HP: Security Vulnerabilities
A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. Two now-deprecated APIs run as root, accept a file name path, and can be used to create or delete arbitrary files on the nodes. These APIs do not require user authentication and are accessible over the management network, resulting in remote availability and integrity vulnerabilities. For all customers running HPE OmniStack version 3.7.9 and earlier, HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround (https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061675&withFrame) for you to implement. All customers should upgrade to the recommended 3.7.10 or later version at the earliest convenience.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2020-01-03
A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. An API used to execute a command manifest file during upgrade does not correctly prevent directory traversal and so can be used to execute manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files. For all customers running HPE OmniStack version 3.7.9 and earlier, HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround (https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901&withFrame) for you to implement. All customers should upgrade to the recommended 3.7.10 or later version at the earliest convenience.
CVSS Score: 9.8
EPSS Score: 0.043
Published: 2020-01-03
Security vulnerabilities in HPE UIoT version 1.2.4.2 could allow unauthorized remote access and access to sensitive data. HPE has addressed this issue in HPE UIoT: for customers with release UIoT 1.2.4.2, fixes are made available with 1.2.4.2 RP3 HF1. For customers with a release older than 1.2.4.2, such as 1.2.4.1 or 1.2.4.0, the resolution will be to upgrade to 1.2.4.2 RP3 HF1. Customers are requested to upgrade to the updated versions or contact HPE support for further assistance.
CVSS Score: 7.5
EPSS Score: 0.011
Published: 2019-12-18
A security vulnerability in HPE OneView for VMware vCenter 9.5 could be exploited remotely to allow Cross-Site Scripting.
CVSS Score: 6.1
EPSS Score: 0.009
Published: 2019-12-18
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive.
CVSS Score: 4.6
EPSS Score: 0.003
Published: 2019-11-22
An attacker may be able to bypass the OS application filter, which is meant to restrict the applications that can be executed, by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.
CVSS Score: 6.8
EPSS Score: 0.002
Published: 2019-11-22
In HP ThinPro Linux 6.2, 6.2.1, 7.0 and 7.1, an attacker may be able to leverage the application filter bypass vulnerability to gain privileged access to create a file on the local file system whose presence puts the device in Administrative Mode, which will allow the attacker to execute commands with elevated privileges.
CVSS Score: 6.8
EPSS Score: 0.002
Published: 2019-11-22
The VPN software within HP ThinPro does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges.
CVSS Score: 8.0
EPSS Score: 0.002
Published: 2019-11-22
The Citrix Receiver wrapper function does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges.
CVSS Score: 6.8
EPSS Score: 0.009
Published: 2019-11-22
Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters, due to incorrect buffer size calculation, in PostScript and PDF printers that use IPS versions prior to 2019.2.
CVSS Score: 9.8
EPSS Score: 0.006
Published: 2019-11-21

