Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Storage_automation_store
(Netapp)| Repositories |
• https://github.com/php/php-src
• https://github.com/openssh/openssh-portable • https://github.com/derickr/timelib |
| #Vulnerabilities | 115 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-03-26 | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. | Http_server, Ubuntu_linux, Debian_linux, Clustered_data_ontap, Santricity_cloud_connector, Storage_automation_store, Storagegrid, Enterprise_linux | 5.3 | ||
| 2018-03-26 | CVE-2018-1301 | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. | Http_server, Ubuntu_linux, Debian_linux, Clustered_data_ontap, Santricity_cloud_connector, Storage_automation_store, Storagegrid, Enterprise_linux | 5.9 | ||
| 2018-03-26 | CVE-2018-1302 | When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. | Http_server, Ubuntu_linux, Clustered_data_ontap, Santricity_cloud_connector, Storage_automation_store, Storagegrid | 5.9 | ||
| 2018-03-26 | CVE-2018-1303 | A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability. | Http_server, Ubuntu_linux, Debian_linux, Clustered_data_ontap, Santricity_cloud_connector, Storage_automation_store, Storagegrid | 7.5 | ||
| 2018-06-18 | CVE-2018-1333 | By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33). | Http_server, Ubuntu_linux, Cloud_backup, Storage_automation_store, Jboss_core_services | 7.5 | ||
| 2018-09-25 | CVE-2018-11763 | In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. | Http_server, Ubuntu_linux, Storage_automation_store, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service, Secure_global_desktop, Enterprise_linux | 5.9 | ||
| 2018-10-30 | CVE-2018-0734 | The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). | Ubuntu_linux, Debian_linux, Cloud_backup, Cn1610_firmware, Oncommand_unified_manager, Santricity_smi\-S_provider, Snapcenter, Steelstore, Storage_automation_store, Node\.js, Openssl, Api_gateway, E\-Business_suite_technology_stack, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Mysql_enterprise_backup, Peoplesoft_enterprise_peopletools, Primavera_p6_professional_project_management, Tuxedo | 5.9 | ||
| 2019-01-27 | CVE-2019-6977 | gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data. | Ubuntu_linux, Debian_linux, Libgd, Storage_automation_store, Php | 8.8 | ||
| 2019-01-30 | CVE-2018-17189 | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | Http_server, Ubuntu_linux, Debian_linux, Fedora, Santricity_cloud_connector, Storage_automation_store, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service, Sun_zfs_storage_appliance_kit, Jboss_core_services | 5.3 | ||
| 2019-01-30 | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. | Http_server, Ubuntu_linux, Debian_linux, Santricity_cloud_connector, Storage_automation_store, Enterprise_manager_ops_center | 7.5 |