CVE-2019-3612 – Information disclosure vulnerability in McAfee TIE Server and DXL Platform
https://notcve.org/view.php?id=CVE-2019-3612
Information disclosure vulnerability in McAfee DXL Platform and TIE Server, in DXL prior to 5.0.1 HF2 and TIE prior to 2.3.1 HF1, allows authenticated users to view sensitive information in plain text via the GUI or command line.
• https://kc.mcafee.com/corporate/index?page=content&id=SB10279
• CWE-312: Cleartext Storage of Sensitive Information
CVE-2019-1559 – 0-byte record padding oracle
https://notcve.org/view.php?id=CVE-2019-1559
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html
• http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html
• http://www.securityfocus.com/bid/107174
• https://access.
• CWE-203: Observable Discrepancy
• CWE-325: Missing Cryptographic Step
CVE-2018-6695 – Threat Intelligence Exchange Server (TIE Server) SSH host keys generation vulnerability
https://notcve.org/view.php?id=CVE-2018-6695
SSH host keys generation vulnerability in the server in McAfee Threat Intelligence Exchange Server (TIE Server) 1.3.0, 2.0.x, 2.1.x, 2.2.0 allows man-in-the-middle attackers to spoof servers via acquiring keys from another environment.
• https://kc.mcafee.com/corporate/index?page=content&id=SB10253
CVE-2017-3907 – McAfee Threat Intelligence Exchange (TIE) Server - Code Injection vulnerability
https://notcve.org/view.php?id=CVE-2017-3907
Code Injection vulnerability in the ePolicy Orchestrator (ePO) extension in McAfee Threat Intelligence Exchange (TIE) Server 2.1.0 and earlier allows remote attackers to execute arbitrary HTML code to be reflected in the response web page via an unspecified vector.
• https://kc.mcafee.com/corporate/index?page=content&id=SB10207
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2015-7238
https://notcve.org/view.php?id=CVE-2015-7238
The Secondary server in Threat Intelligence Exchange (TIE) before 1.2.0 uses weak permissions for unspecified (1) configuration files and (2) installation logs, which allows local users to obtain sensitive information by reading the files.
• https://kc.mcafee.com/corporate/index?page=content&id=SB10132
• CWE-264: Permissions, Privileges, and Access Controls