Security Vulnerabilities Notification

30 June 2021 10:08
Dear CREODIAS Users,

In the Security section, customers will find information about the latest and most critical security vulnerabilities published in the last month by the SANS Institute. Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and steal or destroy a company's data, which is why companies are advised to fix those vulnerabilities as soon as possible.
ID: CVE-2021-27135
Title: Denial of Service Vulnerability in xTerm
Vendor: Debian, Fedora Project, Invisible-Island
Description: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
ID: CVE-2020-36326
Title: Object Injection Vulnerability in PHPMailer
Vendor: PHPmailer_project
Description: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
ID: CVE-2021-26937
Title: Denial of Service Vulnerability in GNU Screen
Vendor: Gnu, Debian, and Fedora Project
Description: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
ID: CVE-2021-20231
Title: Memory Corruption Vulnerability in Gnutls
Vendor: Gnu, Redhat, NetApp, and Fedora Project
Description: A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
ID: CVE-2021-31800
Title: Arbitrary Code Execution Vulnerability in SMbserver Instance
Vendor: SecureAuth, Fedora Project
Description: Multiple path traversal vulnerabilities exist in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
ID: CVE-2021-29921
Title: Weak Authentication Control in Python Version < 3.9.5
Vendor: Python
Description: In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
ID: CVE-2021-28799
Title: Weak Authorization Vulnerability in QNAP
Vendor: Qnap
Description: An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2. QNAP Systems Inc. HBS 1.3.

ID: CVE-2021-31474
Title: Arbitrary Code Execution Vulnerability in SolarWinds
Vendor: Solarwinds
Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.
ID: CVE-2021-33574
Title: Buffer Overflow Vulnerability in GNU
Vendor: Gnu
Description: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
ID: CVE-2021-33180
Title: SQL Injection Vulnerability in Synology Media Server
Vendor: Synology
Description: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Kind regards,
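For the CVE-2021-29921 entry above, an added example that is not part of the original notice: an IP-based access check that refuses zero-padded octets before the string reaches the ipaddress library, so it behaves the same on interpreters with and without the fix. The names `parse_ipv4_strict`, `is_allowed` and `ALLOWED_NETWORKS`, and the sample addresses, are constructed for illustration.

```python
import ipaddress

# Constructed allow-list for the example (documentation range, RFC 5737).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ipv4_strict(text):
    """Parse a dotted-quad IPv4 string, refusing zero-padded octets.

    The check runs before ipaddress sees the string, so the result is the
    same on interpreters with and without the 3.9.5 fix.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet {part!r} in {text!r}")
        # "010" may be read as 10 (decimal) by one parser and as 8 (octal)
        # by another, so a padded octet is rejected rather than normalised.
        if len(part) > 1 and part.startswith("0"):
            raise ValueError(f"leading zero in octet {part!r} of {text!r}")
        if int(part) > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
    return ipaddress.IPv4Address(text)


def is_allowed(text, networks=ALLOWED_NETWORKS):
    """Fail closed: unparseable or ambiguous input is never allowed."""
    try:
        addr = parse_ipv4_strict(text)
    except ValueError:
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample inputs: one clean address, then padded, short
    # and out-of-list variants.
    for sample in ["192.0.2.10", "192.0.2.010", "0192.0.2.10",
                   "192.0.2", "198.51.100.7"]:
        print(f"{sample:>14}  allowed={is_allowed(sample)}")
```

Upgrading to Python 3.9.5 or later remains the fix; a pre-check like this is useful where the same address string is also handed to other tools that may parse it differently.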