2016 VULNERABILITY DATABASE
CVE-2016-2002
Summary: The validateAdminConfig handler in the Analytics Management Console in HPE Vertica 7.0.x before 7.0.2.12, 7.1.x before 7.1.2-12, and 7.2.x before 7.2.2-1 allows remote attackers to execute arbitrary commands via the mcPort parameter, aka ZDI-CAN-3417.
Published: 4/20/2016 1:59:01 PM
CVE-2016-1384
Summary: The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898.
Published: 4/20/2016 1:59:01 PM
CVE-2016-0891
Summary: Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.
Published: 4/20/2016 1:59:00 PM
CVE-2015-8842
Summary: tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file.
Published: 4/20/2016 12:59:03 PM
CVE-2015-7802
Summary: gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.
Published: 4/20/2016 12:59:02 PM
CVE-2015-7801
Summary: Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers to execute arbitrary code via a crafted PNG file.
Published: 4/20/2016 12:59:01 PM
CVE-2014-9770
Summary: tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files.
Published: 4/20/2016 12:59:00 PM
CVE-2016-3628
Summary: Buffer overflow in tibemsd in the server in TIBCO Enterprise Message Service (EMS) before 8.3.0 and EMS Appliance before 2.4.0 allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via crafted inbound data.
Published: 4/20/2016 6:59:00 AM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.5 MEDIUM
CVE-2016-2390
Summary: The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.
Published: 4/19/2016 5:59:07 PM
CVE-2016-0741
Summary: slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection.
Published: 4/19/2016 5:59:06 PM
CVE-2015-8779
Summary: Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.
Published: 4/19/2016 5:59:05 PM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 7.5 HIGH
CVE-2015-8778
Summary: Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.
Published: 4/19/2016 5:59:04 PM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 7.5 HIGH
CVE-2015-8776
Summary: The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.
Published: 4/19/2016 5:59:04 PM
CVSS Severity: v3 - 9.1 CRITICAL v2 - 6.4 MEDIUM
CVE-2015-7511
Summary: Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.
Published: 4/19/2016 5:59:03 PM
CVSS Severity: v3 - 2.0 LOW v2 - 1.9 LOW
CVE-2015-1776
Summary: Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Published: 4/19/2016 5:59:02 PM
CVSS Severity: v3 - 6.2 MEDIUM v2 - 2.1 LOW
CVE-2014-9765
Summary: Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.
Published: 4/19/2016 5:59:01 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.8 MEDIUM
CVE-2014-9761
Summary: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.
Published: 4/19/2016 5:59:00 PM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 7.5 HIGH
CVE-2016-4040
Summary: SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
Published: 4/19/2016 10:59:03 AM
CVE-2016-3960
Summary: Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping.
Published: 4/19/2016 10:59:03 AM
CVSS Severity: v3 - 8.8 HIGH v2 - 7.2 HIGH
CVE-2016-3688
Summary: SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.
Published: 4/19/2016 10:59:02 AM