These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2021-41617 is a local privilege-escalation issue in OpenSSH sshd that affects versions 6.2 through 8.x before 8.8 when specific non-default configuration options are used. In the affected setup, helper programs for AuthorizedKeysCommand or AuthorizedPrincipalsCommand may inherit unexpected group-related privileges from the sshd process, which can let a user with limited access gain elevated privileges.
CVE-2023-5363 is an OpenSSL bug in the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), and EVP_CipherInit_ex2() path where keylen and ivlen parameters inside an OSSL_PARAM array are processed too late. That can cause truncation or overruns of key and IV values for some symmetric ciphers and modes. The most security-relevant case is IV truncation in CCM, GCM, or OCB, where it can lead to IV reuse and loss of [truncated]
CVE-2022-43945 is a Linux kernel NFSD buffer overflow that can be triggered by a network client sending a TCP RPC message with trailing garbage data. NVD lists impacted Linux kernel ranges as versions before 5.19.17 and 6.0 through 6.0.1, and the issue is rated high severity because it can cause a denial of service. The record was published on 2022-11-04 and later modified by NVD, but the original publica [truncated]
CVE-2021-4090 is an out-of-bounds write in Linux NFSD’s bitmap decode path. A local user with low privileges may be able to write past the end of a bitmap buffer, which can threaten kernel memory integrity and confidentiality. NVD also maps the issue to several NetApp H-series firmware CPEs, so both Linux kernel and affected appliance inventories should be checked.
CVE-2021-38202 is a network-reachable denial-of-service issue in the Linux kernel’s nfsd trace path. According to the CVE description and NVD, remote attackers can send NFS traffic that triggers an out-of-bounds read in strlen when the trace event framework is being used for nfsd. The issue is fixed in Linux kernel 5.13.4 and is mapped by NVD to affected NetApp-related CPE entries as well as the Linux kernel CPE.
CVE-2023-28531 is a critical OpenSSH issue in which ssh-add can add smartcard keys to ssh-agent without the intended per-hop destination constraints. The supplied corpus says the earliest affected version is 8.9, and NVD lists the vulnerable OpenSSH range as 8.9 through 9.2. Because the issue touches SSH authentication and agent key handling, organizations that rely on constrained agent workflows should t [truncated]
CVE-2017-5995 is a high-severity information disclosure issue in NetApp ONTAP Select Deploy administration utility versions 2.0 through 2.2.1. The public record says remote attackers may obtain sensitive information via unspecified vectors. NVD assigns CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), which points to a network-reachable confidentiality impact with no listed integrity or availability imp [truncated]
CVE-2016-5374 is a high-severity access-control issue in NetApp Data ONTAP affecting SMB-hosted data. According to the CVE description, a remote authenticated user who owns SMB-hosted data can bypass intended sharing restrictions because of improper handling of the owner_rights ACL entry. The vulnerability was published on 2017-03-01, and the supplied NVD record identifies affected Data ONTAP 9.0 and 9.1 [truncated]
CVE-2016-6667 is a critical remote code execution issue in NetApp OnCommand Unified Manager for Clustered Data ONTAP. The vulnerability is tied to a default privileged account and affects the 6.3, 6.4, and 6.4P1 release lines listed by NVD. Because the issue is network-reachable and rated 9.8, affected systems should be treated as urgent remediation candidates.
CVE-2016-6495 is a medium-severity information disclosure issue in NetApp Data ONTAP before 8.2.4P5 when operating in 7-Mode. According to NVD, a remote attacker can obtain information about the volumes configured for HTTP access. The impact is limited to confidentiality, but the issue affects a network-reachable service path and does not require privileges or user interaction.
CVE-2016-5711 affects NetApp Virtual Storage Console for VMware vSphere and is described as a non-unique certificate issue that can let remote attackers conduct man-in-the-middle attacks. The CVE was published on 2017-02-07 and is rated critical in NVD with a network-reachable, no-authentication attack profile.
CVE-2016-5372 describes a cross-site request forgery (CSRF) issue in NetApp Snap Creator Framework. The flaw can allow a remote attacker to hijack a user's authenticated session for unintended requests. NVD rates the issue as medium severity (CVSS 6.3), and the vulnerability affects Snap Creator Framework versions before 4.3.0P1.
CVE-2016-4341 is a high-severity information disclosure affecting NetApp Clustered Data ONTAP. According to the NVD record, remote attackers can obtain SMB share information via unspecified vectors, and the issue is rated CVSS 3.0 7.5 (HIGH). The published record points to NetApp guidance for remediation and describes affected versions as Clustered Data ONTAP before 8.3.2P7.
CVE-2016-3063 affects NetApp OnCommand System Manager before 8.3.2. According to the NVD description and NetApp references, multiple functions do not properly escape special characters, which can let a remote authenticated user execute arbitrary API calls through unspecified vectors. NetApp’s advisory and KB entry indicate a vendor fix is available, and the vulnerable version range ends at 8.3.1.
CVE-2016-1894 is an authentication bypass issue in NetApp OnCommand Workflow Automation. According to the CVE/NVD record and NetApp references, affected releases are versions before 3.1P2. Because the flaw can let a remote attacker bypass authentication, it should be treated as a high-priority exposure on any internet-reachable or broadly trusted Workflow Automation deployment.
CVE-2016-1502 is an authentication-bypass vulnerability in NetApp SnapCenter Server 1.0 and 1.0P1. Per the NVD description, a remote attacker could partially bypass authentication and then list and delete backups. The issue was published on 2017-02-07 and is rated CVSS 7.3 (High).
CVE-2015-8544 is a high-severity information disclosure issue in NetApp SnapDrive for Windows. According to the NVD record and NetApp references, remote attackers could obtain sensitive information through unspecified vectors in affected versions before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1. The official CVSS 3.0 vector indicates a network-reachable, no-authentication, no-user-interaction impact that aff [truncated]
CVE-2015-8322 is a high-severity remote code execution issue in NetApp OnCommand System Manager 8.3.x before 8.3.2. The NVD record says a remote authenticated attacker could execute arbitrary code through unspecified vectors. The record also maps vulnerable CPE entries to NetApp Data ONTAP 8.3 and 8.3.1 and points to NetApp patch/advisory references.
CVE-2016-10165 affects Little CMS (lcms2) profile parsing. A crafted ICC profile embedded in an image can trigger an out-of-bounds heap read in Type_MLU_Read, which may expose sensitive memory contents or crash the process.
CVE-2017-5600 is a critical authentication/credential-management issue in the Data Warehouse component of NetApp OnCommand Insight. According to the CVE record, remote attackers could obtain administrative access by leveraging a default privileged account in versions before 7.2.3. NVD maps the weakness to CWE-798 and rates the issue CVSS 3.0 9.8, reflecting network access, no required privileges, no user [truncated]