CVE-2020-4185
https://notcve.org/view.php?id=CVE-2020-4185
IBM Security Guardium 10.5, 10.6, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 174803. IBM Security Guardium versiones 10.5, 10.6 y 11.1, usa algoritmos criptográficos más débiles de lo esperado que podrían permitir a un atacante descifrar información altamente confidencial. IBM X-Force ID: 174803 • https://exchange.xforce.ibmcloud.com/vulnerabilities/174803 https://www.ibm.com/support/pages/node/6254369 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2020-4173
https://notcve.org/view.php?id=CVE-2020-4173
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 174682. IBM Guardium Activity Insights versiones 10.6 y 11.0, no establece el atributo seguro sobre los tokens de autorización o las cookies de sesión. • https://exchange.xforce.ibmcloud.com/vulnerabilities/174682 https://www.ibm.com/support/pages/node/6244924 •
CVE-2020-4188
https://notcve.org/view.php?id=CVE-2020-4188
IBM Security Guardium 10.6 and 11.1 may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. IBM X-Force ID: 174807. IBM Security Guardium versiones 10.6 y 11.1, puede utilizar números o valores insuficientemente aleatorios en un contexto de seguridad que depende de números impredecibles. IBM X-Force ID: 174807 • https://exchange.xforce.ibmcloud.com/vulnerabilities/174807 https://www.ibm.com/support/pages/node/6237074 • CWE-330: Use of Insufficiently Random Values •
CVE-2020-4190
https://notcve.org/view.php?id=CVE-2020-4190
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851. IBM Security Guardium versiones 10.6, 11.0 y 11.1, contiene credenciales embebidas, tales como una contraseña o clave criptográfica, que las usa para su propia autenticación entrante, comunicación saliente hacia componentes externos o cifrado de datos internos. IBM X-Force ID: 174851. • https://exchange.xforce.ibmcloud.com/vulnerabilities/174851 https://www.ibm.com/support/pages/node/6218958 • CWE-798: Use of Hard-coded Credentials •
CVE-2014-7169 – GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. GNU Bash hasta 4.3 bash43-025 procesa cadenas finales después de la definición malformada de funciones en los valores de variables de entorno, lo que permite a atacantes remotos escribir hacia ficheros o posiblemente tener otro impacto desconocido a través de un entorno manipulado, tal y como se ha demostrado por vectores que involucran la característica ForceCommand en sshd OpenSSH, los módulos mod_cgi y mod_cgid en el Apache HTTP Server, scripts ejecutados por clientes DHCP no especificados, y otras situaciones en la cual establecer el entorno ocurre a través de un límite privilegiado de la ejecución de Bash. Nota: Esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-6271. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. • https://www.exploit-db.com/exploits/34777 https://www.exploit-db.com/exploits/34895 https://www.exploit-db.com/exploits/34839 https://www.exploit-db.com/exploits/36503 https://www.exploit-db.com/exploits/36504 https://www.exploit-db.com/exploits/34766 https://www.exploit-db.com/exploits/35115 https://www.exploit-db.com/exploits/36933 https://www.exploit-db.com/exploits/34765 https://www.exploit-db.com/exploits/34860 https://www.exploit-db.com/exploits/34879 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-228: Improper Handling of Syntactically Invalid Structure •