Vulnerabilities (CVE)

Filtered by vendor Netapp Subscribe
Filtered by product E-series Performance Analyzer
Total 60 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-31123 2 Grafana, Netapp 2 Grafana, E-series Performance Analyzer 2023-12-10 N/A 7.8 HIGH
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
CVE-2021-3999 3 Debian, Gnu, Netapp 15 Debian Linux, Glibc, E-series Performance Analyzer and 12 more 2023-12-10 N/A 7.8 HIGH
A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
CVE-2022-45061 3 Fedoraproject, Netapp, Python 10 Fedora, Active Iq Unified Manager, Bootstrap Os and 7 more 2023-12-10 N/A 7.5 HIGH
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
CVE-2022-31107 2 Grafana, Netapp 2 Grafana, E-series Performance Analyzer 2023-12-10 N/A 7.5 HIGH
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
CVE-2022-31097 2 Grafana, Netapp 2 Grafana, E-series Performance Analyzer 2023-12-10 N/A 8.7 HIGH
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
CVE-2022-21702 3 Fedoraproject, Grafana, Netapp 3 Fedora, Grafana, E-series Performance Analyzer 2023-12-10 2.1 LOW 5.4 MEDIUM
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.
CVE-2021-4044 3 Netapp, Nodejs, Openssl 26 500f, 500f Firmware, A250 and 23 more 2023-12-10 5.0 MEDIUM 7.5 HIGH
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
CVE-2022-21703 3 Fedoraproject, Grafana, Netapp 3 Fedora, Grafana, E-series Performance Analyzer 2023-12-10 6.8 MEDIUM 8.8 HIGH
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVE-2022-21713 3 Fedoraproject, Grafana, Netapp 3 Fedora, Grafana, E-series Performance Analyzer 2023-12-10 3.5 LOW 4.3 MEDIUM
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVE-2021-32640 2 Netapp, Ws Project 2 E-series Performance Analyzer, Ws 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.
CVE-2021-23383 2 Handlebarsjs, Netapp 2 Handlebars, E-series Performance Analyzer 2023-12-10 7.5 HIGH 9.8 CRITICAL
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-28163 5 Apache, Eclipse, Fedoraproject and 2 more 23 Ignite, Solr, Jetty and 20 more 2023-12-10 4.0 MEDIUM 2.7 LOW
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-28164 3 Eclipse, Netapp, Oracle 17 Jetty, Cloud Manager, E-series Performance Analyzer and 14 more 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-33587 2 Css-what Project, Netapp 2 Css-what, E-series Performance Analyzer 2023-12-10 5.0 MEDIUM 7.5 HIGH
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
CVE-2021-28165 4 Eclipse, Jenkins, Netapp and 1 more 21 Jetty, Jenkins, Cloud Manager and 18 more 2023-12-10 7.8 HIGH 7.5 HIGH
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-33623 3 Debian, Netapp, Trim-newlines Project 3 Debian Linux, E-series Performance Analyzer, Trim-newlines 2023-12-10 5.0 MEDIUM 7.5 HIGH
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
CVE-2021-26707 2 Merge-deep Project, Netapp 2 Merge-deep, E-series Performance Analyzer 2023-12-10 7.5 HIGH 9.8 CRITICAL
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
CVE-2020-14782 5 Debian, Mcafee, Netapp and 2 more 15 Debian Linux, Epolicy Orchestrator, Active Iq Unified Manager and 12 more 2023-12-10 4.3 MEDIUM 3.7 LOW
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2021-20231 4 Fedoraproject, Gnu, Netapp and 1 more 5 Fedora, Gnutls, Active Iq Unified Manager and 2 more 2023-12-10 7.5 HIGH 9.8 CRITICAL
A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
CVE-2021-27219 5 Broadcom, Debian, Fedoraproject and 2 more 7 Brocade Fabric Operating System Firmware, Debian Linux, Fedora and 4 more 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.