Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 202260 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2016-1502 NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors. HIGH Feb 7, 2017 n/a
CVE-2016-1504 dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to the option length. MEDIUM Feb 7, 2017 n/a
CVE-2016-1894 NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors. HIGH Feb 7, 2017 n/a
CVE-2016-2317 Multiple buffer overflows in GraphicsMagick 1.3.23 allow remote attackers to cause a denial of service (crash) via a crafted SVG file, related to the (1) TracePoint function in magick/render.c, (2) GetToken function in magick/utility.c, and (3) GetTransformTokens function in coders/svg.c. MEDIUM Feb 7, 2017 n/a
CVE-2016-2318 GraphicsMagick 1.3.23 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted SVG file, related to the (1) DrawImage function in magick/render.c, (2) SVGStartElement function in coders/svg.c, and (3) TraceArcPath function in magick/render.c. MEDIUM Feb 7, 2017 n/a
CVE-2016-2403 Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. HIGH Feb 7, 2017 n/a
CVE-2016-2539 Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file. MEDIUM Feb 7, 2017 n/a
CVE-2016-2779 runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal\'s input buffer. HIGH Feb 7, 2017 n/a
CVE-2016-2781 chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal\'s input buffer. LOW Feb 7, 2017 n/a
CVE-2016-2908 IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service. MEDIUM Feb 7, 2017 n/a
CVE-2016-2987 An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker. MEDIUM Feb 7, 2017 n/a
CVE-2016-3016 IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code. LOW Feb 7, 2017 n/a
CVE-2016-3017 IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations. MEDIUM Feb 7, 2017 n/a
CVE-2016-3020 IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content. MEDIUM Feb 7, 2017 n/a
CVE-2016-3021 IBM Security Access Manager for Web could allow an authenticated attacker to obtain sensitive information from error message using a specially crafted HTTP request. MEDIUM Feb 7, 2017 n/a
CVE-2016-3022 IBM Security Access Manager for Web could allow an authenticated user to gain access to highly sensitive information due to incorrect file permissions. MEDIUM Feb 7, 2017 n/a
CVE-2016-3023 IBM Security Access Manager for Web could allow an unauthenticated user to gain access to sensitive information by entering invalid file names. MEDIUM Feb 7, 2017 n/a
CVE-2016-3024 IBM Security Access Manager for Web allows web pages to be stored locally which can be read by another user on the system. LOW Feb 7, 2017 n/a
CVE-2016-3027 IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. MEDIUM Feb 7, 2017 n/a
CVE-2016-3029 IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. MEDIUM Feb 7, 2017 n/a
CVE-2016-3053 IBM AIX contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges. HIGH Feb 7, 2017 n/a
CVE-2016-3063 Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-3124 The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-3176 Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. MEDIUM Feb 7, 2017 n/a
CVE-2016-3180 Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. MEDIUM Feb 7, 2017 n/a
CVE-2016-3183 The sycc422_t_rgb function in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted jpeg2000 file. MEDIUM Feb 7, 2017 n/a
CVE-2016-3996 ClipboardDataMgr in Samsung KNOX 1.0.0 and 2.3.0 does not properly check the caller, which allows local users to read KNOX clipboard data via a crafted application. MEDIUM Feb 7, 2017 n/a
CVE-2016-4341 NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-4352 Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. MEDIUM Feb 7, 2017 n/a
CVE-2016-4570 The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. HIGH Feb 7, 2017 n/a
CVE-2016-4571 The mxml_write_node function in mxml-file.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. HIGH Feb 7, 2017 n/a
CVE-2016-4796 Heap-based buffer overflow in the color_cmyk_to_rgb in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (crash) via a crafted .j2k file. MEDIUM Feb 7, 2017 n/a
CVE-2016-4797 Divide-by-zero vulnerability in the opj_tcd_init_tile function in tcd.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (application crash) via a crafted jp2 file. NOTE: this issue exists because of an incorrect fix for CVE-2014-7947. MEDIUM Feb 7, 2017 n/a
CVE-2016-5102 Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file. MEDIUM Feb 7, 2017 n/a
CVE-2016-5115 The avcodec_decode_audio4 function in libavcodec in libavformat 57.34.103, as used in MPlayer, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mp3 file. MEDIUM Feb 7, 2017 n/a
CVE-2016-5241 magick/render.c in GraphicsMagick before 1.3.24 allows remote attackers to cause a denial of service (arithmetic exception and application crash) via a crafted svg file. MEDIUM Feb 7, 2017 n/a
CVE-2016-5372 Cross-site request forgery (CSRF) vulnerability in NetApp Snap Creator Framework before 4.3.0P1 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-5711 NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-5897 IBM Jazz Reporting Service (JRS) is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. LOW Feb 7, 2017 n/a
CVE-2016-5898 IBM Jazz Reporting Service (JRS) could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information. MEDIUM Feb 7, 2017 n/a
CVE-2016-5899 IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. LOW Feb 7, 2017 n/a
CVE-2016-5958 IBM Security Privileged Identity Manager could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. MEDIUM Feb 7, 2017 n/a
CVE-2016-5966 IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. MEDIUM Feb 7, 2017 n/a
CVE-2016-5988 IBM Security Privileged Identity Manager Virtual Appliance could disclose sensitive information in generated error messages that would be available to an authenticated user. MEDIUM Feb 7, 2017 n/a
CVE-2016-5990 IBM Security Privileged Identity Manager Virtual Appliance allows an authenticated user to upload malicious files that would be automatically executed by the server. MEDIUM Feb 7, 2017 n/a
CVE-2016-6028 IBM Jazz technology based products might allow an attacker to view work item titles that they do not have privilege to view. MEDIUM Feb 7, 2017 n/a
CVE-2016-6030 IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. LOW Feb 7, 2017 n/a
CVE-2016-6039 IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. LOW Feb 7, 2017 n/a
CVE-2016-6047 IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. LOW Feb 7, 2017 n/a
CVE-2016-6054 IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. LOW Feb 7, 2017 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online