Vulnerabilities (CVE)

Filtered by vendor Netapp Subscribe
Filtered by product Snap Creator Framework
Total 29 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-11023 6 Debian, Drupal, Fedoraproject and 3 more 47 Debian Linux, Drupal, Fedora and 44 more 2021-11-17 4.3 MEDIUM 6.1 MEDIUM
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-11022 7 Debian, Drupal, Fedoraproject and 4 more 72 Debian Linux, Drupal, Fedora and 69 more 2021-11-17 4.3 MEDIUM 6.1 MEDIUM
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2021-34429 3 Apache, Eclipse, Netapp 9 Zookeeper, Jetty, E-series Santricity Os Controller and 6 more 2021-10-28 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
CVE-2021-23926 2 Apache, Netapp 4 Xmlbeans, Oncommand Unified Manager Core Package, Snap Creator Framework and 1 more 2021-10-20 6.4 MEDIUM 9.1 CRITICAL
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CVE-2021-34428 3 Debian, Eclipse, Netapp 8 Debian Linux, Jetty, Active Iq Unified Manager and 5 more 2021-10-20 3.6 LOW 3.5 LOW
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVE-2020-10683 5 Canonical, Dom4j Project, Netapp and 2 more 34 Ubuntu Linux, Dom4j, Oncommand Api Services and 31 more 2021-10-20 7.5 HIGH 9.8 CRITICAL
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CVE-2020-13954 3 Apache, Netapp, Oracle 5 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 2 more 2021-10-20 4.3 MEDIUM 6.1 MEDIUM
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
CVE-2020-27218 2 Eclipse, Netapp 3 Jetty, Oncommand System Manager, Snap Creator Framework 2021-10-20 5.8 MEDIUM 4.8 MEDIUM
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
CVE-2020-5421 4 Apache, Netapp, Oracle and 1 more 37 Ambari, Hive, Oncommand Insight and 34 more 2021-10-20 3.6 LOW 6.5 MEDIUM
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-10878 5 Fedoraproject, Netapp, Opensuse and 2 more 6 Fedora, Oncommand Workflow Automation, Snap Creator Framework and 3 more 2021-10-20 7.5 HIGH 8.6 HIGH
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVE-2020-12723 5 Fedoraproject, Netapp, Opensuse and 2 more 6 Fedora, Oncommand Workflow Automation, Snap Creator Framework and 3 more 2021-10-20 5.0 MEDIUM 7.5 HIGH
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVE-2020-27216 6 Apache, Debian, Eclipse and 3 more 12 Beam, Debian Linux, Jetty and 9 more 2021-10-20 4.4 MEDIUM 7.0 HIGH
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVE-2020-27223 5 Apache, Debian, Eclipse and 2 more 16 Nifi, Solr, Spark and 13 more 2021-09-16 4.3 MEDIUM 5.3 MEDIUM
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CVE-2018-1000632 5 Debian, Dom4j Project, Netapp and 2 more 15 Debian Linux, Dom4j, Oncommand Workflow Automation and 12 more 2021-09-07 5.0 MEDIUM 7.5 HIGH
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
CVE-2019-10247 3 Eclipse, Netapp, Oracle 24 Jetty, Element, Oncommand System Manager and 21 more 2021-08-05 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2017-7658 5 Debian, Eclipse, Hp and 2 more 20 Debian Linux, Jetty, Xp P9000 and 17 more 2021-07-20 7.5 HIGH 9.8 CRITICAL
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVE-2017-7657 5 Debian, Eclipse, Hp and 2 more 18 Debian Linux, Jetty, Xp P9000 and 15 more 2021-07-20 7.5 HIGH 9.8 CRITICAL
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVE-2018-11784 6 Apache, Canonical, Debian and 3 more 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more 2021-07-13 4.3 MEDIUM 4.3 MEDIUM
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
CVE-2019-10246 4 Eclipse, Microsoft, Netapp and 1 more 26 Jetty, Windows, Element and 23 more 2021-06-14 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
CVE-2021-23901 2 Apache, Netapp 2 Nutch, Snap Creator Framework 2021-05-17 6.4 MEDIUM 9.1 CRITICAL
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.