Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 67338 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2014-3591 Libgcrypt version 1.6.3 [1] and GnuPG version 1.4.19 [2] fix a side-channel attack which can potentially lead to an information leak. This issue is different from CVE-2014-5270. -- Mar 12, 2016 -- (VxWorks 7)
CVE-2014-3590 Versions of Foreman as shipped with Red Hat Satellite 6 does not check for a correct CSRF token in the logout action. Therefore, an attacker can log out a user by having them view specially crafted content. MEDIUM Jan 14, 2020 -- (VxWorks 7)
CVE-2014-3585 redhat-upgrade-tool: Does not check GPG signatures when upgrading versions HIGH Nov 25, 2019 -- (VxWorks 7)
CVE-2014-3582 The certificate signing REST API in Apache Ambari before 2.4.0 allows remote attackers to execute arbitrary code via shell metacharacters in the agentHostname value. High Apr 3, 2017 -- (VxWorks 7)
CVE-2014-3579 XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. -- Oct 27, 2017 -- (VxWorks 7)
CVE-2014-3572 The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. Medium Jan 9, 2015 -- (VxWorks 7)
CVE-2014-3571 OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.<a href=http://cwe.mitre.org/data/definitions/476.html>CWE-476: NULL Pointer Dereference</a> Medium Jan 9, 2015 -- (VxWorks 7)
CVE-2014-3570 The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. Medium Jan 9, 2015 -- (VxWorks 7)
CVE-2014-3569 The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.<a href=http://cwe.mitre.org/data/definitions/476.html>CWE-476: NULL Pointer Dereference</a> Medium Dec 24, 2014 -- (VxWorks 7)
CVE-2014-3568 OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. Medium Oct 23, 2014 -- (VxWorks 7)
CVE-2014-3567 Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. High Oct 23, 2014 -- (VxWorks 7)
CVE-2014-3566 The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue. Medium Oct 24, 2014 openSSL-1.0.2.0 (VxWorks 7)
CVE-2014-3539 base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load. -- Apr 6, 2018 -- (VxWorks 7)
CVE-2014-3536 CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration -- Dec 15, 2019 -- (VxWorks 7)
CVE-2014-3531 Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. -- Oct 18, 2017 -- (VxWorks 7)
CVE-2014-3527 When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users. High Jun 8, 2017 -- (VxWorks 7)
CVE-2014-3526 Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions. -- Oct 30, 2017 -- (VxWorks 7)
CVE-2014-3519 The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capability to bypass an intended container protection mechanism and access arbitrary files on a filesystem via vectors related to use of the file_handle structure. -- Feb 1, 2018 -- (VxWorks 7)
CVE-2014-3513 Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. High Oct 22, 2014 -- (VxWorks 7)
CVE-2014-3512 Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter. HIGH Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3511 The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a protocol downgrade issue. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3510 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3508 The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of \'\\0\' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3507 Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3506 d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3505 Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. MEDIUM Aug 13, 2014 -- (VxWorks 7)
CVE-2014-3498 The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. -- Jun 8, 2017 -- (VxWorks 7)
CVE-2014-3495 duplicity 0.6.24 has improper verification of SSL certificates -- Dec 13, 2019 -- (VxWorks 7)
CVE-2014-3484 Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output. HIGH Feb 28, 2020 -- (VxWorks 7)
CVE-2014-3471 Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices. -- Jan 12, 2018 -- (VxWorks 7)
CVE-2014-3470 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.Per: http://cwe.mitre.org/data/definitions/476.html CWE-476: NULL Pointer Dereference Medium Jun 13, 2014 -- (VxWorks 7)
CVE-2014-3462 The .encfs6.xml configuration file in encfs before 1.7.5 allows remote attackers to access sensitive data by setting blockMACBytes to 0 and adding 8 to blockMACRandBytes. -- Aug 7, 2017 -- (VxWorks 7)
CVE-2014-3451 OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. -- Aug 18, 2017 -- (VxWorks 7)
CVE-2014-3449 BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability HIGH Jan 14, 2020 -- (VxWorks 7)
CVE-2014-3448 BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerability due to unauthenticated file upload HIGH Jan 14, 2020 -- (VxWorks 7)
CVE-2014-3447 BSS Continuity CMS 4.2.22640.0 has a Remote Denial Of Service vulnerability MEDIUM Jan 14, 2020 -- (VxWorks 7)
CVE-2014-3445 backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash. HIGH Jan 31, 2020 -- (VxWorks 7)
CVE-2014-3413 The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveraging database access. -- Apr 5, 2018 -- (VxWorks 7)
CVE-2014-3250 The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. -- Dec 11, 2017 -- (VxWorks 7)
CVE-2014-3244 XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. High Feb 15, 2018 -- (VxWorks 7)
CVE-2014-3230 The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. MEDIUM Feb 6, 2020 -- (VxWorks 7)
CVE-2014-3227 dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the C-style encoded filenames feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program. Medium Jun 2, 2014 -- (VxWorks 7)
CVE-2014-3224 Huawei Quidway S9700 V200R003C00SPC500, Quidway S9300 V200R003C00SPC500, Quidway S7700 V200R003C00SPC500, Quidway S6700 V200R003C00SPC300, Quidway S6300 V200R003C00SPC300, Quidway S5700 V200R003C00SPC300, Quidway S5300 V200R003C00SPC300 enable attackers to launch DoS attacks by crafting and sending malformed packets to these vulnerable products. High Apr 5, 2017 -- (VxWorks 7)
CVE-2014-3223 Huawei S9300 with software before V100R006SPH013 and S2300,S3300,S5300,S6300 with software before V100R006SPH010 support Y.1731 and therefore have the Y.1731 vulnerability in processing special packets. The vulnerability causes the restart of switches. High Apr 5, 2017 -- (VxWorks 7)
CVE-2014-3222 In Huawei eSpace Meeting with software V100R001C03SPC201 and the earlier versions, attackers that obtain the permissions assigned to common users can elevate privileges to access and set specific key resources. Medium Apr 4, 2017 -- (VxWorks 7)
CVE-2014-3221 Huawei Eudemon8000E firewall with software V200R001C01SPC800 and earlier versions allows users to log in to the device using Telnet or SSH. When an attacker sends to the device a mass of TCP packets with special structure, the logging process becomes slow and users may be unable to log in to the device. Medium Apr 5, 2017 -- (VxWorks 7)
CVE-2014-3219 fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER. -- Feb 9, 2018 -- (VxWorks 7)
CVE-2014-3211 Publify before 8.0.1 is vulnerable to a Denial of Service attack MEDIUM Jan 13, 2020 -- (VxWorks 7)
CVE-2014-3208 A Denial of Service vulnerability exists in askpop3d 0.7.7 in free (pszQuery), -- Feb 13, 2020 -- (VxWorks 7)
CVE-2014-3206 Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php. -- Feb 23, 2018 -- (VxWorks 7)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online