CVSS: 10.0EPSS: 0%CPEs: 58EXPL: 0CVE-2019-5490
https://notcve.org/view.php?id=CVE-2019-5490
Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY. Ciertas versiones entre la 2.x y la 5.x (véase el advisory) del firmware de NetApp Service Processor se distribuían con una cuenta por defecto habilitada que podría permitir la ejecución no autorizada de comandos arbitrarios. Cualquier plataforma listada en la sección "impact" del advisory podría haberse visto afectada y debe actualizarse a una versión solucionada del firmware de Service Processor INMEDIATAMENTE. • http://support.lenovo.com/us/en/solutions/LEN-26771 https://security.netapp.com/advisory/ntap-20190305-0001 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 5.9EPSS: 1%CPEs: 180EXPL: 0CVE-2019-1559 – 0-byte record padding oracle
https://notcve.org/view.php?id=CVE-2019-1559
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html http://www.securityfocus.com/bid/107174 https://access. • CWE-203: Observable Discrepancy CWE-325: Missing Cryptographic Step •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-5496
https://notcve.org/view.php?id=CVE-2018-5496
Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user. Data ONTAP, operando en modo7-Mode, en versiones anteriores a la 8.2.5P2, es susceptible a una vulnerabilidad que revela información sensible a un usuario no autorizado. • https://security.netapp.com/advisory/ntap-20181204-0001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-1895
https://notcve.org/view.php?id=CVE-2016-1895
NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling. NetApp Data ONTAP en versiones anteriores a la 8.2.5 y 8.3.x en versiones anteriores a la 8.3.2P12 permite que atacantes remotos autenticados provoquen una denegación de servicio mediante vectores relacionados con la gestión no segura de cadenas de entrada de usuario. • https://kb.netapp.com/support/s/article/NTAP-20170831-0003 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7746
https://notcve.org/view.php?id=CVE-2015-7746
NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language. NetApp Data ONTAP en versiones anteriores a la 8.2.4, al operar en 7-Mode, permite que atacantes remotos omitan la autenticación y (1) obtengan información sensible de o (2) modificar volúmenes mediante vectores relacionados con UTF-8 en el lenguaje del volumen. • https://kb.netapp.com/support/index?page=content&id=9010049 • CWE-287: Improper Authentication •