The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NetApp SnapManager

computer vulnerability alert CVE-2019-10241 CVE-2019-10246 CVE-2019-10247

Eclipse Jetty: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Eclipse Jetty, in order to run JavaScript code in the context of the web site.
Impacted products: Kafka, Jetty, Snap Creator Framework, SnapManager.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 23/04/2019.
Identifiers: CVE-2019-10241, CVE-2019-10246, CVE-2019-10247, NTAP-20190509-0003, VIGILANCE-VUL-29106.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Eclipse Jetty, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2018-11784

Apache Tomcat: open redirect via Directory Redirect

Synthesis of the vulnerability

An attacker can deceive the user via Directory Redirect of Apache Tomcat, in order to redirect him to a malicious site.
Impacted products: Tomcat, Debian, Fedora, QRadar SIEM, ePO, McAfee Web Gateway, Snap Creator Framework, SnapManager, openSUSE Leap, Oracle Communications, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 04/10/2018.
Identifiers: bulletinoct2018, cpuapr2019, CVE-2018-11784, DLA-1544-1, DLA-1545-1, FEDORA-2018-b18f9dd65b, FEDORA-2018-b89746cb9b, ibm10874888, NTAP-20181014-0002, openSUSE-SU-2018:3453-1, openSUSE-SU-2018:4042-1, openSUSE-SU-2019:0084-1, openSUSE-SU-2019:1547-1, RHSA-2019:0130-01, RHSA-2019:0131-01, RHSA-2019:0485-01, RHSA-2019:1529-01, SB10257, SB10264, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, SUSE-SU-2018:3393-1, SUSE-SU-2018:3935-1, SUSE-SU-2018:3968-1, USN-3787-1, VIGILANCE-VUL-27396.

Description of the vulnerability

An attacker can deceive the user via Directory Redirect of Apache Tomcat, in order to redirect him to a malicious site.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2018-1000632

dom4j: external XML entity injection via XML Injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data via XML Injection to dom4j, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Snap Creator Framework, SnapManager, openSUSE Leap, JBoss EAP by Red Hat, Red Hat SSO, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 25/09/2018.
Identifiers: CVE-2018-1000632, DLA-1517-1, NTAP-20190530-0001, openSUSE-SU-2018:2931-1, openSUSE-SU-2018:3998-1, openSUSE-SU-2018:4045-1, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, SUSE-SU-2018:3424-1, SUSE-SU-2018:3908-1, VIGILANCE-VUL-27312.

Description of the vulnerability

An attacker can transmit malicious XML data via XML Injection to dom4j, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-2938 CVE-2018-2940 CVE-2018-2941

Oracle Java: vulnerabilities of July 2018

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle products.
Impacted products: Debian, Fedora, AIX, DB2 UDB, Domino, Notes, QRadar SIEM, Tivoli Workload Scheduler, ePO, SnapManager, Java OpenJDK, openSUSE Leap, Java Oracle, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 18/07/2018.
Identifiers: ADV-2018-022, CERTFR-2018-AVI-348, cpujul2018, CVE-2018-2938, CVE-2018-2940, CVE-2018-2941, CVE-2018-2942, CVE-2018-2952, CVE-2018-2964, CVE-2018-2972, CVE-2018-2973, DLA-1590-1, DSA-4268-1, FEDORA-2018-0b6ccd1c68, FEDORA-2018-40decc4158, FEDORA-2018-4d58785bcd, FEDORA-2018-877fdbb3f0, FEDORA-2018-c650019e9c, FEDORA-2018-d4bfa98f6a, ibm10725491, ibm10738401, ibm10742729, ibm10743351, NTAP-20180726-0001, openSUSE-SU-2018:2206-1, openSUSE-SU-2018:2247-1, openSUSE-SU-2018:3057-1, openSUSE-SU-2018:3103-1, openSUSE-SU-2019:0042-1, RHSA-2018:2241-01, RHSA-2018:2242-01, RHSA-2018:2253-01, RHSA-2018:2254-01, RHSA-2018:2255-01, RHSA-2018:2256-01, RHSA-2018:2283-01, RHSA-2018:2286-01, RHSA-2018:2568-01, RHSA-2018:2569-01, RHSA-2018:2575-01, RHSA-2018:2576-01, RHSA-2018:3007-01, RHSA-2018:3008-01, SB10247, SUSE-SU-2018:2083-1, SUSE-SU-2018:2574-1, SUSE-SU-2018:2583-1, SUSE-SU-2018:2649-1, SUSE-SU-2018:2839-1, SUSE-SU-2018:3045-1, SUSE-SU-2018:3064-1, SUSE-SU-2018:3064-3, SUSE-SU-2018:3082-1, SUSE-SU-2019:0049-1, USN-3734-1, USN-3735-1, USN-3747-1, USN-3747-2, VIGILANCE-VUL-26767.

Description of the vulnerability

Several vulnerabilities were announced in Oracle products.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-11212

libjpeg: denial of service via alloc_sarray

Synthesis of the vulnerability

An attacker can generate a fatal error via alloc_sarray() of libjpeg, in order to trigger a denial of service.
Impacted products: Debian, Fedora, AIX, IBM API Connect, IBM i, SnapManager, Java OpenJDK, openSUSE Leap, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 10/07/2018.
Identifiers: cpujan2019, CVE-2018-11212, DLA-1638-1, FEDORA-2019-362387a66d, FEDORA-2019-b084fa3ea5, ibm10875554, ibm10878376, ibm10882598, NTAP-20190118-0001, openSUSE-SU-2019:0161-1, openSUSE-SU-2019:0346-1, openSUSE-SU-2019:1439-1, openSUSE-SU-2019:1500-1, RHSA-2019:0469-01, RHSA-2019:0472-01, RHSA-2019:0473-01, RHSA-2019:0474-01, RHSA-2019:1238-01, SUSE-SU-2019:0221-1, SUSE-SU-2019:0574-1, SUSE-SU-2019:0604-1, SUSE-SU-2019:0617-1, SUSE-SU-2019:1219-1, SUSE-SU-2019:1392-1, SUSE-SU-2019:13975-1, SUSE-SU-2019:13978-1, SUSE-SU-2019:14069-1, USN-3706-1, USN-3706-2, VIGILANCE-VUL-26667.

Description of the vulnerability

An attacker can generate a fatal error via alloc_sarray() of libjpeg, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-8960

TLS: information disclosure via KCI Attacks

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via KCI Attacks of TLS, in order to obtain sensitive information.
Impacted products: Snap Creator Framework, SnapManager, SSL protocol.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 27/06/2018.
Identifiers: CVE-2015-8960, NTAP-20180626-0002, VIGILANCE-VUL-26550.

Description of the vulnerability

An attacker can bypass access restrictions to data via KCI Attacks of TLS, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2018-12536

Eclipse Jetty: information disclosure via InvalidPathException Message

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via InvalidPathException Message of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Jetty, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2018-12536, NTAP-20181014-0001, VIGILANCE-VUL-26536.

Description of the vulnerability

An attacker can bypass access restrictions to data via InvalidPathException Message of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-7658

Eclipse Jetty: information disclosure via Double Content-Length

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Double Content-Length of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7658, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26535.

Description of the vulnerability

An attacker can bypass access restrictions to data via Double Content-Length of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-7657

Eclipse Jetty: information disclosure via Transfer-Encoding Request Smuggling

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Transfer-Encoding Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7657, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26534.

Description of the vulnerability

An attacker can bypass access restrictions to data via Transfer-Encoding Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-7656

Eclipse Jetty: information disclosure via HTTP/0.9 Request Smuggling

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7656, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26533.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, an attacker can bypass access restrictions to data.

An attacker can therefore use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.