Chiencc / asuswrt-gt-ac5300

asuswrt-merlin.ng388.3: 39 vulnerabilities (highest severity is: 9.8) #73

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - asuswrt-merlin.ng388.3

Third party firmware for Asus routers (newer codebase)

Library home page: https://github.com/RMerl/asuswrt-merlin.ng.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Vulnerable Source Files (1)

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (asuswrt-merlin.ng388.3 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-10195 | Critical | 9.8 | asuswrt-merlin.ng388.3 | Direct | 2.1.6 | |
| CVE-2022-26376 | Critical | 9.8 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| WS-2022-0246 | Critical | 9.8 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| CVE-2022-44640 | Critical | 9.8 | detected in multiple dependencies | Direct | heimdal-7.7.1 | |
| CVE-2018-19760 | High | 8.8 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| CVE-2022-32744 | High | 8.8 | asuswrt-merlin.ng388.3 | Direct | samba-4.14.14,samba-4.15.9,samba-4.16.4 | |
| CVE-2022-40320 | High | 8.8 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| CVE-2018-10858 | High | 8.8 | asuswrt-merlin.ng388.3 | Direct | 4.6.16,4.7.9,4.8.4 | |
| CVE-2018-1139 | High | 8.1 | asuswrt-merlin.ng388.3 | Direct | 4.7.9,4.8.4 | |
| CVE-2020-12762 | High | 7.8 | asuswrt-merlin.ng388.3 | Direct | 0.15 | |
| CVE-2016-2118 | High | 7.5 | detected in multiple dependencies | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2021-44758 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | heimdal-7.7.1 | |
| CVE-2022-3116 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| CVE-2020-10704 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | 2020.2 | |
| CVE-2016-10197 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | 2.1.6 | |
| CVE-2022-41916 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | heimdal-7.7.1 | |
| CVE-2016-4425 | High | 7.5 | detected in multiple dependencies | Direct | v2.8 | |
| CVE-2022-45142 | High | 7.5 | asuswrt-merlin.ng388.3 | Direct | N/A | |
| CVE-2016-2113 | High | 7.4 | detected in multiple dependencies | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2019-12098 | High | 7.4 | detected in multiple dependencies | Direct | 7.6.0 | |
| CVE-2017-12150 | High | 7.4 | detected in multiple dependencies | Direct | 4.4.16,4.5.14,4.6.8 | |
| CVE-2010-3069 | High | 7.3 | asuswrt-merlin.ng388.3 | Direct | 3.5.5 | |
| CVE-2022-37967 | High | 7.2 | asuswrt-merlin.ng388.3 | Direct | samba-4.17.4 | |
| CVE-2018-14629 | Medium | 6.5 | asuswrt-merlin.ng388.3 | Direct | 4.7.12,4.8.7,4.9.3 | |
| CVE-2016-2125 | Medium | 6.5 | asuswrt-merlin.ng388.3 | Direct | samba-4.5.3 | |
| CVE-2015-7560 | Medium | 6.5 | detected in multiple dependencies | Direct | 4.1.23,4.2.9,4.3.6,4.4.0rc4 | |
| WS-2017-3802 | Medium | 6.5 | asuswrt-merlin.ng388.3 | Direct | release-2.1.6-beta | |
| CVE-2016-2111 | Medium | 6.3 | detected in multiple dependencies | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2016-2110 | Medium | 5.9 | detected in multiple dependencies | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2016-2112 | Medium | 5.9 | asuswrt-merlin.ng388.3 | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2022-22707 | Medium | 5.9 | asuswrt-merlin.ng388.3 | Direct | lighttpd - 1.4.53-4+deb10u2,1.4.59-1+deb11u1,1.4.64-1 | |
| CVE-2016-2114 | Medium | 5.9 | detected in multiple dependencies | Direct | 4.4.2,4.3.8,4.2.11 | |
| CVE-2016-2115 | Medium | 5.9 | detected in multiple dependencies | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2015-5370 | Medium | 5.9 | asuswrt-merlin.ng388.3 | Direct | 4.2.11,4.3.8,4.4.2 | |
| CVE-2013-4124 | Medium | 5.3 | asuswrt-merlin.ng388.3 | Direct | 3.5.22,3.6.17,4.0.8 | |
| CVE-2023-0458 | Medium | 4.7 | asuswrt-merlin.ng388.3 | Direct | v4.14.304,v4.19.271,v5.4.230,v5.10.165,v5.15.90,v6.1.8,v6.2-rc5 | |
| CVE-2021-44141 | Medium | 4.3 | asuswrt-merlin.ng388.3 | Direct | samba-4.15.5 | |
| CVE-2012-6150 | Medium | 4.2 | asuswrt-merlin.ng388.3 | Direct | 3.6 | |
| CVE-2015-3310 | Low | 3.7 | asuswrt-merlin.ng388.3 | Direct | ppp - 2.4.6-3.1,2.4.6-3.1,2.4.6-3.1,2.4.6-3.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (29 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2016-10195

### Vulnerable Library - asuswrt-merlin.ng388.3

Third party firmware for Asus routers (newer codebase)

Library home page: https://github.com/RMerl/asuswrt-merlin.ng.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

### Vulnerability Details

The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.

Publish Date: 2017-03-15

URL: CVE-2016-10195

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6797

Release Date: 2017-03-15

Fix Resolution: 2.1.6

CVE-2022-26376

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

Publish Date: 2022-08-05

URL: CVE-2022-26376

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

WS-2022-0246

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (3)

/release/src/router/pppd/pppdump/pppdump.c /release/src/router/pppd/pppdump/pppdump.c /release/src/router/pppd/pppdump/pppdump.c

### Vulnerability Details

A global overflow vulnerability was discovered in pppdump 2.4.9. Specifically, when the -p flag is given for enabling the pppmode on the pppdump command, a maliciously crafted pppdump file can trigger a global overflow, which may lead to a Remote Code Execution (RCE) on the victim side by running maliciously crafted ppp packets with the pppdump utility.

Publish Date: 2022-06-28

URL: WS-2022-0246

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2022-44640

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

Publish Date: 2022-12-25

URL: CVE-2022-44640

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/heimdal/heimdal/security/advisories/GHSA-88pm-hfmq-7vv4

Release Date: 2022-11-03

Fix Resolution: heimdal-7.7.1

CVE-2018-19760

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (2)

/release/src/router/libconfuse/src/confuse.c /release/src/router/libconfuse/src/confuse.c

### Vulnerability Details

cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak.

Publish Date: 2018-11-30

URL: CVE-2018-19760

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2022-32744

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover.

Publish Date: 2022-08-25

URL: CVE-2022-32744

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.samba.org/samba/security/CVE-2022-32744.html

Release Date: 2022-06-10

Fix Resolution: samba-4.14.14,samba-4.15.9,samba-4.16.4

CVE-2022-40320

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (2)

/release/src/router/libconfuse/src/confuse.c /release/src/router/libconfuse/src/confuse.c

### Vulnerability Details

cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.

Publish Date: 2022-09-09

URL: CVE-2022-40320

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

CVE-2018-10858

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (3)

/release/src/router/samba-3.6.x_opwrt/source/source3/libsmb/libsmb_dir.c /release/src/router/samba-3.6.x_opwrt/source/source3/libsmb/libsmb_dir.c /release/src/router/samba-3.6.x_opwrt/source/source3/libsmb/libsmb_dir.c

### Vulnerability Details

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Publish Date: 2018-08-22

URL: CVE-2018-10858

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.samba.org/samba/security/CVE-2018-10858.html

Release Date: 2018-08-22

Fix Resolution: 4.6.16,4.7.9,4.8.4

CVE-2018-1139

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.

Publish Date: 2018-08-22

URL: CVE-2018-1139

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.samba.org/samba/security/CVE-2018-1139.html

Release Date: 2018-08-22

Fix Resolution: 4.7.9,4.8.4

CVE-2020-12762

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (3)

/release/src/router/json-c/printbuf.c /release/src/router/json-c/printbuf.c /release/src/router/json-c/printbuf.c

### Vulnerability Details

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

Publish Date: 2020-05-09

URL: CVE-2020-12762

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2020-05-09

Fix Resolution: 0.15

CVE-2016-2118

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

Publish Date: 2016-04-12

URL: CVE-2016-2118

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2118

Release Date: 2016-04-12

Fix Resolution: 4.2.11,4.3.8,4.4.2

CVE-2021-44758

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.

Publish Date: 2022-12-26

URL: CVE-2021-44758

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-44758

Release Date: 2021-12-09

Fix Resolution: heimdal-7.7.1

CVE-2022-3116

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.

Publish Date: 2023-03-27

URL: CVE-2022-3116

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

CVE-2020-10704

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability. This issue affects all samba versions before 4.10.15, before 4.11.8 and before 4.12.2.

Publish Date: 2020-05-06

URL: CVE-2020-10704

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12704

Release Date: 2020-05-06

Fix Resolution: 2020.2

CVE-2016-10197

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.

Publish Date: 2017-03-15

URL: CVE-2016-10197

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6797

Release Date: 2017-03-15

Fix Resolution: 2.1.6

CVE-2022-41916

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.

Publish Date: 2022-11-15

URL: CVE-2022-41916

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx

Release Date: 2022-11-15

Fix Resolution: heimdal-7.7.1

CVE-2016-4425

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data.

Publish Date: 2016-05-17

URL: CVE-2016-4425

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4425

Release Date: 2016-05-17

Fix Resolution: v2.8

CVE-2022-45142

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

Publish Date: 2023-03-06

URL: CVE-2022-45142

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

CVE-2016-2113

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.

Publish Date: 2016-04-25

URL: CVE-2016-2113

### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.alpinelinux.org//issues/5494

Release Date: 2016-04-25

Fix Resolution: 4.2.11,4.3.8,4.4.2

CVE-2019-12098

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Publish Date: 2019-05-15

URL: CVE-2019-12098

### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/10551

Release Date: 2019-05-15

Fix Resolution: 7.6.0

CVE-2017-12150

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.

Publish Date: 2018-07-26

URL: CVE-2017-12150

### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://www.samba.org/samba/security/CVE-2017-12150.html

Release Date: 2018-07-26

Fix Resolution: 4.4.16,4.5.14,4.6.8

CVE-2010-3069

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share.

Publish Date: 2010-09-15

URL: CVE-2010-3069

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069

Release Date: 2010-09-15

Fix Resolution: 3.5.5

CVE-2022-37967

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

Windows Kerberos Elevation of Privilege Vulnerability

Publish Date: 2022-11-09

URL: CVE-2022-37967

### CVSS 3 Score Details (7.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2022-11-09

Fix Resolution: samba-4.17.4

CVE-2018-14629

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (1)

### Vulnerability Details

A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.

Publish Date: 2018-11-28

URL: CVE-2018-14629

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.alpinelinux.org//issues/9705

Release Date: 2018-11-28

Fix Resolution: 4.7.12,4.8.7,4.9.3

CVE-2016-2125

### Vulnerable Library - asuswrt-merlin.ng388.3

### Vulnerable Source Files (2)

/release/src/router/samba-3.5.8/source4/auth/gensec/gensec_gssapi.c /release/src/router/samba-3.5.8/source4/auth/gensec/gensec_gssapi.c

### Vulnerability Details

It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.

Publish Date: 2018-10-31

URL: CVE-2016-2125

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://www.samba.org/samba/security/CVE-2016-2125.html

Release Date: 2018-10-31

Fix Resolution: samba-4.5.3

CVE-2015-7560

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content.

Publish Date: 2016-03-13

URL: CVE-2015-7560

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7560

Release Date: 2016-03-13

Fix Resolution: 4.1.23,4.2.9,4.3.6,4.4.0rc4

WS-2017-3802

### Vulnerable Library - asuswrt-merlin.ng388.3

Third party firmware for Asus routers (newer codebase)

Library home page: https://github.com/RMerl/asuswrt-merlin.ng.git

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

### Vulnerability Details

libevent versions release-1.4.0-beta to release-2.1.5-beta are vulnerable to a stack overread in evdns.c.

Publish Date: 2017-04-24

URL: WS-2017-3802

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/112632

Release Date: 2017-04-24

Fix Resolution: release-2.1.6-beta

CVE-2016-2111

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005.

Publish Date: 2016-04-25

URL: CVE-2016-2111

### CVSS 3 Score Details (6.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.alpinelinux.org//issues/5494

Release Date: 2016-04-25

Fix Resolution: 4.2.11,4.3.8,4.4.2

CVE-2016-2110

### Vulnerable Libraries - asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3, asuswrt-merlin.ng388.3

### Vulnerability Details

The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings, as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security.

Publish Date: 2016-04-25

URL: CVE-2016-2110

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.alpinelinux.org//issues/5494

Release Date: 2016-04-25

Fix Resolution: 4.2.11,4.3.8,4.4.2

mend-for-github-com[bot] commented 11 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 11 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
