Dell EMC Unity update for third-party components



Risk: High
Patch available: Yes
Number of vulnerabilities: 82
CVE-ID: CVE-2019-2987
CVE-2019-2978
CVE-2019-2981
CVE-2019-2973
CVE-2019-2964
CVE-2019-2992
CVE-2019-2988
CVE-2019-2962
CVE-2019-2996
CVE-2019-2983
CVE-2019-2999
CVE-2019-2975
CVE-2019-2977
CVE-2019-11068
CVE-2019-2958
CVE-2019-2989
CVE-2019-2949
CVE-2019-2766
CVE-2019-2894
CVE-2019-2933
CVE-2019-2786
CVE-2020-2590
CVE-2019-5953
CVE-2019-12735
CVE-2019-14287
CVE-2017-2518
CVE-2020-8597
CVE-2020-2583
CVE-2020-2659
CVE-2020-2654
CVE-2019-2945
CVE-2020-2593
CVE-2020-2655
CVE-2020-2585
CVE-2020-2601
CVE-2019-13118
CVE-2019-13117
CVE-2019-16168
CVE-2020-2604
CVE-2019-2818
CVE-2019-2842
CVE-2012-6711
CVE-2018-18606
CVE-2018-19931
CVE-2018-17985
CVE-2018-17358
CVE-2018-1000876
CVE-2018-19932
CVE-2018-17359
CVE-2018-18605
CVE-2018-18309
CVE-2019-11477
CVE-2019-1010180
CVE-2018-18607
CVE-2018-20651
CVE-2018-20671
CVE-2018-20623
CVE-2018-18483
CVE-2018-17360
CVE-2018-18484
CVE-2019-12749
CVE-2019-11478
CVE-2019-2816
CVE-2019-1559
CVE-2019-2745
CVE-2019-2769
CVE-2019-2762
CVE-2019-2821
CVE-2019-2422
CVE-2019-2449
CVE-2019-2426
CVE-2018-11212
CVE-2019-1563
CVE-2019-11479
CVE-2019-1547
CVE-2019-3689
CVE-2019-17498
CVE-2019-7317
CVE-2017-12652
CVE-2018-16301
CVE-2019-15165
CVE-2019-2201
CWE-ID: CWE-125
CWE-264
CWE-20
CWE-284
CWE-693
CWE-119
CWE-78
CWE-120
CWE-200
CWE-369
CWE-122
CWE-476
CWE-400
CWE-190
CWE-835
CWE-416
CWE-287
CWE-327
CWE-310
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #24 is available.
Public exploit code for vulnerability #25 is available.
Public exploit code for vulnerability #27 is available.
Public exploit code for vulnerability #33 is available.
Public exploit code for vulnerability #38 is available.
Public exploit code for vulnerability #47 is available.
Public exploit code for vulnerability #51 is available.
Public exploit code for vulnerability #77 is available.
Vulnerable software:
Dell EMC Unity Operating Environment (OE)
Hardware solutions / Other hardware appliances

Dell EMC Unity VSA Operating Environment (OE)
Hardware solutions / Other hardware appliances

Vendor: Dell

Security Bulletin

This security bulletin contains information about 82 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU28691

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2987

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the 2D component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU28698

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2978

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU28697

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2981

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU28696

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2973

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU28695

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2964

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU28694

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2992

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU28693

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2988

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU28692

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2962

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU28690

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2996

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Deployment component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU28700

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2983

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU28689

Risk: Medium

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2999

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Javadoc component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU28688

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2975

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU28687

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2977

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read memory contents or crash the application.

The vulnerability exists due to improper input validation within the Hotspot component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read memory contents or crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18276

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11068

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error within the xsltCheckRead() and xsltCheckWrite() functions when processing requests from remote servers. A remote attacker can trick the victim into opening a specially crafted URL that will result in "-1 error" code but the URL itself will be processed by the application later.

Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions and perform XXE attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU28686

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2958

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper input validation

EUVDB-ID: #VU28680

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2989

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU28685

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2949

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Kerberos component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Improper access control

EUVDB-ID: #VU33423

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2766

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improper input validation

EUVDB-ID: #VU28699

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2894

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU28701

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2933

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Protection Mechanism Failure

EUVDB-ID: #VU19281

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2786

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain restrictions.

The vulnerability exists because the AccessController class implementation in the Security component fails in certain cases. A remote attacker can use an untrusted Java application or applet to bypass certain Java sandbox restrictions.

The vulnerability affects openjdk-jre package of an implementation of the Java Platform, Standard Edition (Java SE).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improper input validation

EUVDB-ID: #VU25093

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-2590

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Buffer overflow

EUVDB-ID: #VU18143

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-5953

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling Internationalized Resource Identifiers (IRI) during recursive downloading. A remote attacker can trick the victim into connecting to a malicious web server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) OS Command Injection

EUVDB-ID: #VU31049

Risk: Low

CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-12735

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

25) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU21782

Risk: Low

CVSSv4.0: 6.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-14287

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the implementation of the "sudo" application when processing commands that are configured to run with the ALL keyword. A local user with privileges to use sudo for specific applications on the system can escalate privileges and run the application as root (even if precisely restricted), if user id "-1" or "4294967295" is used.

Example:

The following entry instructs sudo to allow user bob to run "/usr/bin/id" command as any user on the system but root:

myhost bob = (ALL, !root) /usr/bin/id

The following command will allow bob to execute the "/usr/bin/id" command as root:

sudo -u#-1 id -u
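A configuration audit for the entry shown above, as an added example (not code from this advisory or from the sudo project): it scans sudoers text for Runas lists that combine ALL with a negated entry, the form the description names, including lists reached through a Runas_Alias. The sample sudoers content and all function names are constructed for illustration.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sample for the audit below
Defaults env_reset
Runas_Alias NOTROOT = ALL, !root
myhost bob = (ALL, !root) /usr/bin/id
myhost carol = (NOTROOT) NOPASSWD: /usr/bin/less \\
    /var/log/messages
myhost dave = (ALL) /usr/bin/id
myhost erin = (www-data, !root) /usr/bin/id
myhost frank = (ALL, !#0 : ALL) /usr/bin/id
"""

RUNAS_RE = re.compile(r"\(([^()]*)\)")  # heuristic: first-level "( ... )" groups


def strip_comment(line):
    """Drop '#' comments; keep '#uid' forms such as '!#0' and '#include' lines."""
    return re.sub(r"(^|\s)#(?!-?\d|include).*", "", line)


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = strip_comment(buf + raw).strip()
        if line:
            yield start, line
        buf, start = "", None


def split_list(text):
    """Split a comma-separated sudoers list and normalise '! name' to '!name'."""
    return [re.sub(r"!\s*", "!", t.strip()) for t in text.split(",") if t.strip()]


def expand(members, aliases, seen=frozenset()):
    """Replace Runas_Alias names by their members; negated names stay as written."""
    out = []
    for m in members:
        if m in aliases and m not in seen:
            out += expand(aliases[m], aliases, seen | {m})
        else:
            out.append(m)
    return out


def audit(text):
    """Return (line, left-hand side, runas spec) for every Runas user list
    that contains ALL together with at least one negated entry."""
    lines = list(logical_lines(text))
    aliases = {}
    for _, line in lines:
        if line.startswith("Runas_Alias"):
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = split_list(members)
    findings = []
    for lineno, line in lines:
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        if "=" not in line:
            continue
        who, _, specs = line.partition("=")
        for m in RUNAS_RE.finditer(specs):
            # Text before ':' is the run-as *user* list; after it, the group list.
            users = m.group(1).split(":", 1)[0]
            members = expand(split_list(users), aliases)
            if "ALL" in members and any(x.startswith("!") for x in members):
                findings.append((lineno, who.strip(), m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, who, spec in audit(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who} -> {spec} relies on a negated Runas entry")
```

Entries it reports are the ones whose restriction depends on the negated Runas entry; entries with a plain (ALL) or with no ALL keyword are not reported.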

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

26) Buffer overflow

EUVDB-ID: #VU6582

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-2518

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to buffer overflow when processing SQL queries. A remote attacker can send specially crafted SQL queries, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Buffer overflow

EUVDB-ID: #VU24916

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-8597

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "eap_request" and "eap_response" functions in "eap.c" file in pppd. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

28) Improper input validation

EUVDB-ID: #VU25095

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-2583

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Improper input validation

EUVDB-ID: #VU25094

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-2659

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper input validation

EUVDB-ID: #VU25092

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-2654

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Improper input validation

EUVDB-ID: #VU28702

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2945

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper input validation

EUVDB-ID: #VU25091

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-2593

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Improper input validation

EUVDB-ID: #VU25090

Risk: Medium

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-2655

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Improper input validation

EUVDB-ID: #VU25089

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-2585

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JavaFX component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper input validation

EUVDB-ID: #VU25088

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-2601

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Information disclosure

EUVDB-ID: #VU18966

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13118

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized stack data exposure in numbers.c in libxslt library when processing an invalid character/length combination in xsltNumberFormatDecimal. A remote attacker can pass specially crafted data to the application using the affected library and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Information disclosure

EUVDB-ID: #VU18965

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13117

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to information disclosure in numbers.c in libxslt library where an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. A remote attacker can learn whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Division by zero

EUVDB-ID: #VU23188

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-16168

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

39) Improper input validation

EUVDB-ID: #VU25077

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-2604

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Improper input validation

EUVDB-ID: #VU109742

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2818

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Input validation error

EUVDB-ID: #VU33426

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2842

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows an unauthenticated attacker with network access via multiple protocols to perform a denial of service (DoS) attack against Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.

The vulnerability exists due to insufficient validation of user-supplied input. It applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Heap-based buffer overflow

EUVDB-ID: #VU109674

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2012-6711

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the ansicstr() function in lib/sh/strtrans.c when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local user can trigger a heap-based buffer overflow and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) NULL pointer dereference

EUVDB-ID: #VU109671

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-18606

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to NULL pointer dereference within the merge_strings() function in merge.c. A remote attacker can trick the victim into processing a specially crafted file and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Heap-based buffer overflow

EUVDB-ID: #VU16338

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-19931

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow in the bfd_elf32_swap_phdr_in function, as defined in the elfcode.h source code file when handling malicious input. A local attacker can supply a specially crafted file that may trigger memory corruption and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Resource exhaustion

EUVDB-ID: #VU36558

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-17985

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Buffer overflow

EUVDB-ID: #VU24443

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-17358

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing ELF files within the _bfd_stab_section_find_nearest_line() function in syms.c in Binary File Descriptor (BFD) library (aka libbfd). A remote attacker can create a specially crafted ELF file, pass it to the affected application and trigger invalid memory access, resulting in denial of service conditions.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Integer overflow

EUVDB-ID: #VU16695

Risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-1000876

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to integer overflow in objdump, bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc. A local attacker can trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

48) Integer overflow

EUVDB-ID: #VU16339

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-19932

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The vulnerability exists due to integer overflow in the IS_CONTAINED_BY_LMA function, as defined in the elf.c source code file, when handling malicious input. A local attacker can map a section to a segment and trigger an infinite loop, resulting in a DoS condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Buffer overflow

EUVDB-ID: #VU36619

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-17359

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Out-of-bounds read

EUVDB-ID: #VU109669

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-18605

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the sec_merge_hash_lookup() function in merge.c. A remote attacker can pass a specially crafted ELF file to the application and crash it.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Memory corruption

EUVDB-ID: #VU15370

Risk: Low

CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-18309

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to cause a DoS condition on the target system.

The vulnerability exists due to an invalid memory address dereference in the read_reloc function, as defined in the reloc.c source code, after a boundary error in the _bfd_clear_contents function. A local attacker can submit malicious input using the objdump command, trigger a segmentation fault and cause the affected application to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

52) Integer overflow

EUVDB-ID: #VU18813

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11477

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow when handling TCP Selective Acknowledgments (SACKs), caused by incorrect processing of the TCP_SKB_CB(skb)->tcp_gso_segs value in the Linux kernel. A remote non-authenticated attacker can send specially crafted network traffic to the affected system, trigger integer overflow and render the system unavailable.

Successful exploitation of the vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Buffer overflow

EUVDB-ID: #VU109675

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-1010180

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing ELF files. A remote attacker can create a specially crafted file, trick the victim into opening it with a debugger, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) NULL pointer dereference

EUVDB-ID: #VU109672

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-18607

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to NULL pointer dereference within the elf_link_input_bfd() function in elflink.c. A remote attacker can trick the victim into processing a specially crafted file and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) NULL pointer dereference

EUVDB-ID: #VU16809

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-20651

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in elf_link_add_object_symbols in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd). A remote attacker can supply a specially crafted ELF file and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Heap-based buffer overflow

EUVDB-ID: #VU16828

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-20671

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in load_specific_debug_section in objdump.c. A remote attacker can supply a specially crafted section size, trigger heap-based buffer overflow and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Use-after-free

EUVDB-ID: #VU16781

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-20623

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code.

The vulnerability exists due to use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c. A remote attacker can supply a specially crafted ELF file, trigger heap-based buffer overflow and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Integer overflow

EUVDB-ID: #VU36486

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-18483

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Input validation error

EUVDB-ID: #VU36620

Risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-17360

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PE file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Resource exhaustion

EUVDB-ID: #VU36487

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-18484

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Improper Authentication

EUVDB-ID: #VU19274

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-12749

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows an attacker to bypass the authentication process.

The vulnerability exists due to an error when handling symlinks within the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. A malicious client with access to its own home directory can manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write into unintended locations.

Successful exploitation of the vulnerability may allow an attacker to bypass the DBUS_COOKIE_SHA1 authentication mechanism.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Resource exhaustion

EUVDB-ID: #VU18946

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11478

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing TCP Selective Acknowledgment (SACK) sequences within the Linux kernel TCP retransmission queue implementation in tcp_fragment. A remote non-authenticated attacker can send specially crafted network traffic to the affected system and perform a denial of service (DoS) attack.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Improper access control

EUVDB-ID: #VU33425

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2816

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU17860

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-1559

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to the way an application behaves when it receives a 0-byte record with invalid padding compared to a record with an invalid MAC, which results in a padding oracle. A remote attacker can decrypt data.

Successful exploitation of the vulnerability requires that the application is using "non-stitched" ciphersuites and calls SSL_shutdown() twice (first, via a BAD_RECORD_MAC and again via a CLOSE_NOTIFY). 


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Improper access control

EUVDB-ID: #VU33421

Risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2745

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Input validation error

EUVDB-ID: #VU33424

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2769

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows an unauthenticated attacker with network access via multiple protocols to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. An unauthenticated attacker with network access via multiple protocols can compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) Input validation error

EUVDB-ID: #VU33422

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2762

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows an unauthenticated attacker with network access via multiple protocols to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. An unauthenticated attacker with network access via multiple protocols can compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Improper input validation

EUVDB-ID: #VU109741

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2821

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Information disclosure

EUVDB-ID: #VU17051

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2422

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an unspecified flaw in the Libraries component. A remote attacker can gain access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

70) Denial of service

EUVDB-ID: #VU17052

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2449

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition.

The weakness exists due to an unspecified flaw in the Deployment component. A remote attacker can cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

71) Information disclosure

EUVDB-ID: #VU17050

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2426

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an unspecified flaw in the Networking component. A remote attacker can read arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

72) Division by zero

EUVDB-ID: #VU17049

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11212

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition.

The weakness exists due to a division by zero error in the alloc_sarray() function of the jmemmgr.c file in the libjpeg library within libjpeg-turbo. A remote attacker can pass a specially crafted file to the affected application and cause the application to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Padding oracle attack

EUVDB-ID: #VU21045

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-1563

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a padding oracle attack.

The vulnerability exists due to the possibility of performing a Bleichenbacher padding oracle attack against the RSA key in situations where an attacker receives automated notification of the success or failure of a decryption attempt. A remote attacker who can send a very large number of messages to be decrypted can recover a CMS/PKCS7 transported encryption key or decrypt any RSA-encrypted message that was encrypted with the public RSA key.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Resource exhaustion

EUVDB-ID: #VU18947

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11479

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the presence of a hard-coded MSS value (48 bytes) in the Linux kernel source code. A remote attacker can fragment TCP resend queues significantly more than if a larger MSS were enforced and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Cryptographic issues

EUVDB-ID: #VU21043

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-1547

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt traffic.

The vulnerability exists due to insufficient enforcement of side-channel-resistant code paths. A remote attacker with the ability to create a large number of signatures, where explicit parameters with no co-factor are present, can force the application to fall back to non-side-channel-resistant code paths during an ECDSA signature operation and perform full key recovery.

Successful exploitation of the vulnerability may allow an attacker to decrypt communication between server and client.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22333

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-3689

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure permissions on the "/var/lib/nfs" directory, which is owned by statd:nogroup, in the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating or overwriting files anywhere on the system.

Successful exploitation of the vulnerability may allow a local user to escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

77) Integer overflow

EUVDB-ID: #VU22574

Risk: High

CVSSv4.0: 5.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2019-17498

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack or access sensitive information.

The vulnerability exists due to an integer overflow in a bounds check in the "SSH_MSG_DISCONNECT" logic in "packet.c". A remote attacker can specify an arbitrary (out-of-bounds) offset for a subsequent memory read, trigger an out-of-bounds read, and disclose sensitive information or cause a denial of service condition on the target system when a user connects to the malicious SSH server.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

78) Use-after-free

EUVDB-ID: #VU17708

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-7317

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition.

The vulnerability exists due to a use-after-free memory error in the png_image_free function, as defined in the png.c source code file when calling on png_safe_execute. A remote attacker can send specially crafted data, trigger a call on png_safe_execute and trigger memory corruption, resulting in a DoS condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

79) Input validation error

EUVDB-ID: #VU19180

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12652

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in libpng when checking the chunk length against the user limit. A remote attacker can supply a specially crafted PNG image and crash the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

80) Out-of-bounds read

EUVDB-ID: #VU21949

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16301

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in libpcap during pcapng reading. A remote attacker can pass specially crafted data to the application that uses the affected library, trigger an out-of-bounds read error and read contents of memory on the system or crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Buffer overflow

EUVDB-ID: #VU21950

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-15165

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within sf-pcapng.c in libpcap when processing the PHB header length before allocating memory. A remote attacker can pass specially crafted data to the application that uses the vulnerable library, trigger memory corruption and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

82) Integer overflow

EUVDB-ID: #VU22854

Risk: High

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-2201

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in tjbench.c when handling JPEG images. A remote attacker can create a specially crafted JPEG image, pass it to the affected application, trigger the integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC Unity Operating Environment (OE): before 5.0.3.0.5.014

Dell EMC Unity VSA Operating Environment (OE): before 5.0.3.0.5.014

External links

https://www.dell.com/support/kbdoc/nl-nl/000001839/dsa-2020-132-dell-emc-unity-family-dell-emc-unity-vsa-family-dell-emc-unity-xt-family-security-update-for-multiple-third-party-components


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


