Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1343 | 1 Netiq | 1 Privileged Account Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| PAM exposure enabling unauthenticated access to remote host | |||||
| CVE-2018-1317 | 1 Apache | 1 Zeppelin | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. | |||||
| CVE-2018-1312 | 5 Apache, Canonical, Debian and 2 more | 14 Http Server, Ubuntu Linux, Debian Linux and 11 more | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. | |||||
| CVE-2018-1286 | 1 Apache | 1 Openmeetings | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users. | |||||
| CVE-2018-19834 | 1 Bombba Project | 1 Bombba | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The quaker function of a smart contract implementation for BOMBBA (BOMB), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19833 | 1 Ddq Project | 1 Ddq | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The owned function of a smart contract implementation for DDQ, an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19832 | 1 Newinteltechmedia Project | 1 Newinteltechmedia | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19831 | 1 Cryptbond Network Project | 1 Cryptbond Network | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), an tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19645 | 1 Microfocus | 1 Solutions Business Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| An Authentication Bypass issue exists in Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. | |||||
| CVE-2018-18095 | 1 Intel | 4 Ssd Dc S4500, Ssd Dc S4500 Firmware, Ssd Dc S4600 and 1 more | 2023-11-07 | 4.6 MEDIUM | 6.8 MEDIUM |
| Improper authentication in firmware for Intel(R) SSD DC S4500 Series and Intel(R) SSD DC S4600 Series before SCV10150 may allow an unprivileged user to potentially enable escalation of privilege via physical access. | |||||
| CVE-2018-17957 | 1 Suse | 1 Repository Mirroring Tool | 2023-11-07 | 2.1 LOW | 7.8 HIGH |
| The YaST2 RMT module for configuring the SUSE Repository Mirroring Tool (RMT) before 1.1.2 exposed MySQL database passwords on process commandline, allowing local attackers to access or corrupt the RMT database. | |||||
| CVE-2018-16886 | 3 Etcd, Fedoraproject, Redhat | 5 Etcd, Fedora, Enterprise Linux Desktop and 2 more | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway. | |||||
| CVE-2018-16877 | 6 Canonical, Clusterlabs, Debian and 3 more | 9 Ubuntu Linux, Pacemaker, Debian Linux and 6 more | 2023-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. | |||||
| CVE-2018-16738 | 3 Debian, Starwindsoftware, Tinc-vpn | 3 Debian Linux, Starwind Virtual San, Tinc | 2023-11-07 | 4.3 MEDIUM | 3.7 LOW |
| tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1. | |||||
| CVE-2018-16737 | 2 Starwindsoftware, Tinc-vpn | 2 Starwind Virtual San, Tinc | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation. | |||||
| CVE-2018-14786 | 1 Bd | 8 Alaris Cc, Alaris Cc Firmware, Alaris Gh and 5 more | 2023-11-07 | 7.5 HIGH | 9.4 CRITICAL |
| Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality that requires a provable user identity, where it may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port. | |||||
| CVE-2018-12472 | 1 Suse | 1 Subscription Management Tool | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| A improper authentication using the HOST header in SUSE Linux SMT allows remote attackers to spoof a sibling server. Affected releases are SUSE Linux SMT: versions prior to 3.0.37. | |||||
| CVE-2018-11787 | 1 Apache | 1 Karaf | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised. | |||||
| CVE-2018-11765 | 1 Apache | 1 Hadoop | 2023-11-07 | 4.3 MEDIUM | 7.5 HIGH |
| In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. | |||||
| CVE-2018-10825 | 1 Mimobaby | 2 Mimo Baby 2, Mimo Baby 2 Firmware | 2023-11-07 | 2.9 LOW | 5.3 MEDIUM |
| Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack. | |||||