Filtered by vendor Netapp
Subscriptions
Filtered by product Active Iq Unified Manager
Subscriptions
Total
835 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9823 | 3 Eclipse, Netapp, Redhat | 5 Jetty, Active Iq Unified Manager, Bootstrap Os and 2 more | 2025-07-30 | 5.3 Medium |
| There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally. | ||||
| CVE-2024-2398 | 6 Apple, Curl, Fedoraproject and 3 more | 27 Macos, Curl, Fedora and 24 more | 2025-07-30 | 8.6 High |
| When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. | ||||
| CVE-2024-8096 | 4 Curl, Debian, Haxx and 1 more | 16 Curl, Debian Linux, Curl and 13 more | 2025-07-30 | 6.5 Medium |
| When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. | ||||
| CVE-2024-2379 | 4 Apple, Haxx, Netapp and 1 more | 21 Macos, Curl, Active Iq Unified Manager and 18 more | 2025-07-30 | 6.3 Medium |
| libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. | ||||
| CVE-2024-7254 | 3 Google, Netapp, Redhat | 15 Google-protobuf, Protobuf, Protobuf-java and 12 more | 2025-07-30 | 7.5 High |
| Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. | ||||
| CVE-2017-12617 | 6 Apache, Canonical, Debian and 3 more | 60 Tomcat, Ubuntu Linux, Debian Linux and 57 more | 2025-07-30 | 8.1 High |
| When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | ||||
| CVE-2018-11776 | 3 Apache, Netapp, Oracle | 8 Struts, Active Iq Unified Manager, Oncommand Insight and 5 more | 2025-07-30 | 8.1 High |
| Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. | ||||
| CVE-2019-13272 | 6 Canonical, Debian, Fedoraproject and 3 more | 25 Ubuntu Linux, Debian Linux, Fedora and 22 more | 2025-07-30 | 7.8 High |
| In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments. | ||||
| CVE-2020-11023 | 8 Debian, Drupal, Fedoraproject and 5 more | 78 Debian Linux, Drupal, Fedora and 75 more | 2025-07-30 | 6.9 Medium |
| In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2021-3156 | 9 Beyondtrust, Debian, Fedoraproject and 6 more | 38 Privilege Management For Mac, Privilege Management For Unix\/linux, Debian Linux and 35 more | 2025-07-30 | 7.8 High |
| Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. | ||||
| CVE-2021-44228 | 13 Apache, Apple, Bentley and 10 more | 178 Log4j, Xcode, Synchro and 175 more | 2025-07-30 | 10 Critical |
| Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. | ||||
| CVE-2023-4863 | 10 Bandisoft, Bentley, Debian and 7 more | 17 Honeyview, Seequent Leapfrog, Debian Linux and 14 more | 2025-07-30 | 8.8 High |
| Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) | ||||
| CVE-2023-41993 | 7 Apple, Debian, Fedoraproject and 4 more | 17 Ipad Os, Ipados, Iphone Os and 14 more | 2025-07-30 | 8.8 High |
| The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | ||||
| CVE-2020-15778 | 4 Broadcom, Netapp, Openbsd and 1 more | 11 Fabric Operating System, A700s, A700s Firmware and 8 more | 2025-07-28 | 7.4 High |
| scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." | ||||
| CVE-2025-26465 | 4 Debian, Netapp, Openbsd and 1 more | 9 Debian Linux, Active Iq Unified Manager, Ontap and 6 more | 2025-07-25 | 6.8 Medium |
| A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. | ||||
| CVE-2025-31672 | 2 Apache, Netapp | 2 Poi, Active Iq Unified Manager | 2025-07-15 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely. | ||||
| CVE-2024-1635 | 2 Netapp, Redhat | 26 Active Iq Unified Manager, Oncommand Workflow Automation, Amq Streams and 23 more | 2025-07-08 | 7.5 High |
| A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak. | ||||
| CVE-2019-10219 | 3 Netapp, Oracle, Redhat | 199 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 196 more | 2025-07-07 | 6.1 Medium |
| A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. | ||||
| CVE-2025-30722 | 2 Netapp, Oracle | 4 Active Iq Unified Manager, Snapcenter, Mysql Client and 1 more | 2025-06-27 | 5.3 Medium |
| Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N). | ||||
| CVE-2021-32292 | 2 Json-c, Netapp | 2 Json-c, Active Iq Unified Manager | 2025-06-25 | 9.8 Critical |
| An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit. | ||||