This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Netapp First view 2017-07-13
Product Oncommand Unified Manager Last view 2019-05-10
Version - Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software 7-mode  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:netapp:oncommand_unified_manager

Activity : Overall

Related : CVE

  Date Alert Description
7.5 2019-05-10 CVE-2019-5495

OnCommand Unified Manager for VMware vSphere, Linux and Windows prior to 9.5 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

7.5 2019-05-10 CVE-2019-5494

OnCommand Unified Manager 7-Mode prior to version 5.2.4 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

7.5 2019-04-08 CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

4.9 2019-01-16 CVE-2019-2539

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

4.9 2019-01-16 CVE-2019-2537

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

5 2019-01-16 CVE-2019-2536

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H).

4.1 2019-01-16 CVE-2019-2535

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

7.1 2019-01-16 CVE-2019-2534

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

6.5 2019-01-16 CVE-2019-2533

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

2.5 2019-01-16 CVE-2019-2513

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Shell). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N).

7.4 2019-01-07 CVE-2018-5481

OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MITM) attacks.

4.9 2018-10-16 CVE-2018-3212

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Information Schema). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

6.5 2018-10-16 CVE-2018-3203

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

6.5 2018-10-16 CVE-2018-3145

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

9.8 2018-06-26 CVE-2017-7657

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

5.3 2018-06-22 CVE-2017-7568

NetApp OnCommand Unified Manager for 7-Mode (core package) versions prior to 5.2.3 may disclose sensitive LDAP account information to authenticated users when the LDAP authentication configuration is tested via the user interface.

9.8 2018-05-24 CVE-2018-5487

NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution.

7.8 2018-05-24 CVE-2018-5485

NetApp OnCommand Unified Manager for Windows versions 7.2 through 7.3 are susceptible to a vulnerability which could lead to a privilege escalation attack.

7.8 2018-04-25 CVE-2018-5486

NetApp OnCommand Unified Manager for Linux versions 7.2 though 7.3 ship with the Java Debug Wire Protocol (JDWP) enabled which allows unauthorized local attackers to execute arbitrary code.

8.3 2018-04-18 CVE-2018-2826

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

7.5 2017-11-13 CVE-2016-8610

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

4.3 2017-11-09 CVE-2017-11461

NetApp OnCommand Unified Manager for 7-mode (core package) versions prior to 5.2.1 are susceptible to a clickjacking or "UI redress attack" which could be used to cause a user to perform an unintended action in the user interface.

9.1 2017-07-13 CVE-2017-9788

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

CWE : Common Weakness Enumeration

%idName
36% (7) CWE-284 Access Control (Authorization) Issues
15% (3) CWE-200 Information Exposure
15% (3) CWE-20 Improper Input Validation
5% (1) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
5% (1) CWE-362 Race Condition
5% (1) CWE-311 Missing Encryption of Sensitive Data
5% (1) CWE-306 Missing Authentication for Critical Function
5% (1) CWE-254 Security Features
5% (1) CWE-190 Integer Overflow or Wraparound

Snort® IPS/IDS

Date Description
2017-08-31 Apache mod_auth_digest out of bounds read attempt
RuleID : 43790 - Type : SERVER-OTHER - Revision : 2
2016-12-29 OpenSSL SSLv3 warning denial of service attempt
RuleID : 40843 - Type : SERVER-OTHER - Revision : 3

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_8_0_14.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_7_25.nasl - Type: ACT_GATHER_INFO
2019-01-17 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_5_6_43.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-c82fc3e109.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-48b73ed393.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-2478.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1379.nasl - Type: ACT_GATHER_INFO
2018-10-22 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_ec5072b0d43a11e8a6d2b499baebfeaf.nasl - Type: ACT_GATHER_INFO
2018-10-19 Name: The remote database server is affected by multiple vulnerabilities.
File: mysql_8_0_13.nasl - Type: ACT_GATHER_INFO
2018-08-20 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4278.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0130.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2017-0027.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0039.nasl - Type: ACT_GATHER_INFO
2018-07-13 Name: The remote Fedora host is missing a security update.
File: fedora_2018-93a507fd0f.nasl - Type: ACT_GATHER_INFO
2018-03-21 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa_10838.nasl - Type: ACT_GATHER_INFO
2018-03-08 Name: The remote AIX host has a version of OpenSSL installed that is affected by a ...
File: aix_openssl_advisory22.nasl - Type: ACT_GATHER_INFO
2017-11-20 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3240.nasl - Type: ACT_GATHER_INFO
2017-11-14 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3195.nasl - Type: ACT_GATHER_INFO
2017-11-14 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3194.nasl - Type: ACT_GATHER_INFO
2017-11-14 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3193.nasl - Type: ACT_GATHER_INFO
2017-11-08 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3113.nasl - Type: ACT_GATHER_INFO
2017-11-03 Name: The remote host is missing a macOS or Mac OS X security update that fixes mul...
File: macosx_SecUpd2017-004.nasl - Type: ACT_GATHER_INFO
2017-10-30 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201710-32.nasl - Type: ACT_GATHER_INFO
2017-10-19 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2017-2756-1.nasl - Type: ACT_GATHER_INFO
2017-10-18 Name: The remote host is affected by a TLS/SSL vulnerability.
File: screenos_JSA10808.nasl - Type: ACT_GATHER_INFO