This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).
CVE-2019-0193
Vendor: Apache
Product: Solr
Added: 2021-12-10
Due Date: 2022-06-10
Description:
The optional Apache Solr module DataImportHandler contains a code injection vulnerability.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-44168
Vendor: Fortinet
Product: FortiOS
Added: 2021-12-10
Due Date: 2021-12-24
Description:
Fortinet FortiOS "execute restore src-vis" downloads code without integrity checking, allowing an attacker to arbitrarily download files.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2017-17562
Vendor: Embedthis
Product: GoAhead
Added: 2021-12-10
Due Date: 2022-06-10
Description:
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2017-12149
Vendor: Red Hat
Product: JBoss Application Server
Added: 2021-12-10
Due Date: 2022-06-10
Description:
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2010-1871
Vendor: Red Hat
Product: JBoss Seam 2
Added: 2021-12-10
Due Date: 2022-06-10
Description:
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-17463
Vendor: Fuel CMS
Product: Fuel CMS
Added: 2021-12-10
Due Date: 2022-06-10
Description:
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2020-8816
Vendor: Pi-hole
Product: AdminLTE
Added: 2021-12-10
Due Date: 2022-06-10
Description:
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2019-10758
Vendor: MongoDB
Product: mongo-express
Added: 2021-12-10
Due Date: 2022-06-10
Description:
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method.
Required Action:
Apply updates per vendor instructions.
CVE-2021-44228
Vendor: Apache
Product: Log4j2
Added: 2021-12-10
Due Date: 2021-12-24
Description:
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Required Action:
For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
CWEs:
CVE-2020-11261
Vendor: Qualcomm
Product: Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Added: 2021-12-01
Due Date: 2022-06-01
Description:
Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2018-14847
Vendor: MikroTik
Product: RouterOS
Added: 2021-12-01
Due Date: 2022-06-01
Description:
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-37415
Vendor: Zoho
Product: ManageEngine ServiceDesk Plus (SDP)
Added: 2021-12-01
Due Date: 2021-12-15
Description:
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-40438
Vendor: Apache
Product: Apache
Added: 2021-12-01
Due Date: 2021-12-15
Description:
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-44077
Vendor: Zoho
Product: ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus
Added: 2021-12-01
Due Date: 2021-12-15
Description:
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution
Required Action:
Apply updates per vendor instructions.
CWEs:
CVE-2021-22204
Vendor: Perl
Product: Exiftool
Added: 2021-11-17
Due Date: 2021-12-01
Description:
Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
Required Action:
Apply updates per vendor instructions.
CWEs: