| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
39101 |
CVE-2016-3106 |
362 |
|
|
2017-04-13 |
2017-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner. |
|
39102 |
CVE-2016-3105 |
284 |
|
Exec Code |
2016-05-09 |
2017-06-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. |
|
39103 |
CVE-2016-3104 |
400 |
|
DoS |
2017-04-14 |
2017-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. |
|
39104 |
CVE-2016-3102 |
254 |
|
Bypass |
2017-02-09 |
2017-02-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. |
|
39105 |
CVE-2016-3101 |
79 |
|
XSS |
2017-02-09 |
2017-02-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. |
|
39106 |
CVE-2016-3099 |
327 |
|
|
2017-06-08 |
2017-06-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to force the use of ciphers that were not intended to be enabled. |
|
39107 |
CVE-2016-3097 |
79 |
|
XSS |
2016-08-05 |
2016-08-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via a group name, related to viewing snapshot data. |
|
39108 |
CVE-2016-3096 |
59 |
|
+Priv |
2016-06-03 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory. |
|
39109 |
CVE-2016-3094 |
20 |
|
DoS |
2016-06-01 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception. |
|
39110 |
CVE-2016-3093 |
20 |
|
DoS |
2016-06-07 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. |
|
39111 |
CVE-2016-3092 |
20 |
|
DoS |
2016-07-04 |
2019-04-23 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. |
|
39112 |
CVE-2016-3091 |
19 |
|
DoS |
2017-06-08 |
2017-06-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Cloud Foundry Diego 0.1468.0 through 0.1470.0 allows remote attackers to cause a denial of service. |
|
39113 |
CVE-2016-3090 |
20 |
|
Exec Code |
2017-10-30 |
2018-06-30 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. |
|
39114 |
CVE-2016-3089 |
79 |
|
XSS |
2016-08-19 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter. |
|
39115 |
CVE-2016-3088 |
20 |
|
|
2016-06-01 |
2018-01-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. |
|
39116 |
CVE-2016-3087 |
20 |
|
Exec Code |
2016-06-07 |
2019-08-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. |
|
39117 |
CVE-2016-3086 |
200 |
|
+Info |
2017-09-05 |
2017-09-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. |
|
39118 |
CVE-2016-3085 |
287 |
|
Bypass |
2016-06-10 |
2018-10-09 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin. |
|
39119 |
CVE-2016-3084 |
264 |
|
|
2017-05-25 |
2017-06-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. |
|
39120 |
CVE-2016-3083 |
295 |
|
|
2017-05-30 |
2017-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through. |
|
39121 |
CVE-2016-3082 |
20 |
|
Exec Code |
2016-04-26 |
2016-11-28 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. |
|
39122 |
CVE-2016-3081 |
77 |
|
Exec Code |
2016-04-26 |
2019-08-12 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. |
|
39123 |
CVE-2016-3080 |
79 |
|
XSS |
2016-08-05 |
2016-08-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat Satellite 5.7 allows remote attackers to inject arbitrary web script or HTML via the (1) RHNMD User or (2) Filesystem parameters, related to display of monitoring probes. |
|
39124 |
CVE-2016-3079 |
79 |
|
XSS |
2016-04-14 |
2016-04-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Spacewalk and Red Hat Satellite 5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to systems/SystemEntitlements.do; (2) the label parameter to admin/multiorg/EntitlementDetails.do; or the name of a (3) snapshot tag or (4) system group in System Set Manager (SSM). |
|
39125 |
CVE-2016-3078 |
190 |
|
DoS Overflow |
2016-08-07 |
2017-09-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class. |
|
39126 |
CVE-2016-3077 |
119 |
|
DoS Overflow |
2017-06-06 |
2017-06-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs. |
|
39127 |
CVE-2016-3076 |
119 |
|
DoS Overflow Mem. Corr. |
2017-04-24 |
2017-04-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. |
|
39128 |
CVE-2016-3075 |
119 |
|
DoS Overflow |
2016-06-01 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name. |
|
39129 |
CVE-2016-3074 |
189 |
|
DoS Exec Code Overflow |
2016-04-26 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow. |
|
39130 |
CVE-2016-3072 |
89 |
|
Exec Code Sql |
2016-06-07 |
2019-04-22 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the scoped_search function in app/controllers/katello/api/v2/api_controller.rb in Katello allow remote authenticated users to execute arbitrary SQL commands via the (1) sort_by or (2) sort_order parameter. |
|
39131 |
CVE-2016-3071 |
20 |
|
DoS |
2016-04-18 |
2017-02-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform. |
|
39132 |
CVE-2016-3070 |
476 |
|
DoS |
2016-08-06 |
2018-01-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move. |
|
39133 |
CVE-2016-3069 |
20 |
|
Exec Code |
2016-04-13 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. |
|
39134 |
CVE-2016-3068 |
20 |
|
Exec Code |
2016-04-13 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository. |
|
39135 |
CVE-2016-3067 |
264 |
|
+Priv |
2017-04-21 |
2017-04-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges. |
|
39136 |
CVE-2016-3066 |
200 |
|
+Info |
2017-06-06 |
2017-06-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The spice-gtk widget allows remote authenticated users to obtain information from the host clipboard. |
|
39137 |
CVE-2016-3065 |
264 |
|
DoS Bypass +Info |
2016-04-11 |
2016-04-14 |
8.5 |
None |
Remote |
Low |
Not required |
Partial |
None |
Complete |
|
The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allows attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page. |
|
39138 |
CVE-2016-3064 |
200 |
|
+Info |
2016-08-31 |
2017-11-15 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
NetApp Clustered Data ONTAP before 8.2.4P4 and 8.3.x before 8.3.2P2 allows remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors. |
|
39139 |
CVE-2016-3063 |
116 |
|
Exec Code |
2017-02-07 |
2017-11-15 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors. |
|
39140 |
CVE-2016-3062 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2016-06-16 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The mov_read_dref function in libavformat/mov.c in Libav before 11.7 and FFmpeg before 0.11 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via the entries value in a dref box in an MP4 file. |
|
39141 |
CVE-2016-3057 |
79 |
|
XSS |
2016-11-30 |
2016-11-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator 5.2 before 5020500_14 and 5.2 06 before 5020602_1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
39142 |
CVE-2016-3055 |
611 |
|
DoS |
2016-12-01 |
2016-12-01 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
39143 |
CVE-2016-3053 |
264 |
|
|
2017-02-01 |
2017-09-02 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM AIX contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges. |
|
39144 |
CVE-2016-3052 |
200 |
|
+Info |
2017-02-22 |
2017-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Under non-standard configurations, IBM WebSphere MQ might send password data in clear text over the network. This data could be intercepted using man in the middle techniques. |
|
39145 |
CVE-2016-3051 |
264 |
|
|
2017-06-07 |
2017-07-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
IBM Security Access Manager for Web 9.0.0 could allow an authenticated user to access some privileged functionality of the server. IBM X-Force ID: 114714. |
|
39146 |
CVE-2016-3047 |
601 |
|
|
2016-12-01 |
2016-12-01 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Open redirect vulnerability in IBM FileNet Workplace 4.0.2 through 4.0.2.14 IF001 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
39147 |
CVE-2016-3046 |
89 |
|
Sql |
2017-02-01 |
2017-02-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security Access Manager for Web is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements which could allow the attacker to view information in the back-end database. |
|
39148 |
CVE-2016-3045 |
200 |
|
+Info |
2017-02-01 |
2017-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. |
|
39149 |
CVE-2016-3044 |
20 |
|
DoS |
2016-12-01 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 and 3.1 before 3.1.0.2 allows guest OS users to cause a denial of service (host OS infinite loop and hang) via unspecified vectors. |
|
39150 |
CVE-2016-3043 |
200 |
|
+Info |
2017-02-01 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
