Security Vulnerabilities - CVEs Published In March 2019
Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container. In version 1.4.0, a unique certificate will be generated on installation or the user will be able to provide their own TLS certificate for ingress.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-03-21
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, KMS blocks users or grants access to users incorrectly if the system uses non-default groups mapping mechanisms.
CVSS Score: 7.4 | EPSS Score: 0.022 | Published: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow XSS.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
CVSS Score: 8.8 | EPSS Score: 0.674 | Published: 2019-03-21
It was found that dropbear before version 2013.59 with GSSAPI leaks whether a given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2019-03-21
In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2019-03-21
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.
CVSS Score: 7.5 | EPSS Score: 0.017 | Published: 2019-03-21
IBM InfoSphere Streams 4.2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134632.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2019-03-21
NetIQ eDirectory versions prior to 9.0.2, under some circumstances, could be susceptible to downgrade of communication security.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-03-21
Moxa G3100V2 Series, editions prior to Version 2.8, and OnCell G3111/G3151/G3211/G3251 Series, editions prior to Version 1.7, allow a reflected cross-site scripting attack which may allow an attacker to execute arbitrary script code in the user's browser within the trust relationship between their browser and the server.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-03-21