Netapp Cloud Manager: Security Vulnerabilities
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVSS Score: 2.7, EPSS Score: 0.042, Published: 2021-04-01
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSS Score: 5.3, EPSS Score: 0.824, Published: 2021-04-01
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSS Score: 7.5, EPSS Score: 0.539, Published: 2021-04-01
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files.
CVSS Score: 9.1, EPSS Score: 0.015, Published: 2021-03-19
Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin Resource Sharing (CORS) policy which could allow a remote attacker to interact with Cloud Manager.
CVSS Score: 7.5, EPSS Score: 0.012, Published: 2021-03-19
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability which could allow a remote attacker to cause a Denial of Service (DoS).
CVSS Score: 7.5, EPSS Score: 0.014, Published: 2021-03-19
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
CVSS Score: 8.6, EPSS Score: 0.082, Published: 2021-03-19
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2, EPSS Score: 0.224, Published: 2021-02-15
An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.
CVSS Score: 7.5, EPSS Score: 0.026, Published: 2020-06-30

