MidnightBSD

Advisories for snowsoftware

CVE-2021-27579 MEDIUM

Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on processor types and versions that may be deployed and in use across an IT environment. A privilege-escalation vulnerability exists if CPUID is enabled, and thus it should be disabled via configuration settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
snowsoftware snow_inventory_agent *
CVE-2021-4106 HIGH

A vulnerability in Snow Inventory Java Scanner allows an attacker to run malicious code at a higher level of privileges. This issue affects: SNOW Snow Inventory Java Scanner 1.0

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@snowsoftware.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-691,NVD-CWE-Other,

Products Affected

Vendor Product Version
snowsoftware snow_inventory_java_scanner 1.0
CVE-2021-41562 LOW

A vulnerability in Snow Snow Agent for Windows allows a non-admin user to cause arbitrary deletion of files. This issue affects: Snow Snow Agent for Windows version 5.0.0 to 6.7.1 on Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2
security@snowsoftware.com 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-64,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
snowsoftware snow_inventory_agent *
CVE-2021-44228 HIGH

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-400,CWE-502,CWE-917,

Products Affected

Vendor Product Version
cisco unified_sip_proxy 010.002(000)
cisco firepower_threat_defense 6.3.0
cisco contact_center_management_portal *
cisco network_services_orchestrator *
cisco unified_communications_manager 11.5(1.22900.28)
cisco prime_service_catalog *
cisco network_dashboard_fabric_controller 11.5(1)
cisco connected_analytics_for_network_deployment 007.002.000
cisco connected_analytics_for_network_deployment 007.003.003
cisco optical_network_controller *
netapp solidfire_enterprise_sds -
siemens captial 2019.1
cisco iot_operations_dashboard -
cisco identity_services_engine 003.002(000.116)
cisco unified_communications_manager 11.5(1.17900.52)
cisco crosswork_optimization_engine *
cisco unified_communications_manager_im_and_presence_service *
cisco network_assurance_engine 6.0(2.1912)
cisco packaged_contact_center_enterprise *
cisco enterprise_chat_and_email 12.6(1)
siemens 6bk1602-0aa22-0tp0_firmware *
cisco dna_center 2.2.2.8
cisco identity_services_engine 002.007(000.356)
cisco identity_services_engine 003.001(000.518)
netapp brocade_san_navigator -
siemens energyip_prepay 3.7
cisco crosswork_data_gateway *
cisco crosswork_platform_infrastructure *
cisco data_center_network_manager *
siemens e-car_operation_center *
cisco paging_server 8.5(1)
siemens opcenter_intelligence *
cisco cloud_connect *
siemens teamcenter *
cisco crosswork_zero_touch_provisioning 3.0.0
netapp active_iq_unified_manager -
cisco crosswork_platform_infrastructure 4.1.0
cisco identity_services_engine 003.000(000.458)
netapp oncommand_insight -
siemens energyip 8.6
cisco unified_contact_center_enterprise *
siemens sppa-t3000_ses3000_firmware *
cisco cyber_vision 4.0.2
cisco ucs_central_software 2.0(1g)
cisco firepower_threat_defense 6.4.0
cisco customer_experience_cloud_agent *
siemens siveillance_identity 1.5
siemens sentron_powermanager 4.2
fedoraproject fedora 34
cisco connected_analytics_for_network_deployment 7.3
cisco cyber_vision_sensor_management_extension 4.0.2
cisco data_center_network_manager 11.3(1)
cisco firepower_threat_defense 7.0.0
siemens desigo_cc_advanced_reports 5.1
cisco dna_spaces:_connector *
cisco crosswork_network_automation 3.0.0
cisco fxos 7.1.0
cisco smart_phy 3.1.4
cisco evolved_programmable_network_manager 4.0
cisco video_surveillance_operations_manager *
cisco unity_connection 11.5
intel data_center_manager *
intel system_debugger -
netapp cloud_secure_agent -
cisco advanced_malware_protection_virtual_private_cloud_appliance *
cisco contact_center_domain_manager *
cisco finesse *
cisco unified_sip_proxy 010.000(001)
cisco broadworks -
cisco unified_computing_system 006.008(001.000)
cisco connected_analytics_for_network_deployment 007.003.001.001
cisco automated_subsea_tuning *
cisco unified_customer_voice_portal 11.6
intel datacenter_manager *
cisco unified_communications_manager 11.5(1.18119.2)
siemens siguard_dsa 4.3
cisco unity_connection *
siemens desigo_cc_advanced_reports 4.1
cisco connected_analytics_for_network_deployment 008.000.000
cisco business_process_automation *
cisco unified_customer_voice_portal 12.0
cisco common_services_platform_collector 002.009(000.001)
cisco crosswork_network_automation 4.1.1
cisco video_surveillance_manager 7.14(3.025)
siemens spectrum_power_7 *
cisco paging_server 9.0(1)
siemens energy_engage 3.1
cisco unified_communications_manager *
siemens desigo_cc_advanced_reports 5.0
cisco intersight_virtual_appliance *
siemens energyip_prepay *
cisco webex_meetings_server 3.0
cisco unified_customer_voice_portal 12.5(1)
cisco packaged_contact_center_enterprise 11.6(1)
cisco ucs_central_software 2.0(1c)
cisco unified_contact_center_enterprise 12.0(1)
cisco network_insights_for_data_center 6.0(2.1914)
cisco broadworks *
cisco paging_server *
cisco sd-wan_vmanage 20.5
cisco crosswork_network_automation -
cisco sd-wan_vmanage 20.6
cisco unified_customer_voice_portal 11.6(1)
cisco unified_contact_center_enterprise 11.6(2)
cisco common_services_platform_collector 002.009(000.000)
cisco integrated_management_controller_supervisor 2.3.2.0
siemens siveillance_identity 1.6
cisco connected_analytics_for_network_deployment 008.000.000.000.004
cisco smart_phy 3.1.5
cisco evolved_programmable_network_manager *
siemens gma-manager *
cisco evolved_programmable_network_manager 3.1
cisco finesse 12.5(1)
cisco fxos 6.7.0
cisco unified_workforce_optimization 11.5(1)
cisco nexus_insights *
cisco optical_network_controller 1.1
cisco cloudcenter_suite 5.3(0)
cisco unified_contact_center_express 12.6(1)
cisco cloudcenter_suite 5.4(1)
siemens logo!_soft_comfort *
cisco workload_optimization_manager *
siemens vesys 2020.1
siemens head-end_system_universal_device_integration_system *
cisco network_dashboard_fabric_controller 11.5(3)
cisco unity_connection 11.5(1.10000.6)
cisco smart_phy 21.3
cisco sd-wan_vmanage 20.7
cisco network_dashboard_fabric_controller 11.1(1)
cisco cloudcenter_suite 5.5(0)
cisco cloudcenter_suite 4.10(0.15)
cisco webex_meetings_server 4.0
cisco unified_sip_proxy *
cisco virtual_topology_system 2.6.6
apache log4j 2.0
cisco network_dashboard_fabric_controller 11.0(1)
cisco cloudcenter_suite 5.4.1
cisco ucs_central *
cisco firepower_threat_defense 6.7.0
cisco integrated_management_controller_supervisor 002.003(002.000)
cisco sd-wan_vmanage 20.8
cisco network_dashboard_fabric_controller 11.4(1)
cisco unified_communications_manager_im_&_presence_service 11.5(1.22900.6)
cisco unified_customer_voice_portal 12.5
cisco enterprise_chat_and_email 12.5(1)
cisco connected_analytics_for_network_deployment 007.001.000
cisco ucs_central_software 2.0(1a)
siemens desigo_cc_info_center 5.1
siemens solid_edge_cam_pro *
cisco unified_communications_manager_im_&_presence_service 11.5(1)
netapp cloud_insights -
cisco crosswork_network_controller *
siemens capital 2019.1
siemens siveillance_command *
siemens capital *
siemens vesys *
cisco finesse 12.6(1)
apache log4j *
cisco ucs_central_software 2.0(1e)
cisco unified_communications_manager 11.5(1)su3
cisco emergency_responder 11.5(4.66000.14)
siemens siguard_dsa *
cisco connected_analytics_for_network_deployment 006.004.000.003
cisco unified_contact_center_enterprise 12.5(1)
siemens industrial_edge_management_hub *
cisco unified_sip_proxy 010.002(001)
siemens xpedition_enterprise -
siemens siveillance_control_pro *
cisco common_services_platform_collector 002.009(000.002)
cisco cloudcenter_cost_optimizer *
siemens energyip_prepay 3.8
cisco video_surveillance_manager 7.14(2.26)
cisco cloudcenter *
siemens mendix *
siemens spectrum_power_7 2.30
cisco sd-wan_vmanage 20.6.1
cisco wan_automation_engine *
cisco network_dashboard_fabric_controller 11.3(1)
cisco firepower_threat_defense 6.2.3
cisco virtualized_infrastructure_manager *
cisco unified_workforce_optimization *
cisco cloudcenter_suite 5.5(1)
cisco firepower_threat_defense 7.1.0
cisco enterprise_chat_and_email 12.0(1)
cisco sd-wan_vmanage 20.4
cisco wan_automation_engine 7.3
cisco fog_director -
cisco wan_automation_engine 7.1.3
cisco evolved_programmable_network_manager 5.0
cisco common_services_platform_collector 002.009(001.000)
cisco cloudcenter_suite 5.5.1
cisco unified_intelligence_center 12.6(2)
cisco unified_sip_proxy 010.000(000)
cisco enterprise_chat_and_email *
cisco connected_analytics_for_network_deployment 006.005.000.
cisco common_services_platform_collector 002.009(001.001)
cisco cloudcenter_suite 5.5.0
cisco crosswork_network_automation 2.0.0
cisco network_services_orchestrator -
siemens energyip 8.5
cisco video_surveillance_manager 7.14(4.018)
cisco network_dashboard_fabric_controller 11.2(1)
cisco crosswork_zero_touch_provisioning *
cisco crosswork_optimization_engine 3.0.0
cisco common_services_platform_collector 002.009(001.002)
siemens desigo_cc_info_center 5.0
siemens 6bk1602-0aa12-0tp0_firmware *
cisco paging_server 14.0(1)
snowsoftware vm_access_proxy *
siemens desigo_cc_advanced_reports 3.0
siemens industrial_edge_management *
cisco cloudcenter_suite 4.10.0.15
percussion rhythmyx *
cisco unified_contact_center_express 12.5(1)
siemens navigator *
cisco emergency_responder 11.5(4.65000.14)
cisco unified_communications_manager 11.5(1.18900.97)
siemens comos *
cisco unified_contact_center_express 12.6(2)
siemens siguard_dsa 4.4
bentley synchro_4d *
cisco wan_automation_engine 7.5
fedoraproject fedora 35
debian debian_linux 9.0
cisco ucs_director *
intel sensor_solution_firmware_development_kit -
cisco firepower_threat_defense 6.6.0
cisco cx_cloud_agent 001.012
cisco intersight_virtual_appliance 1.0.9-343
cisco cloudcenter_suite_admin *
cisco crosswork_network_controller 3.0.0
siemens 6bk1602-0aa52-0tp0_firmware *
cisco fxos 6.4.0
cisco connected_analytics_for_network_deployment 007.000.001
cisco ucs_central_software 2.0(1b)
cisco unified_contact_center_management_portal 12.6(1)
siemens operation_scheduler *
cisco sd-wan_vmanage *
siemens siguard_dsa 4.2
cisco unified_communications_manager 11.5(1)
cisco network_assurance_engine *
intel computer_vision_annotation_tool -
cisco wan_automation_engine 7.2.2
siemens mindsphere *
cisco paging_server 8.4(1)
cisco sd-wan_vmanage 20.3
cisco smart_phy *
cisco fxos 7.0.0
netapp solidfire_&_hci_storage_node -
cisco mobility_services_engine -
cisco dna_spaces -
cisco unified_intelligence_center *
siemens spectrum_power_4 4.70
cisco video_surveillance_manager 7.14(1.26)
cisco evolved_programmable_network_manager 5.1
netapp cloud_manager -
cisco ucs_central_software 2.0(1k)
cisco fxos 6.3.0
cisco ucs_central_software 2.0(1h)
cisco paging_server 9.0(2)
cisco unified_contact_center_enterprise 12.6(1)
siemens siveillance_viewpoint *
cisco unified_communications_manager_im_and_presence_service 11.5(1)
debian debian_linux 10.0
cisco wan_automation_engine 7.2.3
cisco wan_automation_engine 7.4
cisco prime_service_catalog 12.1
cisco unified_contact_center_enterprise 12.6(2)
cisco ucs_central_software 2.0(1l)
debian debian_linux 11.0
siemens sipass_integrated 2.80
cisco connected_analytics_for_network_deployment 007.003.000
cisco fxos 6.2.3
cisco virtual_topology_system *
cisco paging_server 8.3(1)
cisco identity_services_engine 002.004(000.914)
cisco evolved_programmable_network_manager 3.0
cisco emergency_responder *
siemens desigo_cc_advanced_reports 4.0
cisco paging_server 9.1(1)
siemens siveillance_vantage *
cisco dna_center *
cisco firepower_threat_defense 6.5.0
cisco common_services_platform_collector 002.010(000.000)
snowsoftware snow_commander *
siemens energyip 9.0
netapp snapcenter -
siemens sipass_integrated 2.85
cisco smart_phy 3.1.2
siemens vesys 2019.1
intel genomics_kernel_library -
cisco connected_mobile_experiences -
cisco common_services_platform_collector *
cisco cyber_vision_sensor_management_extension *
siemens sentron_powermanager 4.1
cisco evolved_programmable_network_manager 4.1
cisco unified_intelligence_center 12.6(1)
cisco unified_communications_manager 11.5(1.21900.40)
cisco identity_services_engine *
netapp ontap_tools -
siemens solid_edge_harness_design *
cisco wan_automation_engine 7.6
cisco unified_customer_voice_portal *
siemens spectrum_power_4 *
cisco ucs_central_software 2.0
cisco ucs_central_software 2.0(1f)
cisco integrated_management_controller_supervisor *
cisco virtualized_voice_browser *
cisco identity_services_engine 002.006(000.156)
cisco smart_phy 3.2.1
cisco unified_customer_voice_portal 12.6(1)
cisco network_dashboard_fabric_controller 11.5(2)
siemens solid_edge_harness_design 2020
cisco ucs_central_software 2.0(1d)
cisco unified_customer_voice_portal 12.0(1)
intel secure_device_onboard -
cisco automated_subsea_tuning 02.01.00
cisco webex_meetings_server *
cisco paging_server 12.5(2)
siemens captial *
cisco emergency_responder 11.5
cisco cloudcenter_suite 5.3.0
sonicwall email_security *
cisco crosswork_network_automation 4.1.0
cisco fxos 6.5.0
intel oneapi_sample_browser -
siemens vesys 2021.1
cisco wan_automation_engine 7.2.1
cisco cloudcenter_workload_manager *
apple xcode *
siemens nx *
cisco fxos 6.6.0
intel audio_development_kit -
bentley synchro *
cisco nexus_dashboard *
cisco dna_spaces_connector -
siemens 6bk1602-0aa42-0tp0_firmware *
cisco crosswork_data_gateway 3.0.0
cisco smart_phy 3.1.3
cisco connected_analytics_for_network_deployment 006.005.000.000
intel system_studio -
cisco unified_contact_center_express *
siemens desigo_cc_advanced_reports 4.2
siemens xpedition_package_integrator -
siemens energyip 8.7
siemens 6bk1602-0aa32-0tp0_firmware *
cisco identity_services_engine 2.4.0
CVE-2022-0883 MEDIUM

SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue. All installations version 9.x.x prior to 9.20.1 should be patched.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@snowsoftware.com 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-428,CWE-428,

Products Affected

Vendor Product Version
snowsoftware snow_license_manager *
CVE-2023-2679

Data leakage in Adobe connector in Snow Software SPE 9.27.0 on Windows allows privileged user to observe other users data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@snowsoftware.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N 2.3 1.4

Products Affected

Vendor Product Version
snowsoftware snow_license_manager *
CVE-2023-3864

Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
security@snowsoftware.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
snowsoftware snow_license_manager *
CVE-2023-3937

Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
security@snowsoftware.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
snowsoftware snow_license_manager *
CVE-2023-7169

Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof.This issue affects Snow Inventory Agent: through 6.14.5. Customers advised to upgrade to version 7.0

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@snowsoftware.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.8 5.2

Products Affected

Vendor Product Version
snowsoftware snow_inventory_agent *
CVE-2024-1149

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@snowsoftware.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
snowsoftware snow_inventory_agent 6.12.0
snowsoftware snow_inventory_agent *
CVE-2024-1150

Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@snowsoftware.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
snowsoftware snow_inventory_agent *