CVE-2017-14376
https://notcve.org/view.php?id=CVE-2017-14376
EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system. EMC AppSync Server, en versiones anteriores a la 3.5.0.1, contiene cuentas de bases de datos con contraseñas embebidas, lo que podría ser explotado por usuarios maliciosos con el fin de comprometer el sistema afectado. • http://seclists.org/fulldisclosure/2017/Oct/68 http://www.securityfocus.com/bid/101626 • CWE-798: Use of Hard-coded Credentials •
CVE-2017-8018
https://notcve.org/view.php?id=CVE-2017-8018
EMC AppSync host plug-in versions 3.5 and below (Windows platform only) includes a denial of service (DoS) vulnerability that could potentially be exploited by malicious users to compromise the affected system. El plugin host EMC AppSync en versiones 3.5 y anteriores (sólo en la plataforma Windows) incluye una vulnerabilidad de denegación de servicio (DoS) que podría se explotada por usuarios maliciosos para comprometer el sistema afectado. • http://seclists.org/fulldisclosure/2017/Sep/75 http://www.securityfocus.com/bid/101016 • CWE-20: Improper Input Validation •
CVE-2017-8015 – EMC AppSync Apollo REST Services SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2017-8015
EMC AppSync (all versions prior to 3.5) contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system. EMC AppSync (en todas las versiones anteriores a la 3.5) contiene una vulnerabilidad de inyección SQL que podría ser explotada por usuarios maliciosos con el fin de comprometer el sistema afectado. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of EMC Appsync. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be easily bypassed. The specific flaw exists within Apollo REST services, which listens on TCP port 8445 by default. When parsing the query request parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. • http://seclists.org/fulldisclosure/2017/Sep/14 http://www.securityfocus.com/bid/100683 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-4634
https://notcve.org/view.php?id=CVE-2014-4634
Unquoted Windows search path vulnerability in EMC Replication Manager through 5.5.2 and AppSync before 2.1.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. Vulnerabilidad de búsqueda de ruta en Windows sin entrecomillar en EMC Replication Manager a través de 5.5.2 y AppSync anterior a 2.1.0 permite a usuarios locales obtener privilegios a través de un troyano con el nombre compuesto por una subcadena inicial de una ruta que contiene el carácter de espacio. • http://archives.neohapsis.com/archives/bugtraq/2014-12/0170.html •