CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2021-21315

System Information Library for Node.JS Command Injection

Vendor: Npm package

Product: System Information Library for Node.JS

Added: 2022-01-18

Due Date: 2022-02-01

Description:

In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2021-22991

F5 BIG-IP Traffic Management Microkernel Buffer Overflow

Vendor: F5

Product: BIG-IP Traffic Management Microkernel

Added: 2022-01-18

Due Date: 2022-02-01

Description:

The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2020-14864

Oracle Business Intelligence Enterprise Edition Path Transversal

Vendor: Oracle

Product: Intelligence Enterprise Edition

Added: 2022-01-18

Due Date: 2022-07-18

Description:

Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2020-13671

Drupal core Un-restricted Upload of File

Vendor: Drupal

Product: Drupal core

Added: 2022-01-18

Due Date: 2022-07-18

Description:

Improper sanitization in the extension file names is present in Drupal core.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-434

CVE-2020-11978

Apache Airflow Command Injection

Vendor: Apache

Product: Airflow

Added: 2022-01-18

Due Date: 2022-07-18

Description:

A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-13927

Apache Airflow's Experimental API Authentication Bypass

Vendor: Apache

Product: Airflow's Experimental API

Added: 2022-01-18

Due Date: 2022-07-18

Description:

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1188 CWE-306

CVE-2021-22017

VMware vCenter Server Improper Access Control

Vendor: VMware

Product: vCenter Server

Added: 2022-01-10

Due Date: 2022-01-24

Description:

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-23

CVE-2021-36260

Hikvision Improper Input Validation

Vendor: Hikvision

Product: Security cameras web server

Added: 2022-01-10

Due Date: 2022-01-24

Description:

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2020-6572

Google Chrome Media Use-After-Free Vulnerability

Vendor: Google

Product: Chrome Media

Added: 2022-01-10

Due Date: 2022-07-10

Description:

Google Chrome Media contains a use-after-free vulnerability that allows a remote attacker to execute code via a crafted HTML page.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2019-1458

Ransomware

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-01-10

Due Date: 2022-07-10

Description:

A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.

Required Action:

Apply updates per vendor instructions.

CVE-2013-3900

Microsoft WinVerifyTrust function Remote Code Execution

Vendor: Microsoft

Product: WinVerifyTrust function

Added: 2022-01-10

Due Date: 2022-07-10

Description:

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2019-2725

Ransomware

Oracle WebLogic Server, Injection

Vendor: Oracle

Product: WebLogic Server

Added: 2022-01-10

Due Date: 2022-07-10

Description:

Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-74

CVE-2019-9670

Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2022-01-10

Due Date: 2022-07-10

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-611

CVE-2018-13382

Ransomware

Fortinet FortiOS and FortiProxy Improper Authorization

Vendor: Fortinet

Product: FortiOS and FortiProxy

Added: 2022-01-10

Due Date: 2022-07-10

Description:

An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-285

CVE-2018-13383

Ransomware

Fortinet FortiOS and FortiProxy Out-of-bounds Write

Vendor: Fortinet

Product: FortiOS and FortiProxy

Added: 2022-01-10

Due Date: 2022-07-10

Description:

A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787