| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of HP SiteScope
HP SiteScope: information disclosure
Synthesis of the vulnerability
An attacker can bypass access restrictions to data of HP SiteScope, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 02/10/2017.
Identifiers: CVE-2017-14349, HPESBGN03772, KM02948051, VIGILANCE-VUL-23995.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can bypass access restrictions to data of HP SiteScope, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
HPE SiteScope: four vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of HPE SiteScope.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/06/2017.
Revision date: 12/07/2017.
Identifiers: CVE-2017-8949, CVE-2017-8950, CVE-2017-8951, CVE-2017-8952, HPESBGN03763, hpesbgn03763en_us, VIGILANCE-VUL-22981, VU#768399.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can use several vulnerabilities of HPE SiteScope.
Full Vigil@nce bulletin... (Free trial) |
HP SiteScope: code execution via JMX
Synthesis of the vulnerability
An attacker can use a vulnerability via JMX of HP SiteScope, in order to run code.
Severity: 3/4.
Creation date: 22/05/2017.
Identifiers: VIGILANCE-VUL-22778.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can use a vulnerability via JMX of HP SiteScope, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
Blowfish, Triple-DES: algorithms too weak, SWEET32
Synthesis of the vulnerability
An attacker can create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two days attack, in order to decrypt data.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/08/2016.
Identifiers: 1610582, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1994375, 1995099, 1995922, 1998797, 1999054, 1999421, 2000209, 2000212, 2000370, 2000544, 2001608, 2002021, 2002335, 2002336, 2002479, 2002537, 2002870, 2002897, 2002991, 2003145, 2003480, 2003620, 2003673, 2004036, 2008828, 523628, 9010102, bulletinapr2017, c05349499, c05369403, c05369415, c05390849, CERTFR-2017-AVI-012, CERTFR-2019-AVI-049, CERTFR-2019-AVI-311, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-2183, CVE-2016-6329, DSA-2018-124, DSA-2019-131, DSA-3673-1, DSA-3673-2, FEDORA-2016-7810e24465, FEDORA-2016-dc2cb4ad6b, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FG-IR-17-173, HPESBGN03697, HPESBGN03765, HPESBUX03725, HPSBGN03690, HPSBGN03694, HPSBHF03674, ibm10718843, java_jan2017_advisory, JSA10770, KM03060544, NTAP-20160915-0001, openSUSE-SU-2016:2199-1, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2017:1638-1, openSUSE-SU-2018:0458-1, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, RHSA-2018:2123-01, SA133, SA40312, SB10171, SB10186, SB10197, SB10215, SOL13167034, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SSA:2016-363-01, SSA-556833, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, SUSE-SU-2017:1444-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, SWEET32, TNS-2016-16, USN-3087-1, USN-3087-2, USN-3270-1, USN-3339-1, USN-3339-2, USN-3372-1, VIGILANCE-VUL-20473.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The Blowfish and Triple-DES symetric encryption algorithms use 64 bit blocks.
However, if they are used in CBC mode, a collision occurs after 785 GB transferred, and it is then possible to decrypt blocks with an attack lasting two days.
An attacker can therefore create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two days attack, in order to decrypt data.
Full Vigil@nce bulletin... (Free trial) |
Apache Tomcat: read-write access via setGlobalContext
Synthesis of the vulnerability
An attacker, who is allowed to upload a malicious web application on the service, can bypass access restrictions via setGlobalContext of Apache Tomcat, in order to read or alter data.
Severity: 2/4.
Creation date: 22/02/2016.
Identifiers: 1980693, c05150442, c05324755, cpuapr2017, cpuoct2017, CVE-2016-0763, DSA-3530-1, DSA-3552-1, DSA-3609-1, FEDORA-2016-e6651efbaf, HPSBGN03669, HPSBUX03606, NTAP-20180531-0001, openSUSE-SU-2016:0865-1, RHSA-2016:1087-01, RHSA-2016:1088-01, RHSA-2016:1089-01, RHSA-2016:2599-02, RHSA-2016:2807-01, RHSA-2016:2808-01, SUSE-SU-2016:0769-1, SUSE-SU-2016:0822-1, USN-3024-1, VIGILANCE-VUL-18999.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The Apache Tomcat product can execute a web application from an untrusted source with a Security Manager.
However, a malicious application can use ResourceLinkFactory.setGlobalContext() to inject a context in another application, and access to its data.
An attacker, who is allowed to upload a malicious web application on the service, can therefore bypass access restrictions via setGlobalContext of Apache Tomcat, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial) |
HP SiteScope: privilege escalation via DNS Tool
Synthesis of the vulnerability
A local attacker can use the DNS Tool of HP SiteScope, in order to escalate his privileges.
Severity: 2/4.
Creation date: 12/10/2015.
Identifiers: R7-2015-17, SSRT103139, VIGILANCE-VUL-18072, VU#626368.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The HP SiteScope product usually allows local users to access to DNS tools.
However, on Windows, an attacker can ask the resolution of "example.com & shell-command". In this case, as "&" is a command separator, the shell command is run with privileges of the SiteScope service (SYSTEM).
A local attacker can therefore use the DNS Tool of HP SiteScope, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Apache Groovy: code execution via MethodClosure
Synthesis of the vulnerability
An attacker can use a vulnerability in MethodClosure of Apache Groovy, in order to run code.
Severity: 2/4.
Creation date: 24/09/2015.
Identifiers: c05324755, cpuapr2019, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, CVE-2015-3253, FEDORA-2015-15907, FEDORA-2017-6a0389a6a7, FEDORA-2017-9899aba20e, HPSBGN03669, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2558-01, RHSA-2016:0066-01, RHSA-2016:0118-01, RHSA-2017:2596-01, SA110, VIGILANCE-VUL-17973.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can use a vulnerability in MethodClosure of Apache Groovy, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
HP SiteScope: privilege escalation
Synthesis of the vulnerability
An attacker can bypass restrictions of HP SiteScope, in order to escalate his privileges.
Severity: 2/4.
Creation date: 26/05/2015.
Revision date: 27/05/2015.
Identifiers: c04688784, CVE-2015-2120, HPSBGN03325, SSRT101902, VIGILANCE-VUL-16988, ZDI-15-239, ZDI-CAN-2567.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The HP SiteScope product is used for software monitoring.
However, a remote authenticated user can read the users.config file, containing information about users.
An attacker can therefore bypass restrictions of HP SiteScope, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
TLS: RC4 decryption via Bar Mitzvah
Synthesis of the vulnerability
An attacker can use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Severity: 2/4.
Creation date: 27/03/2015.
Identifiers: 1450666, 1610582, 1647054, 1882708, 1883551, 1883553, 1902260, 1903541, 1960659, 1963275, 1967498, 523628, 7014463, 7022958, 7045736, 9010041, 9010044, Bar Mitzvah, BSA-2015-007, c04708650, c04767175, c04770140, c04772305, c04773119, c04773241, c04777195, c04777255, c04832246, c04926789, c05085988, c05336888, cpujan2018, cpuoct2017, CVE-2015-2808, DSA-2018-124, HPSBGN03350, HPSBGN03393, HPSBGN03399, HPSBGN03407, HPSBGN03414, HPSBGN03415, HPSBGN03580, HPSBHF03673, HPSBMU03345, HPSBMU03401, HPSBUX03435, HPSBUX03512, NTAP-20150715-0001, NTAP-20151028-0001, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SOL16864, SSRT102254, SSRT102977, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, VIGILANCE-VUL-16486, VN-2015-004.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
During the initialization of a TLS session, the client and the server negotiate cryptographic algorithms. The RC4 algorithm can be chosen to encrypt data.
For some weak keys (one over 2^24), the Invariance Weakness can be used to predict the two LSB (Least Significant Bit) of the 100 first bytes encrypted with RC4. The first TLS message is "Finished" (36 bytes), thus an attacker can predict LSBs of 64 bytes.
An attacker can therefore use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Full Vigil@nce bulletin... (Free trial) |
HP SiteScope: privilege escalation
Synthesis of the vulnerability
A remote attacker can use HP SiteScope, in order to escalate his privileges.
Severity: 3/4.
Creation date: 26/01/2015.
Identifiers: c04539443, CVE-2014-7882, HPSBMU03232, VIGILANCE-VUL-16043.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
A remote attacker can use HP SiteScope, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about HP SiteScope:
|