Filtered by vendor Netapp Subscriptions
Filtered by product Active Iq Unified Manager Subscriptions
Total 791 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-45862 3 Linux, Netapp, Redhat 6 Linux Kernel, Active Iq Unified Manager, H410c and 3 more 2024-11-21 5.5 Medium
An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.
CVE-2023-41105 3 Netapp, Python, Redhat 3 Active Iq Unified Manager, Python, Enterprise Linux 2024-11-21 7.5 High
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
CVE-2023-3338 4 Debian, Linux, Netapp and 1 more 4 Debian Linux, Linux Kernel, Active Iq Unified Manager and 1 more 2024-11-21 6.5 Medium
A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.
CVE-2023-38545 5 Fedoraproject, Haxx, Microsoft and 2 more 19 Fedora, Libcurl, Windows 10 1809 and 16 more 2024-11-21 8.8 High
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
CVE-2023-36054 4 Debian, Mit, Netapp and 1 more 8 Debian Linux, Kerberos 5, Active Iq Unified Manager and 5 more 2024-11-21 6.5 Medium
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
CVE-2023-31102 3 7-zip, Linux, Netapp 4 7-zip, Linux Kernel, Active Iq Unified Manager and 1 more 2024-11-21 7.8 High
Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
CVE-2023-2953 4 Apple, Netapp, Openldap and 1 more 17 Macos, Active Iq Unified Manager, Clustered Data Ontap and 14 more 2024-11-21 7.5 High
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
CVE-2023-28487 3 Netapp, Redhat, Sudo Project 5 Active Iq Unified Manager, Enterprise Linux, Openshift Data Foundation and 2 more 2024-11-21 5.3 Medium
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
CVE-2023-28486 3 Netapp, Redhat, Sudo Project 5 Active Iq Unified Manager, Enterprise Linux, Openshift Data Foundation and 2 more 2024-11-21 5.3 Medium
Sudo before 1.9.13 does not escape control characters in log messages.
CVE-2023-27538 7 Broadcom, Debian, Fedoraproject and 4 more 16 Brocade Fabric Operating System Firmware, Debian Linux, Fedora and 13 more 2024-11-21 5.5 Medium
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
CVE-2023-27537 4 Broadcom, Haxx, Netapp and 1 more 13 Brocade Fabric Operating System Firmware, Libcurl, Active Iq Unified Manager and 10 more 2024-11-21 5.9 Medium
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVE-2023-27536 6 Debian, Fedoraproject, Haxx and 3 more 16 Debian Linux, Fedora, Libcurl and 13 more 2024-11-21 5.9 Medium
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
CVE-2023-27535 6 Debian, Fedoraproject, Haxx and 3 more 16 Debian Linux, Fedora, Libcurl and 13 more 2024-11-21 5.9 Medium
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
CVE-2023-27534 6 Broadcom, Fedoraproject, Haxx and 3 more 15 Brocade Fabric Operating System Firmware, Fedora, Curl and 12 more 2024-11-21 8.8 High
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
CVE-2023-27533 5 Fedoraproject, Haxx, Netapp and 2 more 15 Fedora, Curl, Active Iq Unified Manager and 12 more 2024-11-21 8.8 High
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
CVE-2023-26049 4 Debian, Eclipse, Netapp and 1 more 15 Debian Linux, Jetty, Active Iq Unified Manager and 12 more 2024-11-21 2.4 Low
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-24329 4 Fedoraproject, Netapp, Python and 1 more 14 Fedora, Active Iq Unified Manager, Management Services For Element Software and 11 more 2024-11-21 7.5 High
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2023-23915 4 Haxx, Netapp, Redhat and 1 more 13 Curl, Active Iq Unified Manager, Clustered Data Ontap and 10 more 2024-11-21 6.5 Medium
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVE-2023-23914 4 Haxx, Netapp, Redhat and 1 more 13 Curl, Active Iq Unified Manager, Clustered Data Ontap and 10 more 2024-11-21 9.1 Critical
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.
CVE-2023-22058 4 Fedoraproject, Netapp, Oracle and 1 more 8 Fedora, Active Iq Unified Manager, Oncommand Insight and 5 more 2024-11-21 4.4 Medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).