cvelistv5 - cve-2016-2402

cve-2016-2402

Vulnerability from cvelistv5

Published

2017-01-30 22:00

Modified

2024-08-05 23:24

Severity ?

Summary

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

References

URL	Tags
cve@mitre.org	http://www.openwall.com/lists/oss-security/2016/02/10/8	Mailing List, Third Party Advisory
cve@mitre.org	http://www.openwall.com/lists/oss-security/2016/02/18/7	Mailing List, Third Party Advisory
cve@mitre.org	https://koz.io/pinning-cve-2016-2402/	Technical Description, Third Party Advisory
cve@mitre.org	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
cve@mitre.org	https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/10/8	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/18/7	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://koz.io/pinning-cve-2016-2402/	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T23:24:49.347Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://koz.io/pinning-cve-2016-2402/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
               },
               {
                  name: "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
               },
               {
                  name: "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
               },
               {
                  name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2016-02-10T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-12-16T05:06:12",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://koz.io/pinning-cve-2016-2402/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
            },
            {
               name: "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
            },
            {
               name: "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
            },
            {
               name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2016-2402",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://koz.io/pinning-cve-2016-2402/",
                     refsource: "MISC",
                     url: "https://koz.io/pinning-cve-2016-2402/",
                  },
                  {
                     name: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
                     refsource: "CONFIRM",
                     url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
                  },
                  {
                     name: "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
                  },
                  {
                     name: "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
                  },
                  {
                     name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
                     refsource: "MLIST",
                     url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2016-2402",
      datePublished: "2017-01-30T22:00:00",
      dateReserved: "2016-02-17T00:00:00",
      dateUpdated: "2024-08-05T23:24:49.347Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2016-2402\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-01-30T22:59:00.390\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.\"},{\"lang\":\"es\",\"value\":\"OkHttp antes de 2.7.4 y 3.x antes de 3.1.2 permite que los atacantes man-in-the-middle eludan la fijación de certificados enviando una cadena de certificados con un CA no fijado confiable y el certificado fijado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.7.3\",\"matchCriteriaId\":\"770E740C-33B8-4A51-B55F-B240F33960BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp3:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4AD815F-E998-4C8D-B64C-B5C6E0750D3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp3:3.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6367344-FB92-46BE-B460-423573309C88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp3:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37FD7BC3-0E9A-4BFE-9058-8C55A495EF2C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp3:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA32D418-4F2A-4CE8-9AE0-5168B7DDF7A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squareup:okhttp3:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA482A17-1951-4725-90C5-CCD39CD4A220\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/10/8\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/18/7\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://koz.io/pinning-cve-2016-2402/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/10/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/18/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://koz.io/pinning-cve-2016-2402/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
   },
}

ghsa-4hc2-jh7r-wrc3

Vulnerability from github

Published

2022-05-13 01:11

Modified

2022-11-15 17:53

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Improper Certificate Validation in OkHttp

Details

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         database_specific: {
            last_known_affected_version_range: "<= 2.7.3",
         },
         package: {
            ecosystem: "Maven",
            name: "com.squareup.okhttp3:okhttp",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "2.7.4",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         database_specific: {
            last_known_affected_version_range: "<= 3.1.1",
         },
         package: {
            ecosystem: "Maven",
            name: "com.squareup.okhttp3:okhttp",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "3.0.0",
                  },
                  {
                     fixed: "3.1.2",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2016-2402",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-295",
      ],
      github_reviewed: true,
      github_reviewed_at: "2022-07-06T19:58:11Z",
      nvd_published_at: "2017-01-30T22:59:00Z",
      severity: "MODERATE",
   },
   details: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
   id: "GHSA-4hc2-jh7r-wrc3",
   modified: "2022-11-15T17:53:00Z",
   published: "2022-05-13T01:11:51Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2402",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/square/okhttp",
      },
      {
         type: "WEB",
         url: "https://koz.io/pinning-cve-2016-2402",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E",
      },
      {
         type: "WEB",
         url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability",
      },
      {
         type: "WEB",
         url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
      },
      {
         type: "WEB",
         url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
         type: "CVSS_V3",
      },
   ],
   summary: "Improper Certificate Validation in OkHttp",
}

gsd-2016-2402

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2016-2402

Aliases

CVE-2016-2402

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2016-2402",
      description: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
      id: "GSD-2016-2402",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2016-2402",
         ],
         details: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
         id: "GSD-2016-2402",
         modified: "2023-12-13T01:21:20.031784Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "cve@mitre.org",
            ID: "CVE-2016-2402",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "n/a",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "n/a",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://koz.io/pinning-cve-2016-2402/",
                  refsource: "MISC",
                  url: "https://koz.io/pinning-cve-2016-2402/",
               },
               {
                  name: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
                  refsource: "CONFIRM",
                  url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
               },
               {
                  name: "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass",
                  refsource: "MLIST",
                  url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
               },
               {
                  name: "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass",
                  refsource: "MLIST",
                  url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
               },
               {
                  name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
                  refsource: "MLIST",
                  url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E",
               },
            ],
         },
      },
      "gitlab.com": {
         advisories: [
            {
               affected_range: "(,2.7.4),(3.0,3.1.2)",
               affected_versions: "All versions before 2.7.4, all versions after 3.0 before 3.1.2",
               cvss_v2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               cvss_v3: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-295",
                  "CWE-937",
               ],
               date: "2021-01-01",
               description: "OkHttp allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
               fixed_versions: [
                  "2.7.4",
                  "3.1.2",
               ],
               identifier: "CVE-2016-2402",
               identifiers: [
                  "CVE-2016-2402",
               ],
               not_impacted: "All versions starting from 2.7.4 up to 3.0, all versions starting from 3.1.2",
               package_slug: "maven/com.squareup.okhttp/okhttp",
               pubdate: "2017-01-30",
               solution: "Upgrade to versions 2.7.4, 3.1.2 or above.",
               title: "Improper Certificate Validation",
               urls: [
                  "https://nvd.nist.gov/vuln/detail/CVE-2016-2402",
               ],
               uuid: "ccb69bc8-3084-4dcb-8eed-f68d215756e9",
            },
            {
               affected_range: "(,3.1.2)",
               affected_versions: "All versions before 3.1.2",
               cvss_v2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               cvss_v3: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-295",
                  "CWE-937",
               ],
               date: "2021-01-01",
               description: "OkHttp allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
               fixed_versions: [
                  "3.1.2",
               ],
               identifier: "CVE-2016-2402",
               identifiers: [
                  "CVE-2016-2402",
               ],
               not_impacted: "All versions starting from 3.1.2",
               package_slug: "maven/com.squareup.okhttp3/okhttp",
               pubdate: "2017-01-30",
               solution: "Upgrade to version 3.1.2 or above",
               title: "Improper Certificate Validation",
               urls: [
                  "https://nvd.nist.gov/vuln/detail/CVE-2016-2402",
               ],
               uuid: "f8d72f7b-38c8-4063-9940-ae9767d7a63f",
            },
         ],
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp3:3.1.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndIncluding: "2.7.3",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp3:3.0.0:rc1:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp3:3.1.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp3:3.0.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:squareup:okhttp3:3.0.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2016-2402",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-295",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
                     refsource: "CONFIRM",
                     tags: [
                        "Vendor Advisory",
                     ],
                     url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
                  },
                  {
                     name: "https://koz.io/pinning-cve-2016-2402/",
                     refsource: "MISC",
                     tags: [
                        "Technical Description",
                        "Third Party Advisory",
                     ],
                     url: "https://koz.io/pinning-cve-2016-2402/",
                  },
                  {
                     name: "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
                  },
                  {
                     name: "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
                  },
                  {
                     name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list",
                     refsource: "MLIST",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               cvssV2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 8.6,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: false,
            },
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               exploitabilityScore: 2.2,
               impactScore: 3.6,
            },
         },
         lastModifiedDate: "2021-02-01T21:28Z",
         publishedDate: "2017-01-30T22:59Z",
      },
   },
}

wid-sec-w-2022-0770

Vulnerability from csaf_certbund

Published

2020-04-23 22:00

Modified

2024-05-16 22:00

Summary

IBM DB2: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-0770 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-0770 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6198380 vom 2020-04-23",
            url: "https://www.ibm.com/support/pages/node/6198380",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
            url: "https://access.redhat.com/errata/RHSA-2020:2603",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
            url: "https://access.redhat.com/errata/RHSA-2020:4807",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
            url: "https://access.redhat.com/errata/RHSA-2021:3225",
         },
         {
            category: "external",
            summary: "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
            url: "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6605881 vom 2022-07-21",
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/",
         },
         {
            category: "external",
            summary: "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
            url: "https://www.dell.com/support/kbdoc/000221770/dsa-2024-=",
         },
         {
            category: "external",
            summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
            url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7153639 vom 2024-05-17",
            url: "https://www.ibm.com/support/pages/node/7153639",
         },
      ],
      source_lang: "en-US",
      title: "IBM DB2: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-05-16T22:00:00.000+00:00",
         generator: {
            date: "2024-08-15T17:32:05.856+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2022-0770",
         initial_release_date: "2020-04-23T22:00:00.000+00:00",
         revision_history: [
            {
               date: "2020-04-23T22:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2020-06-17T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2020-11-03T23:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-08-19T22:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2022-05-26T22:00:00.000+00:00",
               number: "5",
               summary: "Neue Updates von HITACHI aufgenommen",
            },
            {
               date: "2022-07-20T22:00:00.000+00:00",
               number: "6",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2023-10-03T22:00:00.000+00:00",
               number: "7",
               summary: "Neue Updates von HITACHI aufgenommen",
            },
            {
               date: "2024-02-04T23:00:00.000+00:00",
               number: "8",
               summary: "Neue Updates von Dell aufgenommen",
            },
            {
               date: "2024-05-16T22:00:00.000+00:00",
               number: "9",
               summary: "Neue Updates von IBM aufgenommen",
            },
         ],
         status: "final",
         version: "9",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "EMC Avamar",
                  product: {
                     name: "EMC Avamar",
                     product_id: "T014381",
                     product_identification_helper: {
                        cpe: "cpe:/a:emc:avamar:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "EMC",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Hitachi Ops Center",
                        product: {
                           name: "Hitachi Ops Center",
                           product_id: "T017562",
                           product_identification_helper: {
                              cpe: "cpe:/a:hitachi:ops_center:-",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<Analyzer 10.9.3-00",
                        product: {
                           name: "Hitachi Ops Center <Analyzer 10.9.3-00",
                           product_id: "T030196",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<Viewpoint 10.9.3-00",
                        product: {
                           name: "Hitachi Ops Center <Viewpoint 10.9.3-00",
                           product_id: "T030197",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Ops Center",
               },
            ],
            category: "vendor",
            name: "Hitachi",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "11.1",
                        product: {
                           name: "IBM DB2 11.1",
                           product_id: "342000",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:db2:11.1",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "11.5",
                        product: {
                           name: "IBM DB2 11.5",
                           product_id: "695419",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:db2:11.5",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "DB2",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Red Hat Enterprise Linux",
                  product: {
                     name: "Red Hat Enterprise Linux",
                     product_id: "67646",
                     product_identification_helper: {
                        cpe: "cpe:/o:redhat:enterprise_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2009-0001",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2009-0001",
      },
      {
         cve: "CVE-2014-0114",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-0114",
      },
      {
         cve: "CVE-2014-0193",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-0193",
      },
      {
         cve: "CVE-2014-3488",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-3488",
      },
      {
         cve: "CVE-2015-2156",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2015-2156",
      },
      {
         cve: "CVE-2016-2402",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2016-2402",
      },
      {
         cve: "CVE-2017-12972",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12972",
      },
      {
         cve: "CVE-2017-12973",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12973",
      },
      {
         cve: "CVE-2017-12974",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12974",
      },
      {
         cve: "CVE-2017-18640",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-18640",
      },
      {
         cve: "CVE-2017-3734",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-3734",
      },
      {
         cve: "CVE-2017-5637",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-5637",
      },
      {
         cve: "CVE-2018-10237",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-10237",
      },
      {
         cve: "CVE-2018-11771",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-11771",
      },
      {
         cve: "CVE-2018-8009",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-8009",
      },
      {
         cve: "CVE-2018-8012",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-8012",
      },
      {
         cve: "CVE-2019-0201",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-0201",
      },
      {
         cve: "CVE-2019-10086",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10086",
      },
      {
         cve: "CVE-2019-10172",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10172",
      },
      {
         cve: "CVE-2019-10202",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10202",
      },
      {
         cve: "CVE-2019-12402",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-12402",
      },
      {
         cve: "CVE-2019-16869",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-16869",
      },
      {
         cve: "CVE-2019-17195",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-17195",
      },
      {
         cve: "CVE-2019-17571",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-17571",
      },
      {
         cve: "CVE-2019-9512",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9512",
      },
      {
         cve: "CVE-2019-9514",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9514",
      },
      {
         cve: "CVE-2019-9515",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9515",
      },
      {
         cve: "CVE-2019-9518",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9518",
      },
   ],
}

WID-SEC-W-2022-0770

Vulnerability from csaf_certbund

Published

2020-04-23 22:00

Modified

2024-05-16 22:00

Summary

IBM DB2: Mehrere Schwachstellen

Notes

Produktbeschreibung

IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-0770 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-0770 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6198380 vom 2020-04-23",
            url: "https://www.ibm.com/support/pages/node/6198380",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
            url: "https://access.redhat.com/errata/RHSA-2020:2603",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
            url: "https://access.redhat.com/errata/RHSA-2020:4807",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
            url: "https://access.redhat.com/errata/RHSA-2021:3225",
         },
         {
            category: "external",
            summary: "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
            url: "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6605881 vom 2022-07-21",
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/",
         },
         {
            category: "external",
            summary: "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
            url: "https://www.dell.com/support/kbdoc/000221770/dsa-2024-=",
         },
         {
            category: "external",
            summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
            url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7153639 vom 2024-05-17",
            url: "https://www.ibm.com/support/pages/node/7153639",
         },
      ],
      source_lang: "en-US",
      title: "IBM DB2: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-05-16T22:00:00.000+00:00",
         generator: {
            date: "2024-08-15T17:32:05.856+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2022-0770",
         initial_release_date: "2020-04-23T22:00:00.000+00:00",
         revision_history: [
            {
               date: "2020-04-23T22:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2020-06-17T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2020-11-03T23:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-08-19T22:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2022-05-26T22:00:00.000+00:00",
               number: "5",
               summary: "Neue Updates von HITACHI aufgenommen",
            },
            {
               date: "2022-07-20T22:00:00.000+00:00",
               number: "6",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2023-10-03T22:00:00.000+00:00",
               number: "7",
               summary: "Neue Updates von HITACHI aufgenommen",
            },
            {
               date: "2024-02-04T23:00:00.000+00:00",
               number: "8",
               summary: "Neue Updates von Dell aufgenommen",
            },
            {
               date: "2024-05-16T22:00:00.000+00:00",
               number: "9",
               summary: "Neue Updates von IBM aufgenommen",
            },
         ],
         status: "final",
         version: "9",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "EMC Avamar",
                  product: {
                     name: "EMC Avamar",
                     product_id: "T014381",
                     product_identification_helper: {
                        cpe: "cpe:/a:emc:avamar:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "EMC",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Hitachi Ops Center",
                        product: {
                           name: "Hitachi Ops Center",
                           product_id: "T017562",
                           product_identification_helper: {
                              cpe: "cpe:/a:hitachi:ops_center:-",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<Analyzer 10.9.3-00",
                        product: {
                           name: "Hitachi Ops Center <Analyzer 10.9.3-00",
                           product_id: "T030196",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<Viewpoint 10.9.3-00",
                        product: {
                           name: "Hitachi Ops Center <Viewpoint 10.9.3-00",
                           product_id: "T030197",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Ops Center",
               },
            ],
            category: "vendor",
            name: "Hitachi",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "11.1",
                        product: {
                           name: "IBM DB2 11.1",
                           product_id: "342000",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:db2:11.1",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "11.5",
                        product: {
                           name: "IBM DB2 11.5",
                           product_id: "695419",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:db2:11.5",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "DB2",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Red Hat Enterprise Linux",
                  product: {
                     name: "Red Hat Enterprise Linux",
                     product_id: "67646",
                     product_identification_helper: {
                        cpe: "cpe:/o:redhat:enterprise_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2009-0001",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2009-0001",
      },
      {
         cve: "CVE-2014-0114",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-0114",
      },
      {
         cve: "CVE-2014-0193",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-0193",
      },
      {
         cve: "CVE-2014-3488",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2014-3488",
      },
      {
         cve: "CVE-2015-2156",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2015-2156",
      },
      {
         cve: "CVE-2016-2402",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2016-2402",
      },
      {
         cve: "CVE-2017-12972",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12972",
      },
      {
         cve: "CVE-2017-12973",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12973",
      },
      {
         cve: "CVE-2017-12974",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-12974",
      },
      {
         cve: "CVE-2017-18640",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-18640",
      },
      {
         cve: "CVE-2017-3734",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-3734",
      },
      {
         cve: "CVE-2017-5637",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2017-5637",
      },
      {
         cve: "CVE-2018-10237",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-10237",
      },
      {
         cve: "CVE-2018-11771",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-11771",
      },
      {
         cve: "CVE-2018-8009",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-8009",
      },
      {
         cve: "CVE-2018-8012",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2018-8012",
      },
      {
         cve: "CVE-2019-0201",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-0201",
      },
      {
         cve: "CVE-2019-10086",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10086",
      },
      {
         cve: "CVE-2019-10172",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10172",
      },
      {
         cve: "CVE-2019-10202",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-10202",
      },
      {
         cve: "CVE-2019-12402",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-12402",
      },
      {
         cve: "CVE-2019-16869",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-16869",
      },
      {
         cve: "CVE-2019-17195",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-17195",
      },
      {
         cve: "CVE-2019-17571",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-17571",
      },
      {
         cve: "CVE-2019-9512",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9512",
      },
      {
         cve: "CVE-2019-9514",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9514",
      },
      {
         cve: "CVE-2019-9515",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9515",
      },
      {
         cve: "CVE-2019-9518",
         notes: [
            {
               category: "description",
               text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.",
            },
         ],
         product_status: {
            known_affected: [
               "T014381",
               "342000",
               "67646",
               "695419",
               "T030196",
               "T017562",
               "T030197",
            ],
         },
         release_date: "2020-04-23T22:00:00.000+00:00",
         title: "CVE-2019-9518",
      },
   ],
}

fkie_cve-2016-2402

Vulnerability from fkie_nvd

Published

2017-01-30 22:59

Modified

2025-04-20 01:37

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
cve@mitre.org	http://www.openwall.com/lists/oss-security/2016/02/10/8	Mailing List, Third Party Advisory
cve@mitre.org	http://www.openwall.com/lists/oss-security/2016/02/18/7	Mailing List, Third Party Advisory
cve@mitre.org	https://koz.io/pinning-cve-2016-2402/	Technical Description, Third Party Advisory
cve@mitre.org	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
cve@mitre.org	https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/10/8	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/18/7	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://koz.io/pinning-cve-2016-2402/	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/	Vendor Advisory

Impacted products

Vendor	Product	Version
squareup	okhttp	*
squareup	okhttp3	3.0.0
squareup	okhttp3	3.0.0
squareup	okhttp3	3.0.1
squareup	okhttp3	3.1.0
squareup	okhttp3	3.1.1

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "770E740C-33B8-4A51-B55F-B240F33960BD",
                     versionEndIncluding: "2.7.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp3:3.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "A4AD815F-E998-4C8D-B64C-B5C6E0750D3D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp3:3.0.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "D6367344-FB92-46BE-B460-423573309C88",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp3:3.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "37FD7BC3-0E9A-4BFE-9058-8C55A495EF2C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp3:3.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FA32D418-4F2A-4CE8-9AE0-5168B7DDF7A8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:squareup:okhttp3:3.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "AA482A17-1951-4725-90C5-CCD39CD4A220",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.",
      },
      {
         lang: "es",
         value: "OkHttp antes de 2.7.4 y 3.x antes de 3.1.2 permite que los atacantes man-in-the-middle eludan la fijación de certificados enviando una cadena de certificados con un CA no fijado confiable y el certificado fijado.",
      },
   ],
   id: "CVE-2016-2402",
   lastModified: "2025-04-20T01:37:25.860",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2017-01-30T22:59:00.390",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "https://koz.io/pinning-cve-2016-2402/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/02/10/8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2016/02/18/7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Technical Description",
            "Third Party Advisory",
         ],
         url: "https://koz.io/pinning-cve-2016-2402/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-295",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2016-2402

Vulnerability from cvelistv5

ghsa-4hc2-jh7r-wrc3

Vulnerability from github

gsd-2016-2402

Vulnerability from gsd

wid-sec-w-2022-0770

Vulnerability from csaf_certbund

WID-SEC-W-2022-0770

Vulnerability from csaf_certbund

fkie_cve-2016-2402

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature