
Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a catalog of standardized identifiers for publicly known vulnerabilities and security exposures.

Showing 50 of 142792 entries

Each row below gives, in order: ID, Description, Priority (shown as -- when none is assigned), Modified date.
CVE-2022-23045 PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the Site title parameter while updating the site settings. The Site title setting is injected in several locations which triggers the XSS. -- Jan 20, 2022
CVE-2022-22820 Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4. -- Jan 20, 2022
CVE-2022-22769 The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below. -- Jan 20, 2022
CVE-2022-22733 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions. -- Jan 20, 2022
CVE-2022-21704 log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update. -- Jan 20, 2022
CVE-2022-21701 Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users. -- Jan 20, 2022
CVE-2022-21699 IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade. -- Jan 20, 2022
CVE-2022-21679 Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy. -- Jan 20, 2022
CVE-2022-21658 Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 are affected by this vulnerability, with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions. -- Jan 20, 2022
CVE-2022-21242 Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0 and 20.0.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). MEDIUM Jan 20, 2022
CVE-2022-0285 Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.9. -- Jan 20, 2022
CVE-2022-0282 Code Injection in Packagist microweber/microweber prior to 1.2.11. -- Jan 20, 2022
CVE-2022-0281 Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. -- Jan 20, 2022
CVE-2022-0278 Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. -- Jan 20, 2022
CVE-2022-0277 Improper Access Control in Packagist microweber/microweber prior to 1.2.11. -- Jan 20, 2022
CVE-2022-0219 Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2. -- Jan 20, 2022
CVE-2021-46351 There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46350 There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46349 There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECMA_OBJECT_TYPE_PROXY' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46348 There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46347 There is an Assertion 'ecma_object_check_class_name_is_object (obj_p)' failed at /jerry-core/ecma/operations/ecma-objects.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46346 There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46345 There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry-core/lit/lit-strings.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46344 There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46343 There is an Assertion 'context_p->token.type == LEXER_LITERAL' failed at /jerry-core/parser/js/js-parser-expr.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46342 There is an Assertion 'ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p)' failed at /jerry-core/ecma/base/ecma-helpers.c in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46340 There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY_STATEMENT || context_p->stack_top_uint8 == SCAN_STACK_CATCH_STATEMENT' failed at /parser/js/js-scanner.c(scanner_scan_statement_end) in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46339 There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_size)' failed at /base/ecma-helpers-string.c(ecma_new_ecma_string_from_utf8) in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46338 There is an Assertion 'ecma_is_lexical_environment (object_p)' failed at /base/ecma-helpers.c(ecma_get_lex_env_type) in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46337 There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser-mem.c(parser_list_get) in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46336 There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' failed at /parser/js/js-parser-expr.c(parser_parse_class_body) in JerryScript 3.0.0. -- Jan 20, 2022
CVE-2021-46335 Moddable SDK v11.5.0 was discovered to contain a NULL pointer dereference in the component fx_Function_prototype_hasInstance. -- Jan 20, 2022
CVE-2021-46334 Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow via the component __interceptor_strcat. -- Jan 20, 2022
CVE-2021-46333 Moddable SDK v11.5.0 was discovered to contain an invalid memory access vulnerability via the component __asan_memmove. -- Jan 20, 2022
CVE-2021-46332 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via xs/sources/xsDataView.c in fxUint8Getter. -- Jan 20, 2022
CVE-2021-46331 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsProxy.c in fxProxyGetPrototype. -- Jan 20, 2022
CVE-2021-46330 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsDataView.c in fx_ArrayBuffer_prototype_concat. -- Jan 20, 2022
CVE-2021-46329 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via the component _fini. -- Jan 20, 2022
CVE-2021-46328 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __libc_start_main. -- Jan 20, 2022
CVE-2021-46327 Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability via xs/sources/xsArray.c in fx_Array_prototype_sort. -- Jan 20, 2022
CVE-2021-46326 Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow via the component __asan_memcpy. -- Jan 20, 2022
CVE-2021-46325 Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf. -- Jan 20, 2022
CVE-2021-46324 Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString. -- Jan 20, 2022
CVE-2021-46323 Espruino 2v11.251 was discovered to contain a SEGV vulnerability via src/jsinteractive.c in jsiGetDeviceFromClass. -- Jan 20, 2022
CVE-2021-46322 Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c. -- Jan 20, 2022
CVE-2021-46061 An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0 via the code parameter in /rsms/ node app. -- Jan 20, 2022
CVE-2021-46028 In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted. -- Jan 20, 2022
CVE-2021-46027 mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added -- Jan 20, 2022
CVE-2021-46026 mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting (XSS) via the add blog tag function in the blog tag in the background blog management. -- Jan 20, 2022
CVE-2021-46025 A Cross Site Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8 via the add function in the operation tab list in the background. -- Jan 20, 2022
The 'Fixed Release' column is displayed only when a single product version is selected in the filter; it names the release in which the CVE has been addressed and fixed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) support to receive up-to-date information about vulnerabilities that may affect legacy software. Contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
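The CVE-2022-21704 entry above describes log files created world-readable unless the log4js-node config supplies a `mode`. The practical check on a host is the same whatever wrote the logs: walk the log directory and flag regular files whose 'other' (or group) read bit is set. The following is an added example, not code from log4js-node or from this page. It creates two files under a temporary directory as a constructed sample; the only log4js-specific item is the `mode` config key named in the CVE text, shown here as a plain dict with 0o600 as this example's chosen hardened value.

```python
"""Audit a log directory for files other local users can read (the exposure in CVE-2022-21704)."""
import os
import stat
import tempfile

# A log4js file appender with an explicit owner-only mode, the setting the CVE says
# affected users had not supplied. Config fragment for illustration only.
LOG4JS_FILE_APPENDER = {"type": "file", "filename": "app.log", "mode": 0o600}

OTHER_READ = stat.S_IROTH
GROUP_READ = stat.S_IRGRP


def create_log(path, mode):
    """Create a log file with a fixed mode. os.chmod is applied after open so the
    result does not depend on the process umask (constructed for the demo)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.write(fd, b"2022-01-20T10:00:00Z INFO login user=alice session=abc123\n")
    finally:
        os.close(fd)
    os.chmod(path, mode)


def exposed_files(directory, include_group=False):
    """Regular files under directory readable by 'other' (and optionally by group).
    Entries are examined with lstat, so a planted symlink is skipped rather than followed."""
    mask = OTHER_READ | (GROUP_READ if include_group else 0)
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & mask:
                found.append(os.path.relpath(path, directory))
    return sorted(found)


def remediate(directory):
    """Strip group/other bits from every exposed file; returns the files that were changed."""
    changed = exposed_files(directory, include_group=True)
    for rel in changed:
        os.chmod(os.path.join(directory, rel), 0o600)
    return changed


def demo():
    """Create a world-readable log beside an owner-only one, audit, fix, audit again."""
    with tempfile.TemporaryDirectory() as d:
        create_log(os.path.join(d, "app.log"), 0o644)  # world-readable, as the CVE describes
        create_log(os.path.join(d, "audit.log"), LOG4JS_FILE_APPENDER["mode"])
        before = exposed_files(d)
        fixed = remediate(d)
        after = exposed_files(d, include_group=True)
        return before, fixed, after
```

On a real host run exposed_files against the application's log directory before remediating, since tightening a file that a separate log shipper reads as another user will break that shipper; that case is a deliberate group grant and should be made explicit in the appender's `mode` rather than left to the default.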
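The CVE-2022-21701 entry above lists, as one workaround, removing CREATE permission on gateways.gateway.networking.k8s.io from untrusted users, and notes that Istio's own Gateway type (gateways.networking.istio.io) is not affected. The following is an added example, not Istio's or Wind River's code, that finds the Roles and ClusterRoles granting that permission in the JSON that `kubectl get roles,clusterroles -A -o json` prints (its "items" list). SAMPLE_RBAC is constructed for the demo; wildcard rules are counted, and the gateways/status subresource is not, since it does not create Gateway objects.

```python
"""Flag RBAC roles granting CREATE on Gateway API gateways (workaround check for CVE-2022-21701)."""
import json

# The vulnerable resource is Gateway API's gateways.gateway.networking.k8s.io; Istio's own
# gateways.networking.istio.io is named in the CVE as not affected and must not be flagged.
TARGET_GROUP = "gateway.networking.k8s.io"
TARGET_RESOURCE = "gateways"
CREATE_VERBS = {"create", "*"}

# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`.
SAMPLE_RBAC = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "gateway-admin"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["gateways"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "istio-gateway-editor", "namespace": "shop"},
     "rules": [{"apiGroups": ["networking.istio.io"], "resources": ["gateways"],
                "verbs": ["create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "gateway-viewer", "namespace": "shop"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["gateways"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "status-writer", "namespace": "shop"},
     "rules": [{"apiGroups": [TARGET_GROUP], "resources": ["gateways/status"],
                "verbs": ["create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]})


def rule_grants_gateway_create(rule):
    """True if one RBAC rule lets a subject create Gateway API Gateway objects."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (bool(groups & {"*", TARGET_GROUP})
            and bool(resources & {"*", TARGET_RESOURCE})
            and bool(verbs & CREATE_VERBS))


def risky_roles(rbac_json):
    """Sorted kind/[namespace/]name labels of roles with at least one such rule."""
    hits = []
    for item in json.loads(rbac_json).get("items", []):
        if item.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_grants_gateway_create(r) for r in item.get("rules", [])):
            meta = item.get("metadata", {})
            ns = meta.get("namespace")
            label = f"{item['kind']}/{ns}/{meta['name']}" if ns else f"{item['kind']}/{meta['name']}"
            hits.append(label)
    return sorted(hits)


if __name__ == "__main__":
    for label in risky_roles(SAMPLE_RBAC):
        print(label)
```

A flagged role only matters once it is bound, so follow up with the bindings, or ask the API server directly for a given subject: `kubectl auth can-i create gateways.gateway.networking.k8s.io --as=<user>`. A cluster-wide wildcard role such as cluster-admin will always appear here; the question for it is who holds it, not whether the rule exists.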