VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202108-2409 No CVE Fuji Xerox (China) Co., Ltd. DocuCentre-V C2263 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuCentre-V C2263 has an unauthorized access vulnerability. Attackers can use the vulnerability to obtain sensitive information and perform unauthorized operations.
VAR-202108-2320 No CVE Unauthorized access vulnerability exists in Schneider Electric (China) Co., Ltd. PowerLogic ION7550 CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Schneider Electric (China) Co., Ltd. is a leader in the field of global energy efficiency management. The main business includes power, industrial automation, infrastructure, energy efficiency, energy, building automation and security electronics, data centers and smart living spaces and other business areas. Schneider Electric (China) Co., Ltd. PowerLogic ION7550 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2321 No CVE Tenda Roteador Multilaser 1200AC device has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shenzhen Jixiang Tengda Technology Co., Ltd. is a high-tech enterprise integrating independent research and development, production and sales of network equipment. The Tenda Roteador Multilaser 1200AC device has an unauthorized access vulnerability. Attackers can use the vulnerability to access the device management page to obtain sensitive information.
VAR-202108-2322 No CVE Command execution vulnerability exists in the intelligent edge gateway of China Mobile Communications Group Co., Ltd. CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
China Mobile Communications Corporation is the largest mobile communications operator in China, mainly engaged in mobile voice, data, IP telephony and multimedia services. The intelligent edge gateway of China Mobile Communications Group Co., Ltd. has a command execution vulnerability. Attackers can use this vulnerability to execute arbitrary commands.
VAR-202108-2323 No CVE Unauthorized access vulnerability exists in Fuji Xerox (China) Co., Ltd. DocuPrint C5005 d CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuPrint C5005 d has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2325 No CVE Zhejiang Dahua Technology Co., Ltd. WEB SERVICE has a weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Zhejiang Dahua Technology Co., Ltd. is the world's leading video-centric smart IoT solution provider and operation service provider. Zhejiang Dahua Technology Co., Ltd. WEB SERVICE has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202108-2327 No CVE Pacom 8501 Input/Output Module has weak password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Pacom is a Swedish company. Pacom 8501 Input/Output Module has a weak password vulnerability. Attackers can use this vulnerability to enter the background and obtain sensitive information.
VAR-202108-2329 No CVE Unauthorized access vulnerability exists in Cisco IP Phone CP-8845 CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco generally refers to Cisco. Cisco is the world's leading provider of network solutions. Cisco IP Phone CP-8845 has an unauthorized access vulnerability. Attackers can use this vulnerability to access unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2404 No CVE Unauthorized access vulnerability exists in Fuji Xerox (China) Co., Ltd. DocuCentre-IV 3065 CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuCentre-IV 3065 has an unauthorized access vulnerability. Attackers can use this vulnerability to obtain sensitive information and perform unauthorized operations.
VAR-202108-2221 CVE-2021-22925 Ubuntu Security Notice USN-5021-2 CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. ========================================================================== Ubuntu Security Notice USN-5021-2 January 20, 2022 curl vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: curl could be made to expose sensitive information if it received a specially crafted input. Software Description: - curl: HTTP, HTTPS, and FTP client and client libraries Details: USN-5021-1 fixed vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 16.04 ESM. Uninitialized data possibly containing sensitive information could be sent to the remote server, contrary to expectations. (CVE-2021-22898, CVE-2021-22925) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: curl 7.47.0-1ubuntu2.19+esm3 libcurl3 7.47.0-1ubuntu2.19+esm3 libcurl3-gnutls 7.47.0-1ubuntu2.19+esm3 libcurl3-nss 7.47.0-1ubuntu2.19+esm3 In general, a standard system update will make all the necessary changes. Solution: OSP 16.2.z Release - OSP Director Operator Containers 4. Bugs fixed (https://bugzilla.redhat.com/): 2025995 - Rebase tech preview on latest upstream v1.2.x branch 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache 2036784 - osp controller (fencing enabled) in downed state after system manual crash test 5. Summary: The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Solution: For details on how to install and use MTC, refer to: https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 5. Clusters and applications are all visible and managed from a single console — with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/ Security fixes: * CVE-2021-3795 semver-regex: inefficient regular expression complexity * CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 Related bugs: * RHACM 2.2.10 images (Bugzilla #2013652) 3. Bugs fixed (https://bugzilla.redhat.com/): 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 2006009 - CVE-2021-3795 semver-regex: inefficient regular expression complexity 2013652 - RHACM 2.2.10 images 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6 macOS Big Sur 11.6 addresses the following issues. CoreGraphics Available for: macOS Big Sur Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: An integer overflow was addressed with improved input validation. CVE-2021-30860: The Citizen Lab CUPS Available for: macOS Big Sur Impact: A local attacker may be able to elevate their privileges Description: A permissions issue existed. This issue was addressed with improved permission validation. CVE-2021-30827: an anonymous researcher Entry added September 20, 2021 CUPS Available for: macOS Big Sur Impact: A local user may be able to read arbitrary files as root Description: This issue was addressed with improved checks. CVE-2021-30828: an anonymous researcher Entry added September 20, 2021 CUPS Available for: macOS Big Sur Impact: A local user may be able to execute arbitrary files Description: A URI parsing issue was addressed with improved parsing. CVE-2021-22925 Entry added September 20, 2021 CVMS Available for: macOS Big Sur Impact: A local attacker may be able to elevate their privileges Description: A memory corruption issue was addressed with improved state management. CVE-2021-30832: Mickey Jin (@patch1t) of Trend Micro Entry added September 20, 2021 FontParser Available for: macOS Big Sur Impact: Processing a maliciously crafted dfont file may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30841: Xingwei Lin of Ant Security Light-Year Lab CVE-2021-30842: Xingwei Lin of Ant Security Light-Year Lab CVE-2021-30843: Xingwei Lin of Ant Security Light-Year Lab Entry added September 20, 2021 Gatekeeper Available for: macOS Big Sur Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved checks. CVE-2021-30853: Gordon Long (@ethicalhax) of Box, Inc. Entry added September 20, 2021 ImageIO Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30847: Mike Zhang of Pangu Lab Entry added September 20, 2021 Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2021-30830: Zweig of Kunlun Lab Entry added September 20, 2021 Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30865: Zweig of Kunlun Lab Entry added September 20, 2021 Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2021-30857: Zweig of Kunlun Lab Entry added September 20, 2021 Kernel Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A type confusion issue was addressed with improved state handling. CVE-2021-30859: Apple Entry added September 20, 2021 libexpat Available for: macOS Big Sur Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed by updating expat to version 2.4.1. CVE-2013-0340: an anonymous researcher Entry added September 20, 2021 Preferences Available for: macOS Big Sur Impact: An application may be able to access restricted files Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. CVE-2021-30855: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com) Entry added September 20, 2021 Sandbox Available for: macOS Big Sur Impact: A user may gain access to protected parts of the file system Description: An access issue was addressed with improved access restrictions. CVE-2021-30850: an anonymous researcher Entry added September 20, 2021 SMB Available for: macOS Big Sur Impact: A local user may be able to read kernel memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30845: Peter Nguyen Vu Hoang of STAR Labs Entry added September 20, 2021 SMB Available for: macOS Big Sur Impact: A remote attacker may be able to leak memory Description: A logic issue was addressed with improved state management. CVE-2021-30844: Peter Nguyen Vu Hoang of STAR Labs Entry added September 20, 2021 WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A use after free issue was addressed with improved memory management. CVE-2021-30858: an anonymous researcher Additional recognition APFS We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance. Entry added September 20, 2021 App Support We would like to acknowledge @CodeColorist, an anonymous researcher for their assistance. Entry added September 20, 2021 CoreML We would like to acknowledge hjy79425575 working with Trend Micro Zero Day Initiative for their assistance. Entry added September 20, 2021 CUPS We would like to acknowledge an anonymous researcher for their assistance. Entry added September 20, 2021 Kernel We would like to acknowledge Anthony Steinhauser of Google's Safeside project for their assistance. Entry added September 20, 2021 Sandbox We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance. Entry added September 20, 2021 smbx We would like to acknowledge Zhongcheng Li (CK01) for their assistance. Entry added September 20, 2021 Installation note: This update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmFI888ACgkQeC9qKD1p rhi/Bg/9GiqXl8sxPjDpATJqneZ1GcAxWxBZgkFrcLV/cMwrVqniWsOeVHqHjMSY eJUkGehUtKsYE0g8Uk0qJqOUl3dxxGJpIDytOQJB3TFdd1BpZSK/tOChVem1JV1B +CMhqDnmR/u7bLqfCr1p6J5QJNHjTjgBA4RthdzZZ52pLGql7/2qfaJwpeHkheS4 5EKmch8zh0CGRqrUTg1HgY67ierNsz47jIU6n7UeMwjskRU3xM9VqJ9s4eKGAtSv 4Ry16pv0xUZ4cmL5EiLm2/eFbY8ByCji7jYPP0POBO4l518TGpaX2PaZBP9v0rrD t6cPEZHnsRaZ49OYak6z9iA8teKGSs6aCMuzSxExvlT8+YySf1o1nefbRH/tZMfn bwSO0ZyPsS9WYyuG/zX08U3CKOTkjqhLaOwVwte+cAeg2QS85aa9XPMG6PKcpyfu R7auxS92+Dg+R+97dAsI9TprSutCTw4iY8lyK9MVJSnh+zQSZEihUh4EaSufTHRC NlOSHvsTfXqsHaeed6sVKyX4ADHCUvRbCCIrqJKUs6waNd2T2XF7SzvgTSDJMHU9 4AL/jpnltTjDJTtMO999VZKNzYurrGiHvBs5zHWr91+eaHW8YGdsDERsX3BFYLe3 85i+Yge0iXlP7mT32cWxIw4AWDFITFiHnmV1/cdsCd2GIkqkhFw= =9bjT -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ACS 3.67 security and enhancement update Advisory ID: RHSA-2021:4902-01 Product: RHACS Advisory URL: https://access.redhat.com/errata/RHSA-2021:4902 Issue date: 2021-12-01 CVE Names: CVE-2018-20673 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 CVE-2020-27304 CVE-2021-3200 CVE-2021-3445 CVE-2021-3580 CVE-2021-3749 CVE-2021-3800 CVE-2021-3801 CVE-2021-20231 CVE-2021-20232 CVE-2021-20266 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-23343 CVE-2021-23840 CVE-2021-23841 CVE-2021-27645 CVE-2021-28153 CVE-2021-29923 CVE-2021-32690 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-39293 ===================================================================== 1. Summary: Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes: OpenShift Dedicated support RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform. 1. Use OpenShift OAuth server as an identity provider If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS. 2. Enhancements for CI outputs Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds. 3. Runtime Class policy criteria Users can now use RHACS to define the container runtime configuration that may be used to run a pod’s containers using the Runtime Class policy criteria. Security Fix(es): * civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304) * nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749) * nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801) * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923) * helm: information disclosure vulnerability (CVE-2021-32690) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes The release of RHACS 3.67 includes the following bug fixes: 1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed. 2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed. System changes The release of RHACS 3.67 includes the following system changes: 1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images. 2. The Port exposure method policy criteria now include route as an exposure method. 3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation. 4. The OpenShift Compliance Operator integration now supports using TailoredProfiles. 5. The RHACS Jenkins plugin now provides additional security information. 6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values. 7. The default uid:gid pair for the Scanner image is now 65534:65534. 8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes. 9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies. 10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode. 11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check & deployment check 12. You can now use a regular expression for the deployment name while specifying policy exclusions 3. Solution: To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67. 4. Bugs fixed (https://bugzilla.redhat.com/): 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1978144 - CVE-2021-32690 helm: information disclosure vulnerability 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function 2005445 - CVE-2021-3801 nodejs-prismjs: ReDoS vulnerability 2006044 - CVE-2021-39293 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) 2016640 - CVE-2020-27304 civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API 5. JIRA issues fixed (https://issues.jboss.org/): RHACS-65 - Release RHACS 3.67.0 6. References: https://access.redhat.com/security/cve/CVE-2018-20673 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-27304 https://access.redhat.com/security/cve/CVE-2021-3200 https://access.redhat.com/security/cve/CVE-2021-3445 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-3800 https://access.redhat.com/security/cve/CVE-2021-3801 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-20266 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22898 https://access.redhat.com/security/cve/CVE-2021-22925 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-23840 https://access.redhat.com/security/cve/CVE-2021-23841 https://access.redhat.com/security/cve/CVE-2021-27645 https://access.redhat.com/security/cve/CVE-2021-28153 https://access.redhat.com/security/cve/CVE-2021-29923 https://access.redhat.com/security/cve/CVE-2021-32690 https://access.redhat.com/security/cve/CVE-2021-33560 https://access.redhat.com/security/cve/CVE-2021-33574 https://access.redhat.com/security/cve/CVE-2021-35942 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-39293 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYafeGdzjgjWX9erEAQgZ8Q/9H5ov4ZfKZszdJu0WvRMetEt6DMU2RTZr Kjv4h4FnmsMDYYDocnkFvsRjcpdGxtoUShAqD6+FrTNXjPtA/v1tsQTJzhg4o50w tKa9T4aHfrYXjGvWgQXJJEGmGaYMYePUOv77x6pLfMB+FmgfOtb8kzOdNzAtqX3e lq8b2DrQuPSRiWkUgFM2hmS7OtUsqTIShqWu67HJdOY74qDN4DGp7GnG6inCrUjV x4/4X5Fb7JrAYiy57C5eZwYW61HmrG7YHk9SZTRYgRW0rfgLncVsny4lX1871Ch2 e8ttu0EJFM1EJyuCJwJd1Q+rhua6S1VSY+etLUuaYme5DtvozLXQTLUK31qAq/hK qnLYQjaSieea9j1dV6YNHjnvV0XGczyZYwzmys/CNVUxwvSHr1AJGmQ3zDeOt7Qz vguWmPzyiob3RtHjfUlUpPYeI6HVug801YK6FAoB9F2BW2uHVgbtKOwG5pl5urJt G4taizPtH8uJj5hem5nHnSE1sVGTiStb4+oj2LQonRkgLQ2h7tsX8Z8yWM/3TwUT PTBX9AIHwt8aCx7XxTeEIs0H9B1T9jYfy06o9H2547un9sBoT0Sm7fqKuJKic8N/ pJ2kXBiVJ9B4G+JjWe8rh1oC1yz5Q5/5HZ19VYBjHhYEhX4s9s2YsF1L1uMoT3NN T0pPNmsPGZY= =ux5P -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Summary: An update is now available for OpenShift Logging 5.2. Description: Openshift Logging Bug Fix Release (5.2.3) Security Fix(es): * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1857 - OpenShift Alerting Rules Style-Guide Compliance LOG-1904 - [release-5.2] Fix the Display of ClusterLogging type in OLM LOG-1916 - [release-5.2] Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server 6
VAR-202108-2380 No CVE Unauthorized access vulnerability exists in Fuji Xerox (China) Co., Ltd. DocuPrint M225 dw CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuPrint M225 dw has an unauthorized access vulnerability. Attackers can use this vulnerability to access unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2381 No CVE Unauthorized access vulnerability exists in Fuji Xerox (China) Co., Ltd. DocuPrint M285 z CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuPrint M285 z has an unauthorized access vulnerability. Attackers can use the vulnerability to access unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2382 No CVE Fuji Xerox (China) Co., Ltd. DocuPrint CP305 d has an unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuPrint CP305 d has an unauthorized access vulnerability. Attackers can use this vulnerability to access unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2383 No CVE Unauthorized access vulnerability exists in Fujifilm DocuPrint CM305 df series printers CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fujifilm was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fujifilm DocuPrint CM305 df has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2384 No CVE Multiple Fuji Xerox (China) Co., Ltd. products have unauthorized access vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Many Fuji Xerox (China) Co., Ltd. products have unauthorized access vulnerabilities. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2385 No CVE Fuji Xerox (China) Co., Ltd. ApeosPort-V C4475 T2 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. ApeosPort-V C4475 T2 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2386 No CVE Fuji Xerox (China) Co., Ltd. ApeosPort-IV C3375 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. ApeosPort-IV C3375 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2387 No CVE Fuji Xerox (China) Co., Ltd. DocuCentre-III 2007 has an unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuCentre-III 2007 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2388 No CVE Fuji Xerox (China) Co., Ltd. DocuCentre-IV C2260 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. DocuCentre-IV C2260 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.
VAR-202108-2389 No CVE Fuji Xerox (China) Co., Ltd. Xerox WorkCentre 5325 has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Fuji Xerox (China) Co., Ltd. was established on January 3, 1995. It is a wholly-owned holding company of Fuji Xerox in China with a registered capital of US$39 million. Fuji Xerox (China) Co., Ltd. is headquartered in Beijing. Fuji Xerox (China) Co., Ltd. Xerox WorkCentre 5325 has an unauthorized access vulnerability. Attackers can use this vulnerability to gain unauthorized access to obtain sensitive information and perform unauthorized operations.