Security Vulnerabilities Notification
31 March 2021 2:40
Dear CREODIAS Users,

In the section below, we have collected information about the latest and most critical security vulnerabilities published in the last month by the SANS Institute (www.sans.org).
Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and steal or destroy a company's data, which is why companies are advised to fix those vulnerabilities as soon as possible.
 
ID: CVE-2021-20016
Title: SQL Injection Vulnerability in SonicWall SSL VPN
Vendor: SonicWall
Description: An SQL injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform an SQL query to access username, password and other session-related information. This vulnerability impacts SMA100 build versions 10.x.
 
ID: CVE-2020-13957
Title: Remote Code Execution Vulnerability in Apache Solr
Vendor: Apache
Description: Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
 
ID: CVE-2021-1388
Title: Unauthorized Authentication Vulnerability in Cisco MSO
Vendor: Cisco
Description: A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint. An attacker could exploit this vulnerability by sending a crafted request to the affected API. A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.
 
ID: CVE-2021-1393
Title: Cisco Application Services Engine Unauthorized Access Vulnerabilities
Vendor: Cisco
Description: Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of this advisory.
 
ID: CVE-2021-26855
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)
Vendor: Microsoft
Description: This is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to an on-premises Exchange server. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.
 
ID: CVE-2021-27886
Title: Command Injection Vulnerability in Docker Dashboard
Vendor: Docker Dashboard Project
Description: rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
 
ID: CVE-2021-2047
Title: Unauthenticated Access Vulnerability in Oracle WebLogic Server
Vendor: Oracle
Description: This vulnerability is in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

Best regards,
CREODIAS Team