Filtered by vendor Netapp
Subscriptions
Total
2377 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-23302 | 6 Apache, Broadcom, Netapp and 3 more | 44 Log4j, Brocade Sannav, Snapmanager and 41 more | 2024-11-21 | 8.8 High |
| JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | ||||
| CVE-2022-23241 | 1 Netapp | 1 Clustered Data Ontap | 2024-11-21 | 8.1 High |
| Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period. | ||||
| CVE-2022-23239 | 1 Netapp | 1 Active Iq Unified Manager | 2024-11-21 | 4.8 Medium |
| Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack. | ||||
| CVE-2022-23238 | 5 Canonical, Centos, Linux and 2 more | 5 Ubuntu Linux, Centos, Linux Kernel and 2 more | 2024-11-21 | 6.5 Medium |
| Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content. | ||||
| CVE-2022-23237 | 1 Netapp | 1 E-series Santricity Os Controller | 2024-11-21 | 6.1 Medium |
| E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites. | ||||
| CVE-2022-23236 | 1 Netapp | 1 E-series Santricity Os Controller | 2024-11-21 | 4.4 Medium |
| E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users. | ||||
| CVE-2022-23235 | 1 Netapp | 1 Active Iq Unified Manager | 2024-11-21 | 5.3 Medium |
| Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled. | ||||
| CVE-2022-23234 | 1 Netapp | 1 Snapcenter | 2024-11-21 | 5.5 Medium |
| SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials. | ||||
| CVE-2022-23233 | 1 Netapp | 1 Storagegrid | 2024-11-21 | 7.5 High |
| StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service. | ||||
| CVE-2022-23232 | 1 Netapp | 1 Storagegrid | 2024-11-21 | 4.9 Medium |
| StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale). | ||||
| CVE-2022-23222 | 5 Debian, Fedoraproject, Linux and 2 more | 22 Debian Linux, Fedora, Linux Kernel and 19 more | 2024-11-21 | 7.8 High |
| kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types. | ||||
| CVE-2022-22978 | 4 Netapp, Oracle, Redhat and 1 more | 5 Active Iq Unified Manager, Financial Services Crime And Compliance Management Studio, Jboss Fuse and 2 more | 2024-11-21 | 9.8 Critical |
| In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. | ||||
| CVE-2022-22976 | 4 Netapp, Oracle, Redhat and 1 more | 5 Active Iq Unified Manager, Financial Services Crime And Compliance Management Studio, Jboss Fuse and 2 more | 2024-11-21 | 5.3 Medium |
| Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE. | ||||
| CVE-2022-22971 | 4 Netapp, Oracle, Redhat and 1 more | 6 Cloud Secure Agent, Oncommand Insight, Financial Services Crime And Compliance Management Studio and 3 more | 2024-11-21 | 6.5 Medium |
| In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. | ||||
| CVE-2022-22970 | 4 Netapp, Oracle, Redhat and 1 more | 8 Active Iq Unified Manager, Brocade San Navigator, Cloud Secure Agent and 5 more | 2024-11-21 | 5.3 Medium |
| In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. | ||||
| CVE-2022-22968 | 4 Netapp, Oracle, Redhat and 1 more | 9 Active Iq Unified Manager, Cloud Secure Agent, Metrocluster Tiebreaker and 6 more | 2024-11-21 | 5.3 Medium |
| In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. | ||||
| CVE-2022-22844 | 4 Debian, Libtiff, Netapp and 1 more | 4 Debian Linux, Libtiff, Ontap Select Deploy Administration Utility and 1 more | 2024-11-21 | 5.5 Medium |
| LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. | ||||
| CVE-2022-22576 | 6 Brocade, Debian, Haxx and 3 more | 18 Fabric Operating System, Debian Linux, Curl and 15 more | 2024-11-21 | 8.1 High |
| An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). | ||||
| CVE-2022-21824 | 5 Debian, Netapp, Nodejs and 2 more | 16 Debian Linux, Oncommand Insight, Oncommand Workflow Automation and 13 more | 2024-11-21 | 8.2 High |
| Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. | ||||
| CVE-2022-21713 | 4 Fedoraproject, Grafana, Netapp and 1 more | 4 Fedora, Grafana, E-series Performance Analyzer and 1 more | 2024-11-21 | 4.3 Medium |
| Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. | ||||