CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2021-30551

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122 CWE-843

CVE-2021-37975

Google Chromium V8 Use-After-Free Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2020-6418

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2022-05-03

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2021-30554

Google Chromium WebGL Use-After-Free Vulnerability

Vendor: Google

Product: Chromium WebGL

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium WebGL contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2021-21206

Google Chromium Blink Use-After-Free Vulnerability

Vendor: Google

Product: Chromium Blink

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2021-38000

Google Chromium Intents Improper Input Validation Vulnerability

Vendor: Google

Product: Chromium Intents

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2021-38003

Google Chromium V8 Memory Corruption Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122 CWE-755

CVE-2021-21224

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2021-21193

Google Chromium Blink Use-After-Free Vulnerability

Vendor: Google

Product: Chromium Blink

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2021-21220

Google Chromium V8 Improper Input Validation Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine contains an improper input validation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20 CWE-122

CVE-2021-30563

Google Chromium V8 Type Confusion Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2021-11-03

Due Date: 2021-11-17

Description:

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-122 CWE-843

CVE-2020-4430

IBM Data Risk Manager Directory Traversal Vulnerability

Vendor: IBM

Product: Data Risk Manager

Added: 2021-11-03

Due Date: 2022-05-03

Description:

IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2020-4427

IBM Data Risk Manager Security Bypass Vulnerability

Vendor: IBM

Product: Data Risk Manager

Added: 2021-11-03

Due Date: 2022-05-03

Description:

IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.

Required Action:

Apply updates per vendor instructions.

CVE-2020-4428

IBM Data Risk Manager Remote Code Execution Vulnerability

Vendor: IBM

Product: Data Risk Manager

Added: 2021-11-03

Due Date: 2022-05-03

Description:

IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2019-4716

IBM Planning Analytics Remote Code Execution Vulnerability

Vendor: IBM

Product: Planning Analytics

Added: 2021-11-03

Due Date: 2022-05-03

Description:

IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to log in as "admin", and then execute code as root or SYSTEM via TM1 scripting.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94