Total
1333 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43998 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-04 | 6.5 Medium |
| HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. | ||||
| CVE-2021-43065 | 1 Fortinet | 1 Fortinac | 2024-08-04 | 7.8 High |
| A incorrect permission assignment for critical resource in Fortinet FortiNAC version 9.2.0, version 9.1.3 and below, version 8.8.9 and below allows attacker to gain higher privileges via the access to sensitive system data. | ||||
| CVE-2021-43034 | 1 Kaseya | 1 Unitrends Backup | 2024-08-04 | 7.8 High |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation. | ||||
| CVE-2021-42955 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Remote Access Plus | 2024-08-04 | 7.3 High |
| Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account. | ||||
| CVE-2021-42954 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Remote Access Plus | 2024-08-04 | 7.8 High |
| Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc. | ||||
| CVE-2021-42309 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-08-04 | 8.8 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2021-42115 | 1 Businessdnasolutions | 1 Topease | 2024-08-04 | 8.1 High |
| Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID. | ||||
| CVE-2021-41802 | 1 Hashicorp | 1 Vault | 2024-08-04 | 2.9 Low |
| HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. | ||||
| CVE-2021-41589 | 1 Gradle | 2 Build Cache Node, Enterprise | 2024-08-04 | 9.8 Critical |
| In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used. | ||||
| CVE-2021-41170 | 1 Neoan | 1 Neoan3-template | 2024-08-04 | 9.8 Critical |
| neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a method or function in scope and can therefore be executed either by mistake or maliciously. In theory all users of the package are affected as long as they either deal with direct user input or database values. A multi-step attack on is therefore plausible. Version 1.1.1 has addressed this vulnerability. Unfortunately only working with hardcoded values is safe in prior versions. As this likely defeats the purpose of a template engine, please upgrade. | ||||
| CVE-2021-41091 | 2 Fedoraproject, Mobyproject | 2 Fedora, Moby | 2024-08-04 | 6.3 Medium |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers. | ||||
| CVE-2021-41035 | 2 Eclipse, Redhat | 3 Openj9, Enterprise Linux, Rhel Extras | 2024-08-04 | 9.8 Critical |
| In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. | ||||
| CVE-2021-40649 | 1 Softwareag | 1 Connx | 2024-08-04 | 6.5 Medium |
| In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the HttpOnly flag set. | ||||
| CVE-2021-40343 | 1 Nagios | 1 Nagios Xi | 2024-08-04 | 7.8 High |
| An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user. | ||||
| CVE-2021-40331 | 1 Apache | 1 Ranger | 2024-08-04 | 8.1 High |
| An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later. | ||||
| CVE-2021-40101 | 1 Concretecms | 1 Concrete Cms | 2024-08-04 | 7.2 High |
| An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. | ||||
| CVE-2021-40067 | 1 Netmotionsoftware | 1 Mobility | 2024-08-04 | 6.8 Medium |
| The access controls on the Mobility read-write API improperly validate user access permissions; this API is disabled by default. If the API is manually enabled, attackers with both network access to the API and valid credentials can read and write data to it; regardless of access control group membership settings. This vulnerability is fixed in Mobility v12.14. | ||||
| CVE-2021-40066 | 1 Netmotionsoftware | 1 Mobility | 2024-08-04 | 5.3 Medium |
| The access controls on the Mobility read-only API improperly validate user access permissions. Attackers with both network access to the API and valid credentials can read data from it; regardless of access control group membership settings. This vulnerability is fixed in Mobility v11.76 and Mobility v12.14. | ||||
| CVE-2021-39992 | 1 Huawei | 1 Emui | 2024-08-04 | 7.8 High |
| There is an improper security permission configuration vulnerability on ACPU.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | ||||
| CVE-2021-39868 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium |
| In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. | ||||