CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2023-32409

Apple Multiple Products WebKit Sandbox Escape Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2023-05-22

Due Date: 2023-06-12

Description:

Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Required Action:

Apply updates per vendor instructions.

CVE-2023-28204

Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2023-05-22

Due Date: 2023-06-12

Description:

Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-125

CVE-2023-32373

Apple Multiple Products WebKit Use-After-Free Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2023-05-22

Due Date: 2023-06-12

Description:

Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2004-1464

Cisco IOS Denial-of-Service Vulnerability

Vendor: Cisco

Product: IOS

Added: 2023-05-19

Due Date: 2023-06-09

Description:

Cisco IOS contains an unspecified vulnerability that may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases, Hypertext Transport Protocol (HTTP) access to the Cisco device.

Required Action:

Apply updates per vendor instructions.

CVE-2016-6415

Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability

Vendor: Cisco

Product: IOS, IOS XR, and IOS XE

Added: 2023-05-19

Due Date: 2023-06-09

Description:

Cisco IOS, IOS XR, and IOS XE contain insufficient condition checks in the part of the code that handles Internet Key Exchange version 1 (IKEv1) security negotiation requests. contains an information disclosure vulnerability in the Internet Key Exchange version 1 (IKEv1) that could allow an attacker to retrieve memory contents. Successful exploitation could allow the attacker to retrieve memory contents, which can lead to information disclosure.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-200

CVE-2023-21492

Samsung Mobile Devices Insertion of Sensitive Information Into Log File Vulnerability

Vendor: Samsung

Product: Mobile Devices

Added: 2023-05-19

Due Date: 2023-06-09

Description:

Samsung mobile devices running Android 11, 12, and 13 contain an insertion of sensitive information into log file vulnerability that allows a privileged, local attacker to conduct an address space layout randomization (ASLR) bypass.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-532

CVE-2023-25717

Multiple Ruckus Wireless Products CSRF and RCE Vulnerability

Vendor: Ruckus Wireless

Product: Multiple Products

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.

Required Action:

Apply updates per vendor instructions or disconnect product if it is end-of-life.

CWEs:

CWE-94

CVE-2021-3560

Red Hat Polkit Incorrect Authorization Vulnerability

Vendor: Red Hat

Product: Polkit

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-863

CVE-2014-0196

Linux Kernel Race Condition Vulnerability

Vendor: Linux

Product: Kernel

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Linux Kernel contains a race condition vulnerability within the n_tty_write function that allows local users to cause a denial-of-service (DoS) or gain privileges via read and write operations with long strings.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-362

CVE-2010-3904

Linux Kernel Improper Input Validation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Linux Kernel contains an improper input validation vulnerability in the Reliable Datagram Sockets (RDS) protocol implementation that allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-20

CVE-2015-5317

Jenkins User Interface (UI) Information Disclosure Vulnerability

Vendor: Jenkins

Product: Jenkins User Interface (UI)

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-200

CVE-2016-3427

Oracle Java SE and JRockit Unspecified Vulnerability

Vendor: Oracle

Product: Java SE and JRockit

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Required Action:

Apply updates per vendor instructions.

CVE-2016-8735

Apache Tomcat Remote Code Execution Vulnerability

Vendor: Apache

Product: Tomcat

Added: 2023-05-12

Due Date: 2023-06-02

Description:

Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

CVE-2023-29336

Microsoft Win32K Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2023-05-09

Due Date: 2023-05-30

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2023-1389

TP-Link Archer AX-21 Command Injection Vulnerability

Vendor: TP-Link

Product: Archer AX21

Added: 2023-05-01

Due Date: 2023-05-22

Description:

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-77