CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Netapp : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-15516 352 CSRF 2017-11-16 2017-12-02
6.8
None Remote Medium Not required Partial Partial Partial
NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability which could be used to cause an unintended authenticated action in the user interface.
2 CVE-2017-14053 200 +Info 2017-09-01 2017-09-06
5.0
None Remote Low Not required Partial None None
NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 does not set the secure flag for an unspecified cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
3 CVE-2017-12859 20 DoS 2017-08-18 2017-08-26
4.3
None Remote Medium Not required None None Partial
NetApp Data ONTAP before 8.2.5, when operating in 7-Mode in NFS environments, allows remote attackers to cause a denial of service via unspecified vectors.
4 CVE-2017-12423 284 2017-09-01 2017-09-06
4.0
None Remote Low Single system Partial None None
NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to read data on other Storage Virtual Machines (SVMs) via unspecified vectors.
5 CVE-2017-12422 264 2017-08-29 2017-09-06
4.0
None Remote Low Single system None None Partial
NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors.
6 CVE-2017-12421 284 Exec Code 2017-09-01 2017-09-06
6.5
None Remote Low Single system Partial Partial Partial
NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to execute arbitrary code on the storage controller via unspecified vectors.
7 CVE-2017-12420 119 DoS Exec Code Overflow 2017-08-18 2017-08-26
6.5
None Remote Low Single system Partial Partial Partial
Heap-based buffer overflow in the SMB implementation in NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allows remote authenticated users to cause a denial of service or execute arbitrary code.
8 CVE-2017-8919 284 +Info 2017-07-25 2017-08-10
4.0
None Remote Low Single system Partial None None
NetApp OnCommand API Services before 1.2P3 logs the LDAP BIND password when a user attempts to log in using the REST API, which allows remote authenticated users to obtain sensitive password information via unspecified vectors.
9 CVE-2017-7947 200 +Info 2017-07-17 2017-08-08
5.0
None Remote Low Not required Partial None None
NetApp Clustered Data ONTAP before 8.3.2P11, 9.0 before P4, and 9.1 before P5 allow attackers to obtain sensitive password information by leveraging logging of passwords entered non-interactively on the command line.
10 CVE-2017-7439 200 +Info 2017-05-25 2017-06-02
5.0
None Remote Low Not required Partial None None
NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might allow remote attackers to obtain sensitive information via vectors involving error messages.
11 CVE-2017-7345 200 +Info 2017-04-10 2017-04-17
5.0
None Remote Low Not required Partial None None
NetApp OnCommand Performance Manager and OnCommand Unified Manager for Clustered Data ONTAP before 7.1P1 improperly bind the Java Management Extension Remote Method Invocation (aka JMX RMI) service to the network, which allows remote attackers to obtain sensitive information via unspecified vectors.
12 CVE-2017-7236 89 Exec Code Sql 2017-05-25 2017-06-02
5.0
None Remote Low Not required Partial None None
SQL injection vulnerability in NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
13 CVE-2017-5995 200 +Info 2017-03-01 2017-03-09
5.0
None Remote Low Not required Partial None None
The NetApp ONTAP Select Deploy administration utility 2.0 through 2.2.1 might allow remote attackers to obtain sensitive information via unspecified vectors.
14 CVE-2017-5988 DoS 2017-04-10 2017-04-14
5.0
None Remote Low Not required None None Partial
NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enabled, allows remote attackers to cause a denial of service via unspecified vectors.
15 CVE-2017-5600 264 2017-02-02 2017-02-09
7.5
None Remote Low Not required Partial Partial Partial
The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 allows remote attackers to obtain administrative access by leveraging a default privileged account.
16 CVE-2017-5201 200 +Info 2017-11-09 2017-11-29
2.7
None Local Network Low Single system Partial None None
NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors, a different vulnerability than CVE-2016-3064.
17 CVE-2016-7172 200 +Info 2016-12-21 2017-07-26
5.0
None Remote Low Not required Partial None None
NetApp Snap Creator Framework before 4.3.1 discloses sensitive information which could be viewed by an unauthorized user.
18 CVE-2016-7171 295 2016-12-05 2016-12-23
6.8
None Remote Medium Not required Partial Partial Partial
NetApp Plug-in for Symantec NetBackup prior to version 2.0.1 makes use of a non-unique server certificate, making it vulnerable to impersonation.
19 CVE-2016-6820 200 +Info 2017-01-11 2017-11-15
5.0
None Remote Low Not required Partial None None
MetroCluster Tiebreaker for clustered Data ONTAP in versions before 1.2 discloses sensitive information in cleartext which may be viewed by an unauthenticated user.
20 CVE-2016-6667 Exec Code 2017-02-07 2017-02-24
7.5
None Remote Low Not required Partial Partial Partial
NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 through 6.4P1 contain a default privileged account, which allows remote attackers to execute arbitrary code via unspecified vectors.
21 CVE-2016-6495 200 +Info 2017-02-07 2017-02-24
4.3
None Remote Medium Not required Partial None None
NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, allows remote attackers to obtain information about the volumes configured for HTTP access.
22 CVE-2016-5711 2017-02-07 2017-02-24
6.8
None Remote Medium Not required Partial Partial Partial
NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.
23 CVE-2016-5374 264 Bypass 2017-03-01 2017-03-14
6.5
None Remote Low Single system Partial Partial Partial
NetApp Data ONTAP 9.0 and 9.1 before 9.1P1 allows remote authenticated users that own SMB-hosted data to bypass intended sharing restrictions by leveraging improper handling of the owner_rights ACL entry.
24 CVE-2016-5372 352 CSRF 2017-02-07 2017-11-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in NetApp Snap Creator Framework before 4.3.0P1 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
25 CVE-2016-5047 DoS 2016-09-01 2017-11-15
4.0
None Remote Low Single system None None Partial
NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote authenticated users to cause a denial of service via unspecified vectors.
26 CVE-2016-5045 200 +Info 2017-07-03 2017-07-05
6.8
None Remote Medium Not required Partial Partial Partial
NetApp OnCommand System Manager before 9.0 allows remote attackers to obtain sensitive credentials via vectors related to cluster peering setup.
27 CVE-2016-4341 200 +Info 2017-02-07 2017-02-24
5.0
None Remote Low Not required Partial None None
NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors.
28 CVE-2016-3998 264 DoS +Priv +Info 2017-07-03 2017-07-05
5.1
None Remote High Not required Partial Partial Partial
NetApp AltaVault 4.1 and earlier allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service via vectors related to the SMB protocol.
29 CVE-2016-3997 254 DoS +Priv +Info 2017-07-03 2017-07-05
6.8
None Remote Medium Not required Partial Partial Partial
NetApp Clustered Data ONTAP allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service by leveraging failure to enable SMB signing enforcement in its default state.
30 CVE-2016-3400 254 DoS +Priv +Info 2017-07-03 2017-08-30
6.8
None Remote Medium Not required Partial Partial Partial
NetApp Data ONTAP 8.1 and 8.2, when operating in 7-Mode, allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service via vectors related to the SMB protocol.
31 CVE-2016-3064 200 +Info 2016-08-31 2017-11-15
4.0
None Remote Low Single system Partial None None
NetApp Clustered Data ONTAP before 8.2.4P4 and 8.3.x before 8.3.2P2 allows remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors.
32 CVE-2016-3063 116 Exec Code 2017-02-07 2017-11-15
4.4
None Local Medium Not required Partial Partial Partial
Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors.
33 CVE-2016-1895 134 DoS 2017-09-01 2017-09-06
4.0
None Remote Low Single system None None Partial
NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling.
34 CVE-2016-1894 284 Bypass 2017-02-07 2017-11-15
9.3
None Remote Medium Not required Complete Complete Complete
NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors.
35 CVE-2016-1563 20 +Info 2016-04-07 2017-11-15
5.8
None Remote Medium Not required Partial Partial None
NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
36 CVE-2016-1502 287 Bypass 2017-02-07 2017-02-24
7.5
None Remote Low Not required Partial Partial Partial
NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors.
37 CVE-2015-8544 200 +Info 2017-02-07 2017-11-15
5.0
None Remote Low Not required Partial None None
NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.
38 CVE-2015-8322 Exec Code 2017-02-07 2017-11-15
6.5
None Remote Low Single system Partial Partial Partial
NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authenticated users to execute arbitrary code via unspecified vectors.
39 CVE-2015-8020 200 +Info 2017-01-11 2017-11-15
4.3
None Remote Medium Not required Partial None None
Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default privileged account which under certain conditions can be used for unauthorized information disclosure.
40 CVE-2015-7887 284 2017-08-07 2017-08-10
6.5
None Remote Low Single system Partial Partial Partial
NetApp SnapCenter Server 1.0 allows remote authenticated users to list and delete backups.
41 CVE-2015-7886 200 +Info 2016-01-18 2017-11-15
4.3
None Remote Medium Not required Partial None None
NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enabled, allows remote attackers to obtain sensitive volume information via unspecified vectors.
42 CVE-2015-7746 287 Bypass +Info 2017-09-01 2017-09-06
7.5
None Remote Low Not required Partial Partial Partial
NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language.
43 CVE-2015-3292 17 Exec Code 2015-05-31 2016-12-02
10.0
None Remote Low Not required Complete Complete Complete
The installer in NetApp OnCommand Workflow Automation before 2.2.1P1 and 3.x before 3.0P1 sets up the Java Debugging Wire Protocol (JDWP) service, which allows remote attackers to execute arbitrary code via unspecified vectors.
44 CVE-2014-9354 200 +Info 2015-02-06 2015-02-09
4.0
None Remote Low Single system Partial None None
NetApp OnCommand Balance before 4.2P3 allows local users to obtain sensitive information via unspecified vectors related to cleartext storage.
45 CVE-2014-9353 264 +Priv 2015-02-06 2015-02-06
10.0
None Remote Low Not required Complete Complete Complete
NetApp OnCommand Balance before 4.2P2 contains a "default privileged account," which allows remote attackers to gain privileges via unspecified vectors.
46 CVE-2008-3349 264 DoS Exec Code +Info 2008-07-28 2017-08-07
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in NetApp Data ONTAP, as used on NetApp and IBM eServer platforms, allow remote attackers to execute arbitrary commands, cause a denial of service (system crash), or obtain sensitive information, probably related to insufficient access control for HTTP requests. NOTE: this may overlap CVE-2008-3160.
Total number of vulnerabilities : 46   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.