Security Vulnerabilities Notification

31 May 2021 8:50
Dear CREODIAS users,

In the Security section customers will find information about the latest and most critical security vulnerabilities published in the last month by the SANS Institute (www.sans.org). Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and steal or destroy companies' data, which is why companies are advised to fix those vulnerabilities as soon as possible.
 
ID: CVE-2021-0248
Title: Authentication Bypass Vulnerability in Juniper
Vendor: Juniper
Description: This issue is not applicable to NFX NextGen Software. On NFX Series devices the use of Hard-coded Credentials in Juniper Networks Junos OS allows an attacker to take over any instance of an NFX deployment. This issue is only exploitable through administrative interfaces. This issue affects: Juniper Networks Junos OS versions prior to 19.1R1 on NFX Series. No other platforms besides NFX Series devices are affected.
 
ID: CVE-2021-2177
Title: Remote Code Execution in Oracle Global Desktop
Vendor: Oracle
Description: Vulnerability in the Oracle Secure Global Desktop product of Oracle Virtualization (component: Gateway). The supported version that is affected is 5.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
 
ID: CVE-2021-2256
Title: Remote Code Execution in Oracle Storage Cloud
Vendor: Oracle
Description: Vulnerability in the Oracle Storage Cloud Software Appliance product of Oracle Storage Gateway (component: Management Console). The supported version that is affected is prior to 16.3.1.4.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Storage Cloud Software Appliance. While the vulnerability is in Oracle Storage Cloud Software Appliance, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Storage Cloud Software Appliance. Note: Updating the Oracle Storage Cloud Software Appliance to version 16.3.1.4.2 or later will address these vulnerabilities.
 
ID: CVE-2017-3167
Title: Authentication Bypass Vulnerability in Apache httpd
Vendor: Apache and multiple other vendors
Description: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
 
ID: CVE-2021-21346
Title: Deserialization Vulnerability in XStream Library
Vendor: XStream_project
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

ID: CVE-2020-11975
Title: Privilege Escalation Vulnerability in Apache Unomi
Vendor: Apache
Description: Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
 
ID: CVE-2020-17510
Title: Authentication Bypass Vulnerability in Apache Shiro
Vendor: Apache
Description: In Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

ID: CVE-2020-18020
Title: SQL Injection Vulnerability in PHPSHE Mall System
Vendor: PHPSHE
Description: SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user phone" parameter of a crafted HTTP request to the "admin.php" component.

Best regards,
CREODIAS Team