VDE-2023-009
Vulnerability from csaf_adstecindustrialitgmbh - Published: 2023-05-08 13:37 - Updated: 2023-05-08 13:37
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
CWE-404 - Improper Resource Shutdown or Release
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CWE-908 - Use of Uninitialized Resource
Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "description",
"text": "The affected products integrate the vulnerable libraries in a way so that the vulnerabilities can\u0027t be exploited remotely without prior authentication.",
"title": "Impact"
},
{
"category": "description",
"text": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@ads-tec.de",
"name": "ads-tec Industrial IT GmbH",
"namespace": "https://www.ads-tec-iit.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2023-009: ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 - HTML",
"url": "https://certvde.com/en/advisories/VDE-2023-009/"
},
{
"category": "self",
"summary": "VDE-2023-009: ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 - CSAF",
"url": "https://ads-tec-iit.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-009.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.ads-tec-iit.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for ads-tec Industrial IT GmbH",
"url": "https://certvde.com/en/advisories/vendor/ads-tec-iit/"
}
],
"title": "ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000",
"tracking": {
"aliases": [
"VDE-2023-009"
],
"current_release_date": "2023-05-08T13:37:00.000Z",
"generator": {
"date": "2025-04-14T08:26:31.923Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2023-009",
"initial_release_date": "2023-05-08T13:37:00.000Z",
"revision_history": [
{
"date": "2023-05-08T13:37:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IRF1000",
"product": {
"name": "IRF1000",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"DVG-IRF1401, DVG-IRF1421"
]
}
}
},
{
"category": "product_name",
"name": "IRF2000",
"product": {
"name": "IRF2000",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"DVG-IRF2200, DVG-IRF2100, DVG-IRF2220, DVG-IRF2621, DVG-IRF2601"
]
}
}
},
{
"category": "product_name",
"name": "IRF3000",
"product": {
"name": "IRF3000",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"DVG-IRF3401, DVG-IRF3421, DVG-IRF3801. DVG-IRF3821"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.5.0",
"product": {
"name": "Firmware \u003c1.5.0",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version_range",
"name": "\u003c4.4.0",
"product": {
"name": "Firmware \u003c4.4.0",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version_range",
"name": "\u003c1.2.0",
"product": {
"name": "Firmware \u003c1.2.0",
"product_id": "CSAFPID-21003"
}
},
{
"category": "product_version",
"name": "1.5.0",
"product": {
"name": "Firmware 1.5.0",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version",
"name": "4.4.0",
"product": {
"name": "Firmware 4.4.0",
"product_id": "CSAFPID-22002"
}
},
{
"category": "product_version",
"name": "1.2.0",
"product": {
"name": "Firmware 1.2.0",
"product_id": "CSAFPID-22003"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "ads-tec Industrial IT"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.5.0 installed on IRF1000",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c4.4.0 installed on IRF2000",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.0 installed on IRF3000",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.5.0 installed on IRF1000",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 4.4.0 installed on IRF2000",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.0 installed on IRF3000",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22003",
"relates_to_product_reference": "CSAFPID-11003"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-9425",
"notes": [
{
"category": "description",
"text": "Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2014-9425"
},
{
"cve": "CVE-2014-8142",
"notes": [
{
"category": "description",
"text": "Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2014-8142"
},
{
"cve": "CVE-2015-2787",
"notes": [
{
"category": "description",
"text": "Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2015-2787"
},
{
"cve": "CVE-2015-2348",
"notes": [
{
"category": "description",
"text": "The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \\x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2015-2348"
},
{
"cve": "CVE-2014-3669",
"notes": [
{
"category": "description",
"text": "Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2014-3669"
},
{
"cve": "CVE-2015-0231",
"notes": [
{
"category": "description",
"text": "Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2015-0231"
},
{
"cve": "CVE-2015-3415",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "description",
"text": "The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0\u0026O\u003eO) in a CREATE TABLE statement.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2015-3415"
},
{
"cve": "CVE-2015-3414",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE\"\"\"\"\"\"\"\" at the end of a SELECT statement.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"title": "CVE-2015-3414"
},
{
"cve": "CVE-2015-8876",
"notes": [
{
"category": "description",
"text": "Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2015-8876"
},
{
"cve": "CVE-2015-6835",
"notes": [
{
"category": "description",
"text": "The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2015-6835"
},
{
"cve": "CVE-2015-4602",
"notes": [
{
"category": "description",
"text": "The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a \"type confusion\" issue.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2015-4602"
},
{
"cve": "CVE-2016-7411",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2016-7411"
},
{
"cve": "CVE-2016-7124",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "description",
"text": "ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2016-7124"
},
{
"cve": "CVE-2016-9138",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2016-9138"
},
{
"cve": "CVE-2016-10161",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately. It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2016-10161"
},
{
"cve": "CVE-2017-8923",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script\u0027s use of .= with a long string.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately. It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2017-8923"
},
{
"cve": "CVE-2017-12933",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately. It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2017-12933"
},
{
"cve": "CVE-2017-11142",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "description",
"text": "In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately. It is further recommended to use best practice password policies.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Update firmware to the latest version available.\u00a0The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2017-11142"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.