Product:

Snap_creator_framework

(Netapp)
Repositories https://github.com/Perl/perl5
https://github.com/dom4j/dom4j
#Vulnerabilities 41
Date Id Summary Products Score Patch Annotated
2020-11-28 CVE-2020-27218 In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject... Kafka, Spark, Debian_linux, Jetty, Oncommand_system_manager, Snap_creator_framework, Blockchain_platform, Communications_converged_application_server_\-_service_controller, Communications_offline_mediation_controller, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_session_route_manager, Flexcube_private_banking, Hyperion_infrastructure_technology, Rest_data_services, Retail_eftlink, Siebel_core_\-_automation 4.8
2017-08-10 CVE-2016-0762 The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_insight, Oncommand_shift, Snap_creator_framework, Communications_diameter_signaling_router, Tekelec_platform_distribution, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_web_server 5.9
2017-08-10 CVE-2016-5018 In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_insight, Oncommand_shift, Snap_creator_framework, Tekelec_platform_distribution, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_application_platform, Jboss_enterprise_web_server 9.1
2017-08-10 CVE-2016-6794 When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_insight, Oncommand_shift, Snap_creator_framework, Tekelec_platform_distribution, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_web_server 5.3
2017-08-10 CVE-2016-6797 The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_insight, Oncommand_shift, Snap_creator_framework, Tekelec_platform_distribution, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_web_server 7.5
2017-08-11 CVE-2016-6796 A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_insight, Oncommand_shift, Snap_creator_framework, Tekelec_platform_distribution, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_application_platform, Jboss_enterprise_web_server 7.5
2018-10-04 CVE-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. Tomcat, Ubuntu_linux, Debian_linux, Snap_creator_framework, Communications_application_session_controller, Hospitality_guest_access, Instantis_enterprisetrack, Retail_order_broker, Secure_global_desktop, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation 4.3
2018-06-22 CVE-2018-12538 In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. Jetty, E\-Series_santricity_management_plug\-Ins, E\-Series_santricity_os_controller, E\-Series_santricity_web_services_proxy, Element_software, Hyper_converged_infrastructure, Oncommand_system_manager, Oncommand_unified_manager, Santricity_cloud_connector, Snap_creator_framework, Snapcenter, Snapmanager 8.8
2018-06-26 CVE-2017-7657 In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary... Debian_linux, Jetty, Xp_p9000_command_view, E\-Series_santricity_management, E\-Series_santricity_os_controller, E\-Series_santricity_web_services, Element_software, Element_software_management_node, Hci_storage_nodes, Oncommand_system_manager, Oncommand_unified_manager, Santricity_cloud_connector, Snap_creator_framework, Snapcenter, Snapmanager, Rest_data_services, Retail_xstore_point_of_service 9.8
2018-06-26 CVE-2017-7658 In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the... Debian_linux, Jetty, Xp_p9000_command_view, E\-Series_santricity_management, E\-Series_santricity_os_controller, E\-Series_santricity_web_services, Hci_management_node, Hci_storage_node, Oncommand_system_manager, Oncommand_unified_manager_for_7\-Mode, Santricity_cloud_connector, Snap_creator_framework, Snapcenter, Snapmanager, Solidfire, Storage_services_connector, Rest_data_services, Retail_xstore_payment, Retail_xstore_point_of_service 9.8