| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-15769 |
320 |
|
DoS |
2018-11-16 |
2018-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is sent to the TLS client, and an Ephemeral or Anonymous Diffie-Hellman cipher suite (DHE or ADH) is used. |
|
2 |
CVE-2018-11054 |
190 |
|
DoS Overflow |
2018-08-31 |
2018-11-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
RSA BSAFE Micro Edition Suite, version 4.1.6, contains an integer overflow vulnerability. A remote attacker could use maliciously constructed ASN.1 data to potentially cause a Denial Of Service. |
|
3 |
CVE-2018-11051 |
22 |
|
+Priv Dir. Trav. |
2018-07-03 |
2018-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564 contain a path traversal vulnerability in the RSA CMP Enroll Server and the RSA REST Enroll Server. A remote unauthenticated attacker could potentially exploit this vulnerability by manipulating input parameters of the application to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application. |
|
4 |
CVE-2017-14385 |
119 |
|
Exec Code Overflow |
2017-12-20 |
2018-01-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in EMC Data Domain DD OS 5.7 family, versions prior to 5.7.5.6; EMC Data Domain DD OS 6.0 family, versions prior to 6.0.2.9; EMC Data Domain DD OS 6.1 family, versions prior to 6.1.0.21; EMC Data Domain Virtual Edition 2.0 family, all versions; EMC Data Domain Virtual Edition 3.0 family, versions prior to 3.0 SP2 Update 1; and EMC Data Domain Virtual Edition 3.1 family, versions prior to 3.1 Update 2. EMC Data Domain DD OS contains a memory overflow vulnerability in SMBv1 which may potentially be exploited by an unauthenticated remote attacker. An attacker may completely shut down both the SMB service and active directory authentication. This may also allow remote code injection and execution. |
|
5 |
CVE-2017-8019 |
20 |
|
DoS |
2017-11-28 |
2017-12-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in EMC ScaleIO 2.0.1.x. A vulnerability in message parsers (MDM, SDS, and LIA) could potentially allow an unauthenticated remote attacker to send specifically crafted packets to stop ScaleIO services and cause a denial of service situation. |
|
6 |
CVE-2017-8018 |
20 |
|
DoS |
2017-10-02 |
2017-10-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
EMC AppSync host plug-in versions 3.5 and below (Windows platform only) includes a denial of service (DoS) vulnerability that could potentially be exploited by malicious users to compromise the affected system. |
|
7 |
CVE-2017-8012 |
284 |
|
DoS |
2017-09-21 |
2017-10-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) for SAS Solution Packs, the Java Management Extensions (JMX) protocol used to communicate between components in the Alerting and/or Compliance components can be leveraged to create a denial of service (DoS) condition. Attackers with knowledge of JMX agent user credentials could potentially exploit this vulnerability to create arbitrary files on the affected system and create a DoS condition by leveraging inherent JMX protocol capabilities. |
|
8 |
CVE-2017-5002 |
601 |
|
|
2017-07-06 |
2017-07-17 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the RSA Archer application without the victims realizing an attack occurred. |
|
9 |
CVE-2017-4986 |
200 |
|
Bypass +Info |
2017-06-14 |
2017-07-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could potentially be exploited by malicious users to compromise the affected system. |
|
10 |
CVE-2017-4980 |
22 |
|
Dir. Trav. |
2017-03-29 |
2017-04-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Isilon OneFS is affected by a path traversal vulnerability that may potentially be exploited by attackers to compromise the affected system. Affected versions are 7.1.0 - 7.1.1.10, 7.2.0 - 7.2.1.3, and 8.0.0 - 8.0.0.1. |
|
11 |
CVE-2016-8217 |
200 |
|
+Info |
2017-02-03 |
2017-07-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one byte at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601. |
|
12 |
CVE-2016-8212 |
254 |
|
|
2017-02-03 |
2017-07-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6.2.2. There is an Improper OCSP Validation Vulnerability. OCSP responses have two time values: thisUpdate and nextUpdate. These specify a validity period; however, both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748. |
|
13 |
CVE-2016-8211 |
22 |
|
Dir. Trav. |
2017-02-03 |
2017-03-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Data Protection Advisor 6.1.x, EMC Data Protection Advisor 6.2, EMC Data Protection Advisor 6.2.1, EMC Data Protection Advisor 6.2.2, EMC Data Protection Advisor 6.2.3 prior to patch 446 has a path traversal vulnerability that may potentially be exploited by malicious users to compromise the affected system. |
|
14 |
CVE-2016-6644 |
264 |
|
|
2016-09-17 |
2017-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows remote attackers to read arbitrary Docbase documents by leveraging knowledge of an r_object_id value. |
|
15 |
CVE-2016-6642 |
352 |
|
CSRF |
2016-09-17 |
2016-11-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to hijack the authentication of administrators for requests that upload files. |
|
16 |
CVE-2016-0922 |
285 |
|
|
2016-09-17 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC ViPR SRM before 3.7.2 does not restrict the number of password-authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force guessing attack. |
|
17 |
CVE-2016-0915 |
264 |
|
DoS |
2016-08-22 |
2017-08-15 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
The Self-Service Portal in EMC RSA Authentication Manager (AM) Prime Self-Service 3.0 and 3.1 before 3.1 1915.42871 allows remote authenticated users to cause a denial of service (PIN change for an arbitrary user) via a modified token serial number within a PIN change request, related to a "direct object reference vulnerability." |
|
18 |
CVE-2016-0904 |
310 |
|
+Info |
2016-09-20 |
2017-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use the same encryption key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive client-server traffic information by leveraging knowledge of this key from another installation. |
|
19 |
CVE-2016-0902 |
|
|
Http R.Spl. |
2016-05-07 |
2016-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
|
20 |
CVE-2016-0882 |
|
|
|
2016-02-11 |
2017-01-10 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
21 |
CVE-2015-6843 |
200 |
|
+Info |
2015-10-18 |
2016-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach. |
|
22 |
CVE-2015-4529 |
|
|
|
2015-07-16 |
2017-09-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in EMC Documentum WebTop before 6.8P02, Documentum Administrator before 7.2P01, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. |
|
23 |
CVE-2015-0543 |
20 |
|
+Info |
2015-07-05 |
2016-12-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
24 |
CVE-2015-0534 |
264 |
|
|
2015-08-20 |
2017-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2, RSA BSAFE SSL-J before 6.2, and RSA BSAFE SSL-C 2.8.9 and earlier do not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, a similar issue to CVE-2014-8275. |
|
25 |
CVE-2015-0531 |
284 |
|
|
2015-05-06 |
2016-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. |
|
26 |
CVE-2015-0529 |
255 |
|
+Info |
2015-04-04 |
2016-08-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session. |
|
27 |
CVE-2015-0514 |
200 |
|
+Info |
2015-01-21 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. |
|
28 |
CVE-2015-0512 |
|
|
|
2015-02-01 |
2015-09-17 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in EMC Unisphere Central before 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter. |
|
29 |
CVE-2014-4639 |
189 |
|
|
2015-01-06 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
EMC Documentum Web Development Kit (WDK) before 6.8 does not properly generate random numbers for a certain parameter related to Webtop components, which makes it easier for remote attackers to conduct phishing attacks via brute-force attempts to predict the parameter value. |
|
30 |
CVE-2014-4638 |
200 |
|
+Info |
2015-01-06 |
2016-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors. |
|
31 |
CVE-2014-4631 |
287 |
|
Bypass |
2014-12-08 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phone (Authentify) functionality, conducts permanent device binding even when authentication fails, which allows remote attackers to bypass authentication. |
|
32 |
CVE-2014-4193 |
310 |
|
|
2014-06-17 |
2017-01-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The TLS implementation in EMC RSA BSAFE-Java Toolkits (aka Share for Java) supports the Extended Random extension during use of the Dual_EC_DRBG algorithm, which makes it easier for remote attackers to obtain plaintext from TLS sessions by requesting long nonces from a server, a different issue than CVE-2007-6755. |
|
33 |
CVE-2014-4192 |
310 |
|
|
2014-06-17 |
2014-06-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Dual_EC_DRBG implementation in EMC RSA BSAFE-C Toolkits (aka Share for C and C++) processes certain requests for output bytes by considering only the requested byte count and not the use of cached bytes, which makes it easier for remote attackers to obtain plaintext from TLS sessions by recovering the algorithm's inner state, a different issue than CVE-2007-6755. |
|
34 |
CVE-2014-4191 |
310 |
|
|
2014-06-17 |
2014-06-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The TLS implementation in EMC RSA BSAFE-C Toolkits (aka Share for C and C++) sends a long series of random bytes during use of the Dual_EC_DRBG algorithm, which makes it easier for remote attackers to obtain plaintext from TLS sessions by recovering the algorithm's inner state, a different issue than CVE-2007-6755. |
|
35 |
CVE-2014-2519 |
200 |
|
DoS +Info |
2014-07-19 |
2017-01-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 before 4.1.0.1 does not enable a firewall, which allows remote attackers to obtain potentially sensitive information about open ports, or cause a denial of service, by sending packets to many ports. |
|
36 |
CVE-2014-2516 |
|
|
|
2014-12-12 |
2014-12-15 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in EMC RSA Authentication Manager 8.x before 8.1 Patch 6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
37 |
CVE-2014-2509 |
|
|
|
2014-06-30 |
2018-10-09 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in the Report Advisor (RA) component in EMC Network Configuration Manager (NCM) before 9.3 allows remote attackers to hijack web sessions via a session cookie. |
|
38 |
CVE-2014-2505 |
|
|
|
2014-08-20 |
2017-08-28 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors. |
|
39 |
CVE-2014-2276 |
264 |
|
+Info |
2014-03-21 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The FileUploadController servlet in EMC Connectrix Manager Converged Network Edition (CMCNE) before 12.1.5 does not properly restrict additions to the Connectrix Manager repository, which allows remote attackers to obtain sensitive information by importing a crafted firmware file. |
|
40 |
CVE-2014-0642 |
264 |
|
Bypass |
2014-04-15 |
2014-04-16 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, 7.0 before P13, and 7.1 before P02 allows remote authenticated users to bypass intended access restrictions and read metadata from certain folders via unspecified vectors. |
|
41 |
CVE-2014-0636 |
310 |
|
|
2014-04-11 |
2016-09-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
EMC RSA BSAFE Micro Edition Suite (MES) 3.2.x before 3.2.6 and 4.0.x before 4.0.5 does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate chain. |
|
42 |
CVE-2014-0628 |
20 |
|
DoS |
2014-03-25 |
2014-03-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The server in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.5 does not properly process certificate chains, which allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. |
|
43 |
CVE-2014-0627 |
310 |
|
|
2014-02-17 |
2014-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The SSLEngine API implementation in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to trigger the selection of a weak cipher suite by using the wrap method during a certain incomplete-handshake state. |
|
44 |
CVE-2014-0626 |
310 |
|
Bypass |
2014-02-17 |
2014-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated. |
|
45 |
CVE-2014-0625 |
399 |
|
DoS |
2014-02-17 |
2014-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The SSLSocket implementation in the (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 allows remote attackers to cause a denial of service (memory consumption) by triggering application-data processing during the TLS handshake, a time at which the data is internally buffered. |
|
46 |
CVE-2013-6174 |
20 |
|
|
2013-11-20 |
2015-07-22 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in xAdmin in EMC Document Sciences xPression 4.1 SP1 before Patch 47, 4.2 before Patch 26, and 4.5 before Patch 05, as used in Documentum Edition, Enterprise Edition Publish Engine, and Enterprise Edition Compuset Engine, allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. |
|
47 |
CVE-2013-6078 |
310 |
|
|
2014-06-17 |
2014-06-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The default configuration of EMC RSA BSAFE Toolkits and RSA Data Protection Manager (DPM) 20130918 uses the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging unspecified "security concerns," aka the ESA-2013-068 issue. NOTE: this issue has been SPLIT from CVE-2007-6755 because the vendor announcement did not state a specific technical rationale for a change in the algorithm; thus, CVE cannot reach a conclusion that a CVE-2007-6755 concern was the reason, or one of the reasons, for this change. |
|
48 |
CVE-2013-3279 |
255 |
|
+Info |
2013-10-16 |
2013-10-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account, which allows remote attackers to obtain sensitive administrative information via a database-server connection. |
|
49 |
CVE-2013-3277 |
20 |
|
|
2013-09-05 |
2013-09-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
50 |
CVE-2013-3271 |
255 |
|
|
2013-08-28 |
2013-10-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
EMC RSA Authentication Agent for PAM 7.0 before 7.0.2.1 enforces the maximum number of login attempts within the PAM-enabled application codebase, instead of within the Agent codebase, which makes it easier for remote attackers to discover correct login credentials via a brute-force attack. |
