Forum

Message Boards Message Boards

Announcements

Security Vulnerabilities Notification

Security Vulnerabilities Notification
Answer
29 October 2021 2:35
Dear CREODIAS Users,

In the Security section customers will find information about latest and most critical security vulnerabilities, published in the last month by the SANS Institute (www.sans.org). Security vulnerabilities in software and hardware are very often used by cyber criminals to attack IT infrastructure and steal or destroy company's data, that is why companies are advice to fix those vulnerabilities as soon as possible.


ID: CVE-2020-27134

Title: Arbitrary Code Execution in Cisco Jabber

Vendor: Cisco

Description: Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.


ID: CVE-2021-31556

Title: Weak Cryptography Usage in Mediawiki

Vendor: Media Wiki

Description: An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.


ID: CVE-2021-26085

Title: Arbitrary File Read Vulnerability in Atlassian Confluence Server

Vendor: Atlassian

Description Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.


ID: CVE-2021-37716

Title: Buffer Overflow Vulnerability in Aruba SD-WAN

Vendor: Aruba Networks

Description: A remote buffer overflow vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.15. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.


ID: CVE-2021-41773

Title: Apache HTTP Traversal Vulnerability

Vendor: Apache

Description: This vulnerability is in Apache Server version 2.4.49. It is a path traversal and file disclosure flaw that could allow attackers to gain access to sensitive data, and according to the report, is being actively exploited. This vulnerability allows attackers to map URLs to files outside of the expected document root using a path traversal attack.Path traversal attacks entail sending requests to get access to the backend or sensitive server directories that should not be accessible. The attackers bypass the filters using encoded characters (ASCII) for the URLs. According to the advisory, the problem might potentially reveal the source of interpreted files like CGI scripts, which could contain sensitive information that attackers could use for future attacks. The target must be running Apache HTTP Server 2.4.49 and have the “require all denied” access control parameter deactivated for the attack to work. However, this is the default setting.


ID: CVE-2020-26301

Title: Command injection Vulnerability in ssh2

Vendor: ssh2 project

Description: ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID: CVE-2020-14343

Title: Arbitrary Code Execution in PyYaml

Vendor: Pyyaml

Description: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.


ID: CVE-2021-34345

Title: Buffer Overflow Vulnerability in QNap Device

Vendor: Qnap

Description: A stack buffer overflow vulnerability has been reported to affect QNAP device running NVR Storage Expansion. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of NVR Storage Expansion: NVR Storage Expansion 1.0.6 ( 2021/08/03 ) and later


ID: CVE-2021-39296

Title: Weak Authentication in Open BMC

Vendor: Open BMC Project

Description: In OpenBMC 2.9, crafted IPMI messages allow an attacker to bypass authentication and gain full control of the system.

0 (0 Votes)