webp_image_extension 1.0.62681.0
fedoraproject fedora 39
CVE-2023-4911

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
secalert@redhat.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 9.6
redhat codeready_linux_builder_for_ibm_z_systems_eus 9.4_s390x
redhat enterprise_linux_server_aus 8.6
redhat codeready_linux_builder_for_arm64_eus 8.6
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
redhat codeready_linux_builder_for_power_little_endian_eus 9.2_ppc64le
redhat enterprise_linux_for_arm_64_eus 9.4_aarch64
netapp h410c_firmware -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.6_ppc64le
netapp h410s_firmware -
redhat codeready_linux_builder_for_ibm_z_systems_eus 9.6_s390x
redhat codeready_linux_builder_eus 8.6
redhat enterprise_linux_for_arm_64_eus 9.2_aarch64
redhat enterprise_linux_update_services_for_sap_solutions 9.6
redhat enterprise_linux_server_tus 8.6
redhat virtualization 4.0
redhat codeready_linux_builder_eus 9.2
redhat codeready_linux_builder_for_ibm_z_systems_eus 8.6
redhat enterprise_linux 8.0
redhat codeready_linux_builder_eus 9.4
redhat enterprise_linux 9.0
gnu glibc -
redhat enterprise_linux_eus 8.6
debian debian_linux 13.0
redhat codeready_linux_builder 9.0
redhat enterprise_linux_update_services_for_sap_solutions 9.2
gnu glibc *
redhat enterprise_linux_eus 9.4
redhat codeready_linux_builder_for_power_little_endian_eus 9.6_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 9.2_s390x
netapp bootstrap_os -
redhat codeready_linux_builder_for_power_little_endian_eus 9.4_ppc64le
redhat enterprise_linux_for_power_big_endian_eus 8.6_ppc64le
redhat enterprise_linux_update_services_for_sap_solutions 9.4
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 8.6
redhat enterprise_linux_for_ibm_z_systems_eus 9.6_s390x
netapp h300s_firmware -
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux_for_arm_64_eus 8.6_aarch64
redhat enterprise_linux_for_power_little_endian_eus 9.6_ppc64le
redhat codeready_linux_builder_for_ibm_z_systems_eus 9.2_s390x
fedoraproject fedora 37
redhat enterprise_linux_for_ibm_z_systems_eus 9.4_s390x
netapp h700s_firmware -
debian debian_linux 11.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.2_ppc64le
redhat enterprise_linux_eus 9.2
redhat codeready_linux_builder_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.4_ppc64le
fedoraproject fedora 38
redhat codeready_linux_builder_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_power_little_endian_eus 9.2_ppc64le
redhat virtualization_host 4.0
canonical ubuntu_linux 22.04
redhat codeready_linux_builder_eus 9.6
redhat enterprise_linux_eus 9.6
redhat enterprise_linux_server_aus 9.2
redhat enterprise_linux_for_power_little_endian_eus 9.4_ppc64le
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
redhat codeready_linux_builder_for_arm64_eus 9.4_aarch64
redhat enterprise_linux_server_aus 9.4
redhat codeready_linux_builder_for_arm64_eus 9.2_aarch64
debian debian_linux 12.0
redhat codeready_linux_builder_for_arm64_eus 9.6_aarch64
redhat enterprise_linux_for_arm_64 9.0_aarch64
redhat enterprise_linux_for_arm_64_eus 9.6_aarch64
redhat codeready_linux_builder_for_power_little_endian_eus 8.6
fedoraproject fedora 39
redhat codeready_linux_builder_for_arm64 9.0_aarch64
canonical ubuntu_linux 23.04
CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Products Affected

Vendor Product Version
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
debian debian_linux 10.0
netapp active_iq_unified_manager -
redhat enterprise_linux 8.2
debian debian_linux 11.0
redhat enterprise_linux 7.0
netapp bootstrap_os -
redhat enterprise_linux 8.4
fedoraproject fedora 38
isc bind *
powerdns recursor *
fedoraproject fedora 39
netapp hci_baseboard_management_controller -
CVE-2023-5178

A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
linux linux_kernel 6.6
CVE-2023-52433

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction New elements in this transaction might expired before such transaction ends. Skip sync GC for such elements otherwise commit path might walk over an already released object. Once transaction is finished, async GC will collect such expired element.

Products Affected

Vendor Product Version
netapp ontap_tools 10
linux linux_kernel *
netapp ontap_tools 9
CVE-2023-5363

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
openssl openssl *
debian debian_linux 12.0
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2023-5517

A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.16.36
netapp active_iq_unified_manager -
isc bind 9.16.43
isc bind 9.16.45
fedoraproject fedora 38
isc bind 9.16.21
isc bind 9.16.14
isc bind 9.18.18
isc bind 9.16.13
isc bind 9.18.21
isc bind *
isc bind 9.16.8
isc bind 9.16.12
isc bind 9.16.32
isc bind 9.16.11
fedoraproject fedora 39
isc bind 9.18.11
CVE-2023-5679

A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.16.36
netapp active_iq_unified_manager -
isc bind 9.16.43
isc bind 9.16.45
fedoraproject fedora 38
isc bind 9.16.21
isc bind 9.16.14
isc bind 9.18.18
isc bind 9.16.13
isc bind 9.18.21
isc bind *
isc bind 9.16.12
isc bind 9.16.32
fedoraproject fedora 39
isc bind 9.18.11
CVE-2023-5680

If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
isc bind 9.11.27
isc bind 9.11.21
isc bind 9.16.36
isc bind 9.11.4
isc bind 9.16.43
isc bind 9.16.14
isc bind 9.16.13
isc bind 9.18.21
isc bind 9.16.32
isc bind 9.18.11
isc bind 9.11.3
isc bind 9.11.35
isc bind 9.11.8
isc bind 9.11.37
netapp active_iq_unified_manager -
isc bind 9.11.5
isc bind 9.11.6
isc bind 9.16.21
isc bind 9.18.18
isc bind 9.11.29
isc bind 9.16.8
isc bind 9.16.12
isc bind 9.11.12
isc bind 9.11.7
isc bind 9.16.11
CVE-2023-6516

To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-officer@isc.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
isc bind 9.16.36
netapp active_iq_unified_manager -
isc bind 9.16.43
isc bind 9.16.45
isc bind 9.16.21
isc bind 9.16.14
isc bind 9.16.13
isc bind *
isc bind 9.16.8
isc bind 9.16.12
isc bind 9.16.32
isc bind 9.16.11
CVE-2024-0565

An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.9 5.9
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.5 5.9

Products Affected

Vendor Product Version
netapp ontap_tools -
linux linux_kernel *
linux linux_kernel 6.7
CVE-2024-0567

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 38
gnu gnutls *
netapp active_iq_unified_manager -
debian debian_linux 11.0
fedoraproject fedora 39
CVE-2024-1086

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve-coordination@google.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
linux linux_kernel 6.8
netapp c250_firmware -
redhat enterprise_linux_workstation 7.0
debian debian_linux 10.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
redhat enterprise_linux_for_power_little_endian 7.0_ppc64le
netapp 500f_firmware -
linux linux_kernel *
redhat enterprise_linux_for_power_big_endian 7.0_ppc64
fedoraproject fedora 39
netapp a250_firmware -
CVE-2024-11053

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 3.4 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp bootstrap_os -
netapp h610s_firmware -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
haxx curl *
netapp h610c_firmware -
netapp h700s_firmware -
netapp ontap 9
CVE-2024-1635

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift_container_platform_for_power 4.9
netapp oncommand_workflow_automation -
redhat openshift_container_platform_for_linuxone 4.9
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.4
redhat fuse 1.0
redhat openshift_container_platform 4.12
redhat openshift_container_platform 4.11
redhat openshift_container_platform_for_linuxone 4.10
redhat integration_camel_for_spring_boot -
redhat single_sign-on 7.6
redhat single_sign-on -
redhat openshift_container_platform_for_power 4.10
CVE-2024-2004

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
haxx curl *
fedoraproject fedora 40
netapp h700s_firmware -
fedoraproject fedora 39
netapp ontap 9
CVE-2024-20918

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
oracle graalvm_for_jdk 21.0.1
debian debian_linux 10.0
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.9
netapp oncommand_insight -
oracle graalvm 20.3.12
oracle graalvm 22.3.4
oracle jdk 17.0.9
oracle jre 11.0.21
oracle jre 17.0.9
oracle jre 21.0.1
oracle graalvm 21.3.8
oracle jdk 11.0.21
oracle jre 1.8.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 21.0.1
CVE-2024-20922

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.0 1.4

Products Affected

Vendor Product Version
oracle graalvm 21.3.8
oracle jre 1.8.0
netapp cloud_insights_acquisition_unit -
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 1.8.0
netapp oncommand_insight -
oracle graalvm 20.3.12
CVE-2024-20926

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
oracle graalvm_for_jdk 21.0.1
debian debian_linux 10.0
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.9
netapp oncommand_insight -
oracle graalvm 20.3.12
oracle graalvm 22.3.4
oracle jdk 17.0.9
oracle jre 11.0.21
oracle jre 17.0.9
oracle jre 21.0.1
oracle graalvm 21.3.8
oracle jdk 11.0.21
oracle jre 1.8.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 21.0.1
CVE-2024-20932

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
oracle graalvm 21.3.8
netapp cloud_insights_acquisition_unit -
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 17.0.9
netapp oncommand_insight -
oracle graalvm 22.3.4
oracle jdk 17.0.9
oracle jre 17.0.9
CVE-2024-20952

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
oracle graalvm_for_jdk 21.0.1
debian debian_linux 10.0
netapp cloud_insights_acquisition_unit -
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.9
netapp oncommand_insight -
oracle openjdk *
oracle graalvm 20.3.12
oracle graalvm 22.3.4
oracle jdk 17.0.9
oracle jre 11.0.21
oracle jre 17.0.9
oracle openjdk 8
oracle jre 21.0.1
oracle graalvm 21.3.8
oracle jdk 11.0.21
oracle jre 1.8.0
netapp cloud_insights_storage_workload_security_agent -
oracle jdk 21.0.1
CVE-2024-20961

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20963

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20965

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20967

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20969

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20971

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20973

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20975

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20977

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20981

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20983

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20985

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
oracle mysql *
CVE-2024-20993

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql_server 8.2.0
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-20994

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

Products Affected

Vendor Product Version
oracle mysql_server 8.3.0
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21000

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
oracle mysql_server 8.3.0
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21002

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.0 1.4

Products Affected

Vendor Product Version
oracle graalvm 20.3.13
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
oracle jre 1.8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp data_infrastructure_insights_storage_workload_security_agent -
netapp active_iq_unified_manager -
oracle graalvm 21.3.9
CVE-2024-21003

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
oracle graalvm 20.3.13
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
oracle jre 1.8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp data_infrastructure_insights_storage_workload_security_agent -
netapp active_iq_unified_manager -
oracle graalvm 21.3.9
CVE-2024-21004

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.0 1.4

Products Affected

Vendor Product Version
oracle graalvm 20.3.13
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
oracle jre 1.8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp data_infrastructure_insights_storage_workload_security_agent -
netapp active_iq_unified_manager -
oracle graalvm 21.3.9
CVE-2024-21005

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
oracle graalvm 20.3.13
netapp data_infrastructure_insights_acquisition_unit *
netapp oncommand_workflow_automation -
oracle jre 1.8.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp data_infrastructure_insights_storage_workload_security_agent -
netapp active_iq_unified_manager -
oracle graalvm 21.3.9
CVE-2024-21008

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21009

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21011

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 17.0.10
oracle jdk 21.0.2
oracle jre 21.0.2
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.10
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle jre 17.0.10
oracle jre 11.0.22
oracle graalvm 21.3.9
oracle graalvm 20.3.13
oracle jre 22.0.1
oracle jre 1.8.0
oracle jdk 11.0.22
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 22
oracle jdk 22.0.1
oracle graalvm_for_jdk 21.0.2
CVE-2024-21012

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 17.0.10
oracle jdk 21.0.2
oracle jre 21.0.2
oracle graalvm_for_jdk 17.0.10
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle jre 17.0.10
oracle jre 11.0.22
oracle graalvm 21.3.9
oracle graalvm 20.3.13
oracle jre 22.0.1
oracle jdk 11.0.22
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 22
oracle jdk 22.0.1
oracle graalvm_for_jdk 21.0.2
CVE-2024-21013

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21015

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 1.2 4.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle mysql_server *
netapp oncommand_insight -
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2024-21047

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21049

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
CVE-2024-21050

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
CVE-2024-21051

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
CVE-2024-21055

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp bluexp -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21056

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
CVE-2024-21061

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21062

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21068

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 17.0.10
oracle jdk 21.0.2
oracle jre 21.0.2
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.10
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle jre 17.0.10
oracle jre 11.0.22
oracle graalvm 21.3.9
oracle jre 22
oracle jre 1.8.0
oracle jdk 11.0.22
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 22
oracle jdk 22.0.1
oracle graalvm_for_jdk 21.0.2
CVE-2024-21069

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21085

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 1.8.0
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle jre 11.0.22
oracle graalvm 21.3.9
oracle graalvm 20.3.13
oracle jre 1.8.0
oracle jdk 11.0.22
netapp data_infrastructure_insights_storage_workload_security_agent -
CVE-2024-21087

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21094

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
netapp data_infrastructure_insights_acquisition_unit -
netapp oncommand_workflow_automation -
debian debian_linux 10.0
oracle jdk 17.0.10
oracle jdk 21.0.2
oracle jre 21.0.2
oracle jdk 1.8.0
oracle graalvm_for_jdk 17.0.10
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle jre 17.0.10
oracle jre 11.0.22
oracle graalvm 21.3.9
oracle graalvm 20.3.13
oracle jre 22.0.1
oracle jre 1.8.0
oracle jdk 11.0.22
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 22
oracle jdk 22.0.1
oracle graalvm_for_jdk 21.0.2
CVE-2024-21096

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 1.4 3.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
fedoraproject fedora 40
oracle mysql *
netapp snapcenter -
debian debian_linux 11.0
fedoraproject fedora 39
CVE-2024-21101

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.33 and prior, 7.6.29 and prior, 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data. CVSS 3.1 Base Score 2.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N 0.7 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21102

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp oncommand_insight -
netapp active_iq_unified_manager -
oracle mysql *
netapp snapcenter -
CVE-2024-21131

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jdk 1.8.0
oracle graalvm 21.3.10
oracle jre 21.0.3
oracle jdk 17.0.11
oracle jdk 21.0.3
netapp oncommand_insight -
oracle graalvm 20.3.14
netapp active_iq_unified_manager -
oracle jre 17.0.11
oracle jdk 11.0.23
oracle jre 22.0.1
oracle graalvm_for_jdk 21.0.3
oracle jre 1.8.0
oracle graalvm_for_jdk 17.0.11
netapp bluexp -
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle jre 11.0.23
oracle jdk 22.0.1
oracle graalvm_for_jdk 22.0.1
CVE-2024-21138

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jdk 1.8.0
oracle graalvm 21.3.10
oracle jre 21.0.3
oracle jdk 17.0.11
oracle jdk 21.0.3
netapp oncommand_insight -
oracle graalvm 20.3.14
netapp active_iq_unified_manager -
oracle jre 17.0.11
oracle jdk 11.0.23
oracle jre 22.0.1
oracle graalvm_for_jdk 21.0.3
oracle jre 1.8.0
oracle graalvm_for_jdk 17.0.11
netapp bluexp -
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle jre 11.0.23
oracle jdk 22.0.1
oracle graalvm_for_jdk 22.0.1
CVE-2024-21140

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jdk 1.8.0
oracle graalvm 21.3.10
oracle jre 21.0.3
oracle jdk 17.0.11
oracle jdk 21.0.3
netapp oncommand_insight -
oracle graalvm 20.3.14
netapp active_iq_unified_manager -
oracle jre 17.0.11
netapp bootstrap_os -
oracle jdk 11.0.23
oracle jre 22.0.1
oracle graalvm_for_jdk 21.0.3
oracle jre 1.8.0
oracle graalvm_for_jdk 17.0.11
netapp bluexp -
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle jre 11.0.23
oracle jdk 22.0.1
oracle graalvm_for_jdk 22.0.1
CVE-2024-21144

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

Products Affected

Vendor Product Version
oracle java_jre 11.0.23
netapp oncommand_workflow_automation -
oracle java_jre 1.8.0
oracle jdk 11.0.23
oracle java_jdk 1.8.0
oracle jre 1.8.0
oracle jdk 1.8.0
oracle graalvm 21.3.10
oracle graalvm 20.3.14
oracle jre 11.0.23
oracle java_jdk 11.0.23
CVE-2024-21145

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
oracle java_jre 11.0.23
oracle graalvm 22.0.1
netapp oncommand_workflow_automation -
oracle java_jdk 21.0.3
oracle java_jdk 1.8.0
oracle java_jdk 17.0.11
oracle graalvm 21.3.10
netapp oncommand_insight -
oracle graalvm 20.3.14
oracle java_jdk 22.0.1
oracle java_jre 1.8.0
oracle java_jre 22.0.1
oracle graalvm_for_jdk 21.0.3
netapp cloud_insights_storage_workload_security_agent -
oracle graalvm_for_jdk 17.0.11
oracle java_jre 21.0.3
oracle java_jre 17.0.11
netapp bluexp -
oracle graalvm_for_jdk 22.0.1
oracle java_jdk 11.0.23
CVE-2024-21147

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jdk 1.8.0
oracle graalvm 21.3.10
oracle jre 21.0.3
oracle jdk 17.0.11
oracle jdk 21.0.3
netapp oncommand_insight -
oracle graalvm 20.3.14
netapp active_iq_unified_manager -
oracle jre 17.0.11
netapp bootstrap_os -
oracle jdk 11.0.23
oracle jre 22.0.1
oracle graalvm_for_jdk 21.0.3
oracle jre 1.8.0
oracle graalvm_for_jdk 17.0.11
netapp bluexp -
netapp data_infrastructure_insights_storage_workload_security_agent -
oracle jre 11.0.23
oracle jdk 22.0.1
oracle graalvm_for_jdk 22.0.1
CVE-2024-21211

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
oracle graalvm_for_jdk 17.0.12
oracle graalvm_for_jdk 23
oracle graalvm 20.3.15
oracle jdk 23
oracle graalvm_for_jdk 21.0.4
oracle jre 23
oracle graalvm 21.3.11
CVE-2024-21982

ONTAP versions 9.4 and higher are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information to unprivileged attackers when the object-store profiler command is being run by an administrative user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
security-alert@netapp.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.11.1
netapp clustered_data_ontap 9.10.1
netapp clustered_data_ontap 9.13.1
netapp clustered_data_ontap 9.9.1
netapp clustered_data_ontap 9.12.1
netapp clustered_data_ontap 9.8
CVE-2024-21983

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to an out of memory condition or node reboot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2024-21984

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 are susceptible to a difficult to exploit Reflected Cross-Site Scripting (XSS) vulnerability. Successful exploit requires the attacker to know specific information about the target instance and trick a privileged user into clicking a specially crafted link. This could allow the attacker to view or modify configuration settings or add or modify user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N 1.6 4.2

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2024-21985

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.8 4.7
security-alert@netapp.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
netapp clustered_data_ontap *
netapp clustered_data_ontap 9.11.1
netapp clustered_data_ontap 9.10.1
netapp clustered_data_ontap 9.13.1
netapp clustered_data_ontap 9.9.1
netapp clustered_data_ontap 9.12.1
CVE-2024-21987

SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
netapp snapcenter *
CVE-2024-21988

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH cryptographic implementation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2024-21989

ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x are susceptible to a vulnerability which when successfully exploited could allow a read-only user to escalate their privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility *
CVE-2024-21990

ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility *
CVE-2024-21993

SnapCenter versions prior to 5.0p1 are susceptible to a vulnerability which could allow an authenticated attacker to discover plaintext credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6

Products Affected

Vendor Product Version
netapp snapcenter 5.0
netapp snapcenter *
CVE-2024-21994

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to a service crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2024-22019

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Products Affected

Vendor Product Version
nodejs node.js *
netapp astra_control_center -
CVE-2024-22201

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
netapp bluexp -
netapp active_iq_unified_manager -
eclipse jetty *
CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@vmware.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
vmware spring_framework *
netapp active_iq_unified_manager -
CVE-2024-2312

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
netapp bootstrap_os -
gnu grub2 *
CVE-2024-2379

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h610s_firmware -
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp bootstrap_os -
haxx curl 8.6.0
netapp h610c_firmware -
CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h610s_firmware -
apple macos *
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
fedoraproject fedora 40
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp bootstrap_os -
netapp brocade_fabric_operating_system -
netapp h610c_firmware -
fedoraproject fedora 39
CVE-2024-2466

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
apple macos *
netapp h500s_firmware -
haxx curl *
netapp h700s_firmware -
CVE-2024-24795

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Products Affected

Vendor Product Version
fedoraproject fedora 38
debian debian_linux 10.0
broadcom fabric_operating_system -
apache http_server *
netapp ontap_tools 10
apple macos *
fedoraproject fedora 40
fedoraproject fedora 39
netapp ontap 9
CVE-2024-25047

IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application logging by not sanitizing user provided data. This could lead to further attacks against the system. IBM X-Force ID: 282956.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@us.ibm.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N 3.9 4.0

Products Affected

Vendor Product Version
ibm cognos_analytics 11.2.4
netapp oncommand_insight -
ibm cognos_analytics *
CVE-2024-25111

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 38
netapp bluexp -
fedoraproject fedora 39
squid-cache squid *
CVE-2024-25617

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
netapp bluexp -
squid-cache squid *
CVE-2024-26306

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

Products Affected

Vendor Product Version
netapp bootstrap_os -
es iperf3 *
CVE-2024-26458

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Products Affected

Vendor Product Version
netapp h615c_firmware -
netapp ontap_9 -
netapp h610s_firmware -
mit kerberos_5 1.21.2
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_element_software_and_netapp_hci -
netapp active_iq_unified_manager -
netapp cloud_volumes_ontap_mediator -
netapp h610c_firmware -
CVE-2024-26461

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Products Affected

Vendor Product Version
netapp h615c_firmware -
netapp ontap_9 -
netapp h610s_firmware -
mit kerberos_5 1.21.2
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_element_software_and_netapp_hci -
netapp active_iq_unified_manager -
netapp cloud_volumes_ontap_mediator -
netapp h610c_firmware -
CVE-2024-26462

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Products Affected

Vendor Product Version
netapp h615c_firmware -
netapp h610s_firmware -
mit kerberos_5 1.21.2
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_element_software_and_netapp_hci -
netapp active_iq_unified_manager -
netapp cloud_volumes_ontap_mediator -
netapp h610c_firmware -
CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Products Affected

Vendor Product Version
fedoraproject fedora 38
apache http_server *
fedoraproject fedora 40
fedoraproject fedora 39
netapp ontap 9
CVE-2024-28752

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
apache cxf *
netapp ontap_tools 10
CVE-2024-28757

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp oncommand_workflow_automation -
netapp h610s_firmware -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp windows_host_utilities -
libexpat_project libexpat *
fedoraproject fedora 40
netapp h700s_firmware -
netapp h410s_firmware -
fedoraproject fedora 38
netapp ontap_tools 10
netapp h610c_firmware -
fedoraproject fedora 39
netapp ontap 9
CVE-2024-29131

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Products Affected

Vendor Product Version
netapp ontap_tools 10
apache commons_configuration *
fedoraproject fedora 40
netapp snapcenter -
fedoraproject fedora 39
CVE-2024-32487

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

Products Affected

Vendor Product Version
netapp bootstrap_os -
debian debian_linux 10.0
netapp solidfire -
greenwoodsoftware less *
netapp hci_storage_nodes -
CVE-2024-33599

nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
debian debian_linux 10.0
netapp hci_bootstrap_os -
gnu glibc *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2024-33600

nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Products Affected

Vendor Product Version
netapp h300s_firmware -
debian debian_linux 10.0
netapp h610s_firmware -
gnu glibc *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp hci_bootstrap_os -
netapp h610c_firmware -
CVE-2024-33601

nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
debian debian_linux 10.0
netapp hci_bootstrap_os -
netapp h610s_firmware -
gnu glibc *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h610c_firmware -
netapp h700s_firmware -
CVE-2024-33602

nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp element_software -
debian debian_linux 10.0
netapp hci_bootstrap_os -
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
gnu glibc *
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2024-34397

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Products Affected

Vendor Product Version
gnome glib *
debian debian_linux 10.0
netapp ontap_tools 10
fedoraproject fedora 40
fedoraproject fedora 39
CVE-2024-3447

A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 9.0.0
netapp hci_compute_node -
CVE-2024-34750

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Products Affected

Vendor Product Version
apache tomcat *
apache tomcat 11.0.0
netapp ontap_tools 9
CVE-2024-36387

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

Products Affected

Vendor Product Version
apache http_server *
netapp ontap 9
CVE-2024-36958

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix nfsd4_encode_fattr4() crasher Ensure that args.acl is initialized early. It is used in an unconditional call to kfree() on the way out of nfsd4_encode_fattr4().

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
linux linux_kernel *
netapp solidfire_&_hci_storage_node -
linux linux_kernel 6.9
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp h410c_firmware -
netapp hci_compute_node -
netapp h700s_firmware -
netapp converged_systems_advisor_agent -
CVE-2024-37891

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.7 3.6

Products Affected

Vendor Product Version
python urllib3 *
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@apache.org 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
apache tomcat 10.1.0
apache tomcat *
netapp ontap_tools 10
apache tomcat 11.0.0
netapp ontap_tools 9
CVE-2024-38472

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

Products Affected

Vendor Product Version
apache http_server *
netapp ontap 9
CVE-2024-38473

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Products Affected

Vendor Product Version
apache http_server *
netapp ontap 9
CVE-2024-38474

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.0
apache http_server *
CVE-2024-38475

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Products Affected

Vendor Product Version
sonicwall sma_200_firmware *
netapp ontap_9 -
sonicwall sma_400_firmware *
apache http_server *
sonicwall sma_500v_firmware *
sonicwall sma_410_firmware *
sonicwall sma_210_firmware *
CVE-2024-38476

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.0
apache http_server *
CVE-2024-38477

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Products Affected

Vendor Product Version
netapp clustered_data_ontap 9.0
apache http_server *
CVE-2024-38808

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@vmware.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
vmware spring_framework *
netapp oncommand_insight -
netapp active_iq_unified_manager -
CVE-2024-39573

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Products Affected

Vendor Product Version
apache http_server *
netapp ontap 9
CVE-2024-39689

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
certifi certifi *
netapp ontap_tools 10
netapp ontap_select_deploy_administration_utility -
netapp management_services_for_element_software_and_netapp_hci -
CVE-2024-39884

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Products Affected

Vendor Product Version
apache http_server 2.4.60
netapp ontap_tools 10
CVE-2024-39908

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
ruby-lang rexml *
CVE-2024-40896

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
xmlsoft libxml2 *
netapp h500s_firmware -
netapp h410c_firmware -
netapp hci_compute_node -
netapp h700s_firmware -
CVE-2024-43374

The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.0 3.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2024-43398

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
netapp bootstrap_os -
ruby-lang rexml *
CVE-2024-43790

Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.0 3.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2024-47554

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Products Affected

Vendor Product Version
netapp e-series_santricity_unified_manager -
netapp santricity_storage_plugin -
netapp ontap_tools 10
netapp bluexp -
netapp ontap_tools 9
apache commons_io *
netapp active_iq_unified_manager -
netapp snapcenter -
netapp e-series_santricity_web_services_proxy -
CVE-2024-47561

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4  or 1.12.0, which fix this issue.

Products Affected

Vendor Product Version
apache avro *
netapp brocade_san_navigator -
netapp active_iq_unified_manager -
CVE-2024-47814

Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 1.3 2.5

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Products Affected

Vendor Product Version
ruby-lang rexml *
netapp ontap_tools 10
CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp bootstrap_os -
apache tomcat *
CVE-2024-50602

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp solidfire_&_hci_management_node -
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp windows_host_utilities -
libexpat_project libexpat *
netapp h700s_firmware -
debian debian_linux 11.0
netapp h410s_firmware -
netapp solidfire_&_hci_storage_node -
netapp hci_compute_node -
CVE-2024-52533

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
gnome glib *
netapp ontap_tools 10
netapp active_iq_unified_manager -
debian debian_linux 11.0
CVE-2024-53580

iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
es iperf3 3.17.1
netapp ontap_9 -
netapp hci_compute_node -
CVE-2024-54085

AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp sg110_firmware -
ami megarac_sp-x *
netapp sg6160_firmware -
netapp sgf6112_firmware -
netapp sg1100_firmware -
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2024-54677

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
apache tomcat *
CVE-2024-56171

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N 1.4 5.8

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp manageability_software_development_kit -
netapp solidfire_&_hci_management_node -
xmlsoft libxml2 *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp hci_compute_node -
netapp h700s_firmware -
netapp ontap 9
CVE-2024-56337

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp bootstrap_os -
apache tomcat *
CVE-2024-6119

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp c250_firmware -
openssl openssl *
netapp h610s_firmware -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp management_services_for_element_software_and_netapp_hci -
netapp ontap_tools 9
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
netapp ontap_9 -
netapp h615c -
netapp 500f_firmware -
netapp brocade_fabric_operating_system -
netapp h610c_firmware -
netapp a250_firmware -
CVE-2024-6387

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
apple macos *
netapp ontap_select_deploy_administration_utility -
redhat enterprise_linux_for_arm_64_eus 9.4_aarch64
amazon amazon_linux 2023.0
openbsd openssh 4.4
canonical ubuntu_linux 23.10
netapp a1k_firmware -
suse linux_enterprise_micro 6.0
canonical ubuntu_linux 22.10
openbsd openssh 8.6
redhat enterprise_linux 9.0
openbsd openssh 8.5
amazon linux_2023 -
arista eos *
netapp a220_firmware -
redhat enterprise_linux_eus 9.4
sonicwall sma_8200v_firmware -
freebsd freebsd 14.1
netapp bootstrap_os -
netapp fas2750_firmware -
netapp fas2820_firmware -
netapp a150_firmware -
netapp ontap_tools 10
netapp c400_firmware -
netapp ontap 9
netapp a250_firmware -
netapp e-series_santricity_os_controller *
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
netapp c250_firmware -
netapp a800_firmware -
netapp c190_firmware -
sonicwall sma_6210_firmware -
sonicwall sra_ex_7000_firmware -
netapp c800_firmware -
netapp a900_firmware -
sonicwall sma_7210_firmware -
redhat enterprise_linux_for_ibm_z_systems_eus 9.4_s390x
netapp a9500_firmware -
canonical ubuntu_linux 22.04
almalinux almalinux 9.0
openbsd openssh *
redhat enterprise_linux_for_power_little_endian_eus 9.4_ppc64le
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
canonical ubuntu_linux 24.04
redhat enterprise_linux_server_aus 9.4
freebsd freebsd 13.2
netbsd netbsd *
netapp a70_firmware -
netapp a90_firmware -
netapp 8700_firmware -
freebsd freebsd 14.0
sonicwall sma_7200_firmware -
netapp ontap_tools 9
netapp active_iq_unified_manager -
netapp a700s_firmware -
freebsd freebsd 13.3
sonicwall sma_6200_firmware -
netapp a400_firmware -
netapp 500f_firmware -
debian debian_linux 12.0
netapp fas2720_firmware -
redhat enterprise_linux_for_arm_64 9.0_aarch64
netapp 8300_firmware -
redhat openshift_container_platform 4.0
canonical ubuntu_linux 23.04
CVE-2024-7254

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Products Affected

Vendor Product Version
google protobuf-javalite *
google protobuf-kotlin-lite *
google protobuf-java *
netapp ontap_tools 10
google protobuf-kotlin *
netapp bluexp -
netapp active_iq_unified_manager -
google protobuf *
CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
netapp ontap_tools 10
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp active_iq_unified_manager -
haxx curl *
netapp h700s_firmware -
debian debian_linux 11.0
CVE-2024-8372

Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

CVSS 3.x

Source Score Severity Vector Exploitability Impact
36c7be3b-2937-45df-85ea-ca7133ea542c 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 2.2 2.5

Products Affected

Vendor Product Version
angularjs angularjs 1.3.0
angularjs angularjs *
angularjs angular.js 1.3.0
netapp active_iq_unified_manager -
angularjs angular.js *
CVE-2024-8373

Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

CVSS 3.x

Source Score Severity Vector Exploitability Impact
36c7be3b-2937-45df-85ea-ca7133ea542c 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 2.2 2.5

Products Affected

Vendor Product Version
angularjs angularjs *
netapp active_iq_unified_manager -
angularjs angular.js *
CVE-2024-8932

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp ontap 9
php php *
CVE-2024-9823

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
emo@eclipse.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
netapp active_iq_unified_manager -
eclipse jetty *
CVE-2025-0167

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 3.4 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp element_software -
netapp h610s_firmware -
netapp solidfire_&_hci_management_node -
netapp ontap_select_deploy_administration_utility -
netapp h500s_firmware -
netapp ontap_tools 9
netapp h410c_firmware -
haxx curl *
netapp h700s_firmware -
netapp h410s_firmware -
netapp h615c_firmware -
netapp bootstrap_os -
netapp solidfire_&_hci_storage_node -
netapp h610c_firmware -
netapp ontap 9
CVE-2025-0411

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
7-zip 7-zip *
netapp active_iq_unified_manager -
CVE-2025-0509

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.3 HIGH CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 0.7 6.0

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
netapp hci_compute_node -
sparkle-project sparkle *
CVE-2025-0665

libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp bootstrap_os -
haxx curl 8.11.1
netapp h500s_firmware -
netapp h410c_firmware -
netapp h700s_firmware -
CVE-2025-0725

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

Products Affected

Vendor Product Version
netapp hci_h610s_firmware -
netapp hci_h610c_firmware -
netapp solidfire_&_hci_storage_node -
netapp solidfire_&_hci_management_node -
haxx curl *
netapp hci_baseboard_management_controller -
haxx libcurl *
netapp hci_h615c_firmware -
CVE-2025-1178 MEDIUM

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
gnu binutils 2.43
CVE-2025-1181 MEDIUM

A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.6 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp ontap_select_deploy_administration_utility -
netapp active_iq_unified_manager -
gnu binutils 2.43
CVE-2025-1215 LOW

A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 2.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L 1.3 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2025-1734

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
netapp ontap 9
php php *
CVE-2025-1736

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

Products Affected

Vendor Product Version
netapp ontap 9
php php *
CVE-2025-1861

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
netapp ontap 9
php php *
CVE-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
netapp oncommand_workflow_automation -
oracle jdk 21.0.5
oracle jdk 23.0.1
oracle jdk 1.8.0
oracle graalvm_for_jdk 23.0.1
oracle graalvm 21.3.12
netapp oncommand_insight -
oracle jre 23.0.1
netapp active_iq_unified_manager -
oracle jre 11.0.25
debian debian_linux 11.0
oracle graalvm 20.3.16
oracle graalvm_for_jdk 21.0.5
netapp bootstrap_os -
oracle jdk 11.0.25
oracle jre 1.8.0
oracle jdk 17.0.13
oracle graalvm_for_jdk 17.0.13
oracle jre 21.0.5
netapp brocade_san_navigator -
oracle jre 17.0.13
netapp data_infrastructure_insights_storage_workload_security_agent -
CVE-2025-21583

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.4.0 and 9.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
oracle mysql_server 8.4.0
oracle mysql_server 9.0.0
netapp snapcenter -
CVE-2025-22134

When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6
security-advisories@github.com 4.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L 0.8 3.4

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2025-24014

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L 0.8 3.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H 0.8 4.7

Products Affected

Vendor Product Version
vim vim *
netapp hci_compute_node_firmware -
CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
apache tomcat 10.1.0
netapp bootstrap_os -
apache tomcat *
apache tomcat 9.0.0
apache tomcat 11.0.0
debian debian_linux 11.0
CVE-2025-24928

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N 1.4 5.8

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp manageability_software_development_kit -
netapp solidfire_&_hci_management_node -
xmlsoft libxml2 *
netapp h500s_firmware -
netapp active_iq_unified_manager -
netapp h410c_firmware -
netapp hci_compute_node -
netapp h700s_firmware -
netapp ontap 9
CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
netapp oncommand_insight -
netapp active_iq_unified_manager -
netty netty *
CVE-2025-25291

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
omniauth omniauth_saml *
onelogin ruby-saml *
netapp storagegrid -
CVE-2025-25292

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
omniauth omniauth_saml *
onelogin ruby-saml *
netapp storagegrid -
CVE-2025-26465

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2
secalert@redhat.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

Products Affected

Vendor Product Version
redhat enterprise_linux 9.0
openbsd openssh 6.8
debian debian_linux 12.0
openbsd openssh *
netapp active_iq_unified_manager -
openbsd openssh 9.9
redhat openshift_container_platform 4.0
debian debian_linux 11.0
netapp ontap 9
CVE-2025-26512

SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
netapp snapcenter 6.0.1
netapp snapcenter *
netapp snapcenter 6.1
CVE-2025-26513

The installer for SAN Host Utilities for Windows versions prior to 8.0 is susceptible to a vulnerability which when successfully exploited could allow a local user to escalate their privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
netapp san_host_utilities *
CVE-2025-26514

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Reflected Cross-Site Scripting vulnerability. Successful exploit could allow an attacker to view or modify configuration settings or add or modify user accounts but requires the attacker to know specific information about the target instance and then trick a privileged user into clicking a specially crafted link.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L 1.6 4.7

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2025-26515

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2025-26516

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Denial of Service vulnerability. Successful exploit could allow an unauthenticated attacker to cause a Denial of Service on the Admin node.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2025-26517

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a privilege escalation vulnerability. Successful exploit could allow an unauthorized authenticated attacker to discover Grid node names and IP addresses or modify Storage Grades.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-alert@netapp.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
netapp storagegrid *
CVE-2025-26603

Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L 0.8 3.4

Products Affected

Vendor Product Version
vim vim *
netapp hci_compute_node -
CVE-2025-27423

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
vim vim *
netapp hci_compute_node -
CVE-2025-27820

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
netapp ontap_tools 10
apache httpclient *
CVE-2025-29768

Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 1.8 2.5

Products Affected

Vendor Product Version
netapp bootstrap_os -
vim vim *
CVE-2025-30691

Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
oracle jdk 24
netapp bootstrap_os -
oracle jre 21.0.6
oracle graalvm_for_jdk 24
oracle jre 24
oracle graalvm_for_jdk 21.0.6
oracle jdk 21.0.6
CVE-2025-30722

Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.6 5.2
secalert_us@oracle.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
oracle mysql_cluster *
oracle mysql_client *
netapp active_iq_unified_manager -
netapp snapcenter -
CVE-2025-31672

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
apache poi *
netapp active_iq_unified_manager -
CVE-2026-22050

ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.

Products Affected

Vendor Product Version
netapp ontap 9.16.1
netapp ontap 9.17.1
CVE-2026-22052

ONTAP versions 9.12.1 and higher with S3 NAS buckets are susceptible to an information disclosure vulnerability. Successful exploit could allow an authenticated attacker to view a listing of the contents in a directory for which they lack permission.

Products Affected

Vendor Product Version
netapp ontap 9
netapp ontap *