Common Weakness Enumeration

CWE-1395

Allowed-with-Review

Dependency on Vulnerable Third-Party Component

Abstraction: Class · Status: Incomplete

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

110 vulnerabilities reference this CWE, most recent first.

CVE-2024-32753 (GCVE-0-2024-32753)

Vulnerability from cvelistv5 – Published: 2024-07-11 15:30 – Updated: 2024-08-16 14:50
VLAI
Title
TYCO Illustra Pro Gen 4 - JQuery version
Summary
Under certain circumstances the camera may be susceptible to known vulnerabilities associated with the JQuery versions prior to 3.5.0 third-party component
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
jci
Impacted products
Vendor Product Version
Johnson Controls TYCO Illustra Pro4 Fixed cameras Affected: 0 , ≤ Illustra.SS016.05.03.01.0007 (custom)
Create a notification for this product.
Johnson Controls TYCO Illustra Pro4 PTZ cameras Affected: 0 , ≤ Illustra.SS010.24.03.00.0005 (custom)
Create a notification for this product.
Johnson Controls TYCO Illustra Flex4 Fixed & PTZ cameras Affected: 0 , ≤ Illustra.SS018.24.03.00.0010 (custom)
Create a notification for this product.
Johnson Controls TYCO Illustra Pro4 MultiSensor Cameras Affected: 0 , ≤ Illustra.SS017.24.03.00.0009 (custom)
Create a notification for this product.
Johnson Controls TYCO Illustra Flex4 DualSensor Cameras Affected: 0 , ≤ Illustra.SS022.24.03.00.0008 (custom)
Create a notification for this product.
johnsoncontrols illustra_flex4_dualsensor_firmware Affected: 0 , ≤ Illustra.SS022.24.03.00.0008 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_flex4_dualsensor_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
johnsoncontrols illustra_pro4_multisensor_firmware Affected: 0 , ≤ Illustra.SS017.24.03.00.0009 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_pro4_multisensor_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
johnsoncontrols illustra_flex4_fixed_firmware Affected: 0 , ≤ Illustra.SS018.24.03.00.0010 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_flex4_fixed_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
johnsoncontrols illustra_flex4_ptz_firmware Affected: 0 , ≤ Illustra.SS018.24.03.00.0010 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_flex4_ptz_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
johnsoncontrols illustra_pro4_ptz_firmware Affected: 0 , ≤ Illustra.SS010.24.03.00.0005 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_pro4_ptz_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
johnsoncontrols illustra_pro_gen_4_firmware Affected: 0 , ≤ Illustra.SS016.05.03.01.0007 (custom)
    cpe:2.3:o:johnsoncontrols:illustra_pro_gen_4_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-07-09 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_flex4_dualsensor_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_flex4_dualsensor_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS022.24.03.00.0008",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_pro4_multisensor_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_pro4_multisensor_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS017.24.03.00.0009",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_flex4_fixed_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_flex4_fixed_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_flex4_ptz_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_flex4_ptz_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_pro4_ptz_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_pro4_ptz_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS010.24.03.00.0005",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:johnsoncontrols:illustra_pro_gen_4_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "illustra_pro_gen_4_firmware",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThanOrEqual": "Illustra.SS016.05.03.01.0007",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32753",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T19:41:41.470969Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T14:23:41.965Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.268Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "TYCO Illustra Pro4 Fixed cameras",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "Illustra.SS016.05.03.01.0007",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TYCO Illustra Pro4 PTZ cameras",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "Illustra.SS010.24.03.00.0005",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TYCO Illustra Flex4 Fixed \u0026 PTZ cameras",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TYCO Illustra Pro4 MultiSensor Cameras",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "Illustra.SS017.24.03.00.0009",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TYCO Illustra Flex4 DualSensor Cameras",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "Illustra.SS022.24.03.00.0008",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2024-07-09T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnder certain circumstances the camera may be susceptible to known vulnerabilities associated with the JQuery versions prior to 3.5.0 third-party component\u003c/span\u003e"
            }
          ],
          "value": "Under certain circumstances the camera may be susceptible to known vulnerabilities associated with the JQuery versions prior to 3.5.0 third-party component"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-588",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-588: DOM-Based XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-16T14:50:34.077Z",
        "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "shortName": "jci"
      },
      "references": [
        {
          "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-03"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 Fixed\u003c/strong\u003e cameras to \u003cstrong\u003eIllustra.SS016.24.03.00.0007\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 PTZ\u003c/strong\u003e cameras to\u003cstrong\u003e Illustra.SS010.24.03.00.0005\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003eFlex4 Fixed \u0026amp; PTZ\u003c/strong\u003e cameras to \u003cstrong\u003eIllustra.SS018.24.03.00.0010\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 MultiSensor \u003c/strong\u003ecameras to \u003cstrong\u003eIllustra.SS017.24.03.00.0009\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003eFlex4 DualSensor \u003c/strong\u003ecameras to \u003cstrong\u003eIllustra.SS022.24.03.00.0008\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "*  Update firmware of Pro4 Fixed cameras to Illustra.SS016.24.03.00.0007\n\n\n  *  Update firmware of Pro4 PTZ cameras to Illustra.SS010.24.03.00.0005\n\n\n  *  Update firmware of Flex4 Fixed \u0026 PTZ cameras to Illustra.SS018.24.03.00.0010\n\n\n  *  Update firmware of Pro4 MultiSensor cameras to Illustra.SS017.24.03.00.0009\n\n\n  *  Update firmware of Flex4 DualSensor cameras to Illustra.SS022.24.03.00.0008"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "TYCO Illustra Pro Gen 4 - JQuery version",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
    "assignerShortName": "jci",
    "cveId": "CVE-2024-32753",
    "datePublished": "2024-07-11T15:30:39.367Z",
    "dateReserved": "2024-04-17T17:26:35.180Z",
    "dateUpdated": "2024-08-16T14:50:34.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26293 (GCVE-0-2024-26293)

Vulnerability from cvelistv5 – Published: 2025-07-14 09:18 – Updated: 2025-07-14 14:40
VLAI
Title
Unauthenticated Path Traversal affecting Avid NEXIS
Summary
The Avid Nexis Agent uses a vulnerable gSOAP version. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
Impacted products
Credits
DriveByte CERT-Bund
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26293",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T14:37:19.883688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-14T14:40:41.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "Windows"
          ],
          "product": "Avid NEXIS E-series",
          "vendor": "Avid",
          "versions": [
            {
              "lessThan": "2025.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "Windows"
          ],
          "product": "Avid NEXIS F-series",
          "vendor": "Avid",
          "versions": [
            {
              "lessThan": "2025.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "windows"
          ],
          "product": "Avid NEXIS PRO+",
          "vendor": "Avid",
          "versions": [
            {
              "lessThan": "2025.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "Windows"
          ],
          "product": "System Director Appliance (SDA+)",
          "vendor": "Avid",
          "versions": [
            {
              "lessThan": "2025.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "DriveByte"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "CERT-Bund"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Avid Nexis Agent uses a vulnerable gSOAP\nversion. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability.\u003cbr\u003e\u003cp\u003eThis issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.\u003c/p\u003e"
            }
          ],
          "value": "The Avid Nexis Agent uses a vulnerable gSOAP\nversion. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability.\nThis issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T09:18:18.045Z",
        "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "shortName": "ENISA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://resources.avid.com/SupportFiles/attach/AvidNEXIS/AvidNEXIS_2025_5_1_ReadMe.pdf"
        },
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.genivia.com/changelog.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated Path Traversal affecting Avid NEXIS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
    "assignerShortName": "ENISA",
    "cveId": "CVE-2024-26293",
    "datePublished": "2025-07-14T09:18:18.045Z",
    "dateReserved": "2024-02-16T16:12:43.383Z",
    "dateUpdated": "2025-07-14T14:40:41.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21421 (GCVE-0-2024-21421)

Vulnerability from cvelistv5 – Published: 2024-03-12 16:57 – Updated: 2025-05-03 00:46
VLAI
Title
Azure SDK Spoofing Vulnerability
Summary
Azure SDK Spoofing Vulnerability
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
Impacted products
Vendor Product Version
Microsoft Azure SDK Affected: 1.0.0 , < 1.29.5 (custom)
Create a notification for this product.
Date Public
2024-03-12 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:20:40.662Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Azure SDK Spoofing Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21421"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21421",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T19:21:36.716605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-09T14:16:37.921Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Azure SDK",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.29.5",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_sdk:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.29.5",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2024-03-12T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Azure SDK Spoofing Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-03T00:46:37.963Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure SDK Spoofing Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21421"
        }
      ],
      "title": "Azure SDK Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2024-21421",
    "datePublished": "2024-03-12T16:57:43.762Z",
    "dateReserved": "2023-12-08T22:45:21.301Z",
    "dateUpdated": "2025-05-03T00:46:37.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-14031 (GCVE-0-2024-14031)

Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:30
VLAI
Title
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library
Summary
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
Impacted products
Vendor Product Version
YVES Sereal::Encoder Affected: 4.000 , ≤ 4.009_002 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-14031",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:19:21.141997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1395",
                "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:19:27.286Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Sereal-Encoder",
          "product": "Sereal::Encoder",
          "repo": "https://github.com/Sereal/Sereal",
          "vendor": "YVES",
          "versions": [
            {
              "lessThanOrEqual": "4.009_002",
              "status": "affected",
              "version": "4.000",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.  This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T16:30:00.649Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/YVES/Sereal-Encoder-4.010/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Sereal::Encoder version 4.010 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2017-02-06T00:00:00.000Z",
          "value": "Sereal::Encoder version 4.001_001 released."
        },
        {
          "lang": "en",
          "time": "2018-12-27T00:00:00.000Z",
          "value": "Zstandard 1.3.8 released."
        },
        {
          "lang": "en",
          "time": "2019-07-25T00:00:00.000Z",
          "value": "CVE-2019-11922 for Zstandard published"
        },
        {
          "lang": "en",
          "time": "2020-02-04T00:00:00.000Z",
          "value": "Sereal::Encoder version 4.010 released."
        },
        {
          "lang": "en",
          "time": "2023-02-09T00:00:00.000Z",
          "value": "Advisory added to the CPANSA database."
        },
        {
          "lang": "en",
          "time": "2024-02-17T00:00:00.000Z",
          "value": "Advisory updated in the CPANSA database."
        }
      ],
      "title": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-14031",
    "datePublished": "2026-03-31T11:31:28.100Z",
    "dateReserved": "2026-03-29T15:12:06.674Z",
    "dateUpdated": "2026-04-01T16:30:00.649Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-14030 (GCVE-0-2024-14030)

Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:29
VLAI
Title
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library
Summary
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
Impacted products
Vendor Product Version
YVES Sereal::Decoder Affected: 4.000 , ≤ 4.009_002 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-14030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:18:18.323057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1395",
                "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:18:55.221Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Sereal-Decoder",
          "product": "Sereal::Decoder",
          "repo": "https://github.com/Sereal/Sereal",
          "vendor": "YVES",
          "versions": [
            {
              "lessThanOrEqual": "4.009_002",
              "status": "affected",
              "version": "4.000",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.  This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T16:29:33.903Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Sereal::Decoder version 4.010 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2017-02-06T00:00:00.000Z",
          "value": "Sereal::Decoder version 4.001_001 released."
        },
        {
          "lang": "en",
          "time": "2018-12-27T00:00:00.000Z",
          "value": "Zstandard 1.3.8 released."
        },
        {
          "lang": "en",
          "time": "2019-07-25T00:00:00.000Z",
          "value": "CVE-2019-11922 for Zstandard published"
        },
        {
          "lang": "en",
          "time": "2020-02-04T00:00:00.000Z",
          "value": "Sereal::Decoder version 4.010 released."
        },
        {
          "lang": "en",
          "time": "2023-02-09T00:00:00.000Z",
          "value": "Advisory added to the CPANSA database."
        },
        {
          "lang": "en",
          "time": "2024-02-17T00:00:00.000Z",
          "value": "Advisory updated in the CPANSA database."
        }
      ],
      "title": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-14030",
    "datePublished": "2026-03-31T11:31:08.541Z",
    "dateReserved": "2026-03-28T19:49:07.023Z",
    "dateUpdated": "2026-04-01T16:29:33.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-12740 (GCVE-0-2024-12740)

Vulnerability from cvelistv5 – Published: 2025-01-27 17:17 – Updated: 2025-01-27 18:52
VLAI
Title
Dependency on Vulnerable Third-Party Component exposes Vulnerabilities in NI Vision Software
Summary
Vision related software from NI used a third-party library for image processing that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
NI
Credits
kimiya working with Trend Micro Zero Day Initiative
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T18:52:49.924917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-27T18:52:58.721Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Vision Development Module",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "24.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "FlexRIO",
          "vendor": "NI",
          "versions": [
            {
              "lessThan": "25.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "NI-IMAQdx",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "23.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Vision Acquisition Software",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "23.1",
              "status": "affected",
              "version": "0",
              "versionType": "sem"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Vision Builder for Automated Inspection",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "23.*",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Data Record AD",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "2.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "FRC Game Tools",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "25.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "kimiya working with Trend Micro Zero Day Initiative"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVision related software from NI used a third-party library for image processing that exposes several vulnerabilities.  These vulnerabilities may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted file.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Vision related software from NI used a third-party library for image processing that exposes several vulnerabilities.  These vulnerabilities may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-23",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-23 File Content Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-27T17:17:28.308Z",
        "orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
        "shortName": "NI"
      },
      "references": [
        {
          "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/dependency-on-vulnerable-third-party-component-exposes-vulnerabi.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Dependency on Vulnerable Third-Party Component exposes Vulnerabilities in NI Vision Software",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
    "assignerShortName": "NI",
    "cveId": "CVE-2024-12740",
    "datePublished": "2025-01-27T17:17:28.308Z",
    "dateReserved": "2024-12-17T20:42:45.704Z",
    "dateUpdated": "2025-01-27T18:52:58.721Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-11948 (GCVE-0-2024-11948)

Vulnerability from cvelistv5 – Published: 2024-12-11 21:55 – Updated: 2024-12-12 15:47
VLAI
Title
GFI Archiver Telerik Web UI Remote Code Execution Vulnerability
Summary
GFI Archiver Telerik Web UI Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Telerik Web UI. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-24041.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
zdi
References
Impacted products
Vendor Product Version
GFI Archiver Affected: 15.6
Create a notification for this product.
Date Public
2024-12-11 17:27
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11948",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-12T15:46:50.107404Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-12T15:47:00.578Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Archiver",
          "vendor": "GFI",
          "versions": [
            {
              "status": "affected",
              "version": "15.6"
            }
          ]
        }
      ],
      "dateAssigned": "2024-11-27T23:38:31.799Z",
      "datePublic": "2024-12-11T17:27:20.803Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GFI Archiver Telerik Web UI Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Telerik Web UI. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-24041."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-11T21:55:03.698Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-24-1671",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1671/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)"
      },
      "title": "GFI Archiver Telerik Web UI Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2024-11948",
    "datePublished": "2024-12-11T21:55:03.698Z",
    "dateReserved": "2024-11-27T23:38:31.773Z",
    "dateUpdated": "2024-12-12T15:47:00.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6121 (GCVE-0-2024-6121)

Vulnerability from cvelistv5 – Published: 2024-07-22 19:46 – Updated: 2024-08-01 21:33
VLAI
Title
NI SystemLink Server Ships Out of Date Redis Version
Summary
An out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
NI
Impacted products
Vendor Product Version
NI SystemLink Server Affected: 0 , ≤ 24.1 (semver)
Create a notification for this product.
NI FlexLogger Affected: 0 , ≤ 23.2 (semver)
Create a notification for this product.
Credits
06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6121",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T16:55:03.521839Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T16:55:16.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:33:05.149Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "SystemLink Server",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "24.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "FlexLogger",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "23.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834.  This affects NI SystemLink Server 2024 Q1 and prior versions.  It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service. \u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "An out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834.  This affects NI SystemLink Server 2024 Q1 and prior versions.  It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-22T19:46:11.685Z",
        "orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
        "shortName": "NI"
      },
      "references": [
        {
          "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "NI SystemLink Server Ships Out of Date Redis Version",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
    "assignerShortName": "NI",
    "cveId": "CVE-2024-6121",
    "datePublished": "2024-07-22T19:46:11.685Z",
    "dateReserved": "2024-06-18T11:41:52.912Z",
    "dateUpdated": "2024-08-01T21:33:05.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-5246 (GCVE-0-2024-5246)

Vulnerability from cvelistv5 – Published: 2024-05-23 22:07 – Updated: 2024-08-01 21:03
VLAI
Title
NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability
Summary
NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Apache Tomcat. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22868.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
zdi
References
Impacted products
Vendor Product Version
NETGEAR ProSAFE Network Management System Affected: 1.7.0.34 x64
Create a notification for this product.
netgear prosafe_network_management_system Affected: 1.7.0.34 x64
    cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-05-22 23:32
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "prosafe_network_management_system",
            "vendor": "netgear",
            "versions": [
              {
                "status": "affected",
                "version": "1.7.0.34 x64"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-5246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-24T19:21:20.249999Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:02:38.927Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:03:11.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ZDI-24-497",
            "tags": [
              "x_research-advisory",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-497/"
          },
          {
            "name": "vendor-provided URL",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "ProSAFE Network Management System",
          "vendor": "NETGEAR",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.0.34 x64"
            }
          ]
        }
      ],
      "dateAssigned": "2024-05-22T21:06:59.239Z",
      "datePublic": "2024-05-22T23:32:36.807Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Apache Tomcat. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22868."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T22:07:15.475Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-24-497",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-497/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004"
        }
      ],
      "source": {
        "lang": "en",
        "value": "191bb9f9c7b3a89d5a586e15299e24417a4aca4d"
      },
      "title": "NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2024-5246",
    "datePublished": "2024-05-23T22:07:15.475Z",
    "dateReserved": "2024-05-22T21:06:59.213Z",
    "dateUpdated": "2024-08-01T21:03:11.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-0552 (GCVE-0-2024-0552)

Vulnerability from cvelistv5 – Published: 2024-01-15 04:03 – Updated: 2024-10-14 06:11
VLAI
Title
Intumit inc. SmartRobot - Remote Code Execution
Summary
Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
Impacted products
Vendor Product Version
Intumit inc. SmartRobot Affected: 0 , ≤ v6.0.0-202012tw (custom)
Create a notification for this product.
intumit smartrobot Affected: v6.0.0-202012tw
    cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2024-01-15 04:30
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "smartrobot",
            "vendor": "intumit",
            "versions": [
              {
                "status": "affected",
                "version": "v6.0.0-202012tw"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-0552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-22T16:20:10.789210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:58:39.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:11:35.273Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-7662-41d50-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SmartRobot",
          "vendor": "Intumit inc.",
          "versions": [
            {
              "lessThanOrEqual": "v6.0.0-202012tw",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2024-01-15T04:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Intumit inc. SmartRobot\u0027s web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server."
            }
          ],
          "value": "Intumit inc. SmartRobot\u0027s web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88 OS Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-14T06:11:21.141Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-7662-41d50-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to latest version"
            }
          ],
          "value": "Update to latest version"
        }
      ],
      "source": {
        "advisory": "TVN-202401001",
        "discovery": "EXTERNAL"
      },
      "title": "Intumit inc. SmartRobot - Remote Code Execution",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2024-0552",
    "datePublished": "2024-01-15T04:03:07.044Z",
    "dateReserved": "2024-01-15T02:07:52.690Z",
    "dateUpdated": "2024-10-14T06:11:21.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Requirements Policy

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.

Mitigation
Requirements

Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].

Mitigation
Architecture and Design Implementation Integration Manufacturing

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."

Mitigation
Operation Patching and Maintenance

Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.

Mitigation
Operation Patching and Maintenance

Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

No CAPEC attack patterns related to this CWE.