This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2023-4911
Vendor: GNU
Product: GNU C Library
Added: 2023-11-21
Due Date: 2023-12-12
Description:
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to execute code with elevated privileges.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36584
Vendor: Microsoft
Product: Windows
Added: 2023-11-16
Due Date: 2023-12-07
Description:
Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-1671
Vendor: Sophos
Product: Web Appliance
Added: 2023-11-16
Due Date: 2023-12-07
Description:
Sophos Web Appliance contains a command injection vulnerability in the warn-proceed handler that allows for remote code execution.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2020-2551
Vendor: Oracle
Product: Fusion Middleware
Added: 2023-11-16
Due Date: 2023-12-07
Description:
Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-36033
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows Desktop Window Manager (DWM) Core Library contains an unspecified vulnerability that allows for privilege escalation.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36025
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-36036
Vendor: Microsoft
Product: Windows
Added: 2023-11-14
Due Date: 2023-12-05
Description:
Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-47246
Vendor: SysAid
Product: SysAid Server
Added: 2023-11-13
Due Date: 2023-12-04
Description:
SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36844
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables, leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36845
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series and SRX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control an important environment variable. Using a crafted request, which sets the variable PHPRC, an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36846
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36847
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-36851
Vendor: Juniper
Product: Junos OS
Added: 2023-11-13
Due Date: 2023-11-17
Description:
Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs:
CVE-2023-29552
Vendor: IETF
Product: Service Location Protocol (SLP)
Added: 2023-11-08
Due Date: 2023-11-29
Description:
The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
Required Action:
Apply mitigations per vendor instructions or disable SLP service or port 427/UDP on all systems running on untrusted networks, including those directly connected to the Internet.
CVE-2023-22518
Vendor: Atlassian
Product: Confluence Data Center and Server
Added: 2023-11-07
Due Date: 2023-11-28
Description:
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact on confidentiality since the attacker cannot exfiltrate any data.
Required Action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CWEs: