Vulnerabilities (CVE)

Filtered by vendor Netapp Subscribe
Filtered by product Active Iq Unified Manager
Total 677 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-43618 3 Debian, Gmplib, Netapp 13 Debian Linux, Gmp, Active Iq Unified Manager and 10 more 2023-09-29 5.0 MEDIUM 7.5 HIGH
GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
CVE-2023-24329 3 Fedoraproject, Netapp, Python 6 Fedora, Active Iq Unified Manager, Management Services For Element Software and 3 more 2023-09-20 N/A 7.5 HIGH
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2022-0391 4 Fedoraproject, Netapp, Oracle and 1 more 10 Fedora, Active Iq Unified Manager, Hci and 7 more 2023-09-20 5.0 MEDIUM 7.5 HIGH
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
CVE-2022-45061 3 Fedoraproject, Netapp, Python 10 Fedora, Active Iq Unified Manager, Bootstrap Os and 7 more 2023-09-15 N/A 7.5 HIGH
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
CVE-2019-17267 5 Debian, Fasterxml, Netapp and 2 more 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more 2023-09-13 7.5 HIGH 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVE-2021-20190 5 Apache, Debian, Fasterxml and 2 more 8 Nifi, Debian Linux, Jackson-databind and 5 more 2023-09-13 8.3 HIGH 8.1 HIGH
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-9548 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2023-09-13 6.8 MEDIUM 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVE-2020-9547 4 Debian, Fasterxml, Netapp and 1 more 16 Debian Linux, Jackson-databind, Active Iq Unified Manager and 13 more 2023-09-13 6.8 MEDIUM 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CVE-2020-24616 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2023-09-13 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2019-20330 4 Debian, Fasterxml, Netapp and 1 more 30 Debian Linux, Jackson-databind, Active Iq Unified Manager and 27 more 2023-09-13 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVE-2019-16943 6 Debian, Fasterxml, Fedoraproject and 3 more 27 Debian Linux, Jackson-databind, Fedora and 24 more 2023-09-13 6.8 MEDIUM 9.8 CRITICAL
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVE-2019-14379 7 Apple, Debian, Fasterxml and 4 more 25 Xcode, Debian Linux, Jackson-databind and 22 more 2023-09-13 7.5 HIGH 9.8 CRITICAL
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2019-17498 5 Debian, Fedoraproject, Libssh2 and 2 more 11 Debian Linux, Fedora, Libssh2 and 8 more 2023-09-08 5.8 MEDIUM 8.1 HIGH
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
CVE-2022-21248 4 Debian, Fedoraproject, Netapp and 1 more 18 Debian Linux, Fedora, 7-mode Transition Tool and 15 more 2023-09-08 4.3 MEDIUM 3.7 LOW
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21291 3 Debian, Netapp, Oracle 17 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 14 more 2023-09-08 5.0 MEDIUM 5.3 MEDIUM
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-3970 3 Debian, Libtiff, Netapp 3 Debian Linux, Libtiff, Active Iq Unified Manager 2023-09-06 N/A 8.8 HIGH
A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVE-2022-28796 4 Fedoraproject, Linux, Netapp and 1 more 24 Fedora, Linux Kernel, Active Iq Unified Manager and 21 more 2023-08-29 6.9 MEDIUM 7.0 HIGH
jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.
CVE-2023-20862 2 Netapp, Vmware 2 Active Iq Unified Manager, Spring Security 2023-08-23 N/A 6.3 MEDIUM
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
CVE-2023-0045 3 Debian, Linux, Netapp 13 Debian Linux, Linux Kernel, Active Iq Unified Manager and 10 more 2023-08-11 N/A 7.5 HIGH
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.  The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96
CVE-2022-38177 4 Debian, Fedoraproject, Isc and 1 more 4 Debian Linux, Fedora, Bind and 1 more 2023-08-08 N/A 7.5 HIGH
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.