| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1201 |
CVE-2014-3663 |
264 |
|
Bypass |
2014-10-16 |
2016-06-15 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors. |
|
1202 |
CVE-2014-3662 |
200 |
|
+Info |
2014-10-16 |
2016-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts. |
|
1203 |
CVE-2014-3661 |
399 |
|
DoS |
2014-10-16 |
2016-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake. |
|
1204 |
CVE-2014-3657 |
399 |
|
DoS |
2014-10-06 |
2014-11-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command. |
|
1205 |
CVE-2014-3642 |
264 |
|
+Priv |
2014-10-06 |
2014-10-07 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." |
|
1206 |
CVE-2014-3641 |
200 |
|
+Info |
2014-10-08 |
2014-11-20 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. |
|
1207 |
CVE-2014-3636 |
399 |
|
DoS |
2014-10-25 |
2018-10-30 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. |
|
1208 |
CVE-2014-3633 |
119 |
|
DoS Overflow |
2014-10-06 |
2015-01-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read. |
|
1209 |
CVE-2014-3632 |
264 |
|
+Priv |
2014-10-07 |
2018-10-22 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression. |
|
1210 |
CVE-2014-3623 |
287 |
|
|
2014-10-30 |
2021-06-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. |
|
1211 |
CVE-2014-3621 |
200 |
|
+Info |
2014-10-02 |
2020-06-02 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. |
|
1212 |
CVE-2014-3608 |
399 |
|
DoS Bypass |
2014-10-06 |
2018-11-16 |
2.7 |
None |
Local Network |
Low |
??? |
None |
None |
Partial |
|
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. |
|
1213 |
CVE-2014-3604 |
310 |
|
|
2014-10-25 |
2018-01-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
1214 |
CVE-2014-3593 |
94 |
|
Exec Code |
2014-10-15 |
2014-10-22 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. |
|
1215 |
CVE-2014-3584 |
399 |
|
DoS |
2014-10-30 |
2021-06-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. |
|
1216 |
CVE-2014-3581 |
399 |
|
DoS |
2014-10-10 |
2021-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. |
|
1217 |
CVE-2014-3573 |
20 |
|
|
2014-10-18 |
2014-10-23 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related to an XML External Entity (XXE) issue. |
|
1218 |
CVE-2014-3568 |
310 |
|
Bypass |
2014-10-19 |
2017-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. |
|
1219 |
CVE-2014-3567 |
20 |
|
DoS |
2014-10-19 |
2017-11-15 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. |
|
1220 |
CVE-2014-3566 |
310 |
|
|
2014-10-15 |
2021-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. |
|
1221 |
CVE-2014-3565 |
399 |
|
DoS |
2014-10-07 |
2016-12-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message. |
|
1222 |
CVE-2014-3564 |
119 |
|
DoS Exec Code Overflow |
2014-10-20 |
2016-10-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order." |
|
1223 |
CVE-2014-3521 |
264 |
|
Bypass |
2014-10-06 |
2014-10-07 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
The component in (1) /luci/homebase and (2) /luci/cluster menu in Red Hat Conga 0.12.2 allows remote authenticated users to bypass intended access restrictions via a crafted URL. |
|
1224 |
CVE-2014-3520 |
863 |
|
|
2014-10-26 |
2020-06-02 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. |
|
1225 |
CVE-2014-3513 |
20 |
|
DoS |
2014-10-19 |
2017-01-03 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. |
|
1226 |
CVE-2014-3475 |
79 |
|
XSS |
2014-10-31 |
2021-03-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578. |
|
1227 |
CVE-2014-3474 |
79 |
|
XSS |
2014-10-31 |
2021-03-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. |
|
1228 |
CVE-2014-3473 |
79 |
|
XSS |
2014-10-31 |
2021-03-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template. |
|
1229 |
CVE-2014-3446 |
89 |
|
Exec Code Sql |
2014-10-30 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter. |
|
1230 |
CVE-2014-3409 |
399 |
|
DoS |
2014-10-25 |
2017-08-29 |
6.1 |
None |
Local Network |
Low |
Not required |
None |
None |
Complete |
|
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406. |
|
1231 |
CVE-2014-3408 |
79 |
|
XSS |
2014-10-19 |
2015-09-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Prime Optical 10 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq80763. |
|
1232 |
CVE-2014-3406 |
362 |
|
DoS |
2014-10-19 |
2014-10-22 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Race condition in the IP logging feature in Cisco Intrusion Prevention System (IPS) Software 7.1(7)E4 and earlier allows remote attackers to cause a denial of service (device reload) via crafted IP traffic that matches a problematic rule, aka Bug ID CSCud82085. |
|
1233 |
CVE-2014-3405 |
|
|
|
2014-10-10 |
2014-10-10 |
4.8 |
None |
Local Network |
Low |
Not required |
None |
Partial |
Partial |
|
Cisco IOS XE enables the IPv6 Routing Protocol for Low-Power and Lossy Networks (aka RPL) on both the Autonomic Control Plane (ACP) and external Autonomic Networking Infrastructure (ANI) interfaces, which allows remote attackers to conduct route-injection attacks via crafted RPL advertisements on an ANI interface, aka Bug ID CSCuq22673. |
|
1234 |
CVE-2014-3404 |
310 |
|
|
2014-10-10 |
2014-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Autonomic Networking Infrastructure (ANI) component in Cisco IOS XE does not properly validate certificates, which allows remote attackers to trigger acceptance of an invalid message via crafted messages, aka Bug ID CSCuq22677. |
|
1235 |
CVE-2014-3403 |
310 |
|
|
2014-10-10 |
2014-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Autonomic Networking Infrastructure (ANI) component in Cisco IOS XE does not properly validate certificates, which allows remote attackers to spoof devices via crafted messages, aka Bug ID CSCuq22647. |
|
1236 |
CVE-2014-3402 |
287 |
|
DoS |
2014-10-10 |
2014-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The authentication-manager process in the web framework in Cisco Intrusion Prevention System (IPS) 7.0(8)E4 and earlier in Cisco Intrusion Detection System (IDS) does not properly manage user tokens, which allows remote attackers to cause a denial of service (temporary MainApp hang) via a crafted connection request to the management interface, aka Bug ID CSCuq39550. |
|
1237 |
CVE-2014-3400 |
200 |
|
+Info |
2014-10-05 |
2014-10-06 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Cisco WebEx Meetings Server allows remote authenticated users to obtain sensitive information by reading logs, aka Bug IDs CSCuq36417 and CSCuq40344. |
|
1238 |
CVE-2014-3399 |
94 |
|
DoS |
2014-10-07 |
2022-06-02 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
|
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.2(.2.4) and earlier does not properly manage session information during creation of a SharePoint handler, which allows remote authenticated users to overwrite arbitrary RAMFS cache files or inject Lua programs, and consequently cause a denial of service (portal outage or system reload), via crafted HTTP requests, aka Bug ID CSCup54208. |
|
1239 |
CVE-2014-3398 |
200 |
|
+Info |
2014-10-05 |
2014-10-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to obtain potentially sensitive software-version information by reading the verbose response data that is provided for a request to an unspecified URL, aka Bug ID CSCuq65542. |
|
1240 |
CVE-2014-3397 |
399 |
|
DoS |
2014-10-19 |
2015-10-30 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The network stack in Cisco TelePresence MCU Software before 4.3(2.30) allows remote attackers to cause a denial of service (memory consumption) via crafted TCP packets, aka Bug ID CSCtz35468. |
|
1241 |
CVE-2014-3396 |
264 |
|
Bypass |
2014-10-05 |
2014-10-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Cisco IOS XR on ASR 9000 devices does not properly use compression for port-range and address-range encoding, which allows remote attackers to bypass intended Typhoon line-card ACL restrictions via transit traffic, aka Bug ID CSCup30133. |
|
1242 |
CVE-2014-3394 |
295 |
|
Bypass |
2014-10-10 |
2022-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 before 8.2(5.50), 8.4 before 8.4(7.15), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to bypass certificate validation via an arbitrary VeriSign certificate, aka Bug ID CSCun10916. |
|
1243 |
CVE-2014-3393 |
287 |
|
XSS |
2014-10-10 |
2022-05-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Clientless SSL VPN portal customization framework in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.14), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), and 9.2 before 9.2(2.4) does not properly implement authentication, which allows remote attackers to modify RAMFS customization objects via unspecified vectors, as demonstrated by inserting XSS sequences or capturing credentials, aka Bug ID CSCup36829. |
|
1244 |
CVE-2014-3392 |
|
|
+Info |
2014-10-10 |
2022-05-23 |
8.3 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Complete |
|
The Clientless SSL VPN portal in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.8), and 9.3 before 9.3(1.1) allows remote attackers to obtain sensitive information from process memory or modify memory contents via crafted parameters, aka Bug ID CSCuq29136. |
|
1245 |
CVE-2014-3391 |
20 |
|
+Priv |
2014-10-10 |
2014-10-13 |
6.8 |
None |
Local |
Low |
??? |
Complete |
Complete |
Complete |
|
Untrusted search path vulnerability in Cisco ASA Software 8.x before 8.4(3), 8.5, and 8.7 before 8.7(1.13) allows local users to gain privileges by placing a Trojan horse library file in external memory, leading to library use after device reload because of an incorrect LD_LIBRARY_PATH value, aka Bug ID CSCtq52661. |
|
1246 |
CVE-2014-3390 |
20 |
|
|
2014-10-10 |
2014-10-13 |
6.8 |
None |
Local |
Low |
??? |
Complete |
Complete |
Complete |
|
The Virtual Network Management Center (VNMC) policy implementation in Cisco ASA Software 8.7 before 8.7(1.14), 9.2 before 9.2(2.8), and 9.3 before 9.3(1.1) allows local users to obtain Linux root access by leveraging administrative privileges and executing a crafted script, aka Bug IDs CSCuq41510 and CSCuq47574. |
|
1247 |
CVE-2014-3389 |
|
|
|
2014-10-10 |
2014-10-13 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
The VPN implementation in Cisco ASA Software 7.2 before 7.2(5.15), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.6), and 9.3 before 9.3(1.1) does not properly implement a tunnel filter, which allows remote authenticated users to obtain failover-unit access via crafted packets, aka Bug ID CSCuq28582. |
|
1248 |
CVE-2014-3388 |
399 |
|
DoS |
2014-10-10 |
2014-10-13 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The DNS inspection engine in Cisco ASA Software 9.0 before 9.0(4.13), 9.1 before 9.1(5.7), and 9.2 before 9.2(2) allows remote attackers to cause a denial of service (device reload) via crafted DNS packets, aka Bug ID CSCuo68327. |
|
1249 |
CVE-2014-3387 |
399 |
|
DoS |
2014-10-10 |
2014-10-13 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The SunRPC inspection engine in Cisco ASA Software 7.2 before 7.2(5.14), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.5 before 8.5(1.21), 8.6 before 8.6(1.14), 8.7 before 8.7(1.13), 9.0 before 9.0(4.5), and 9.1 before 9.1(5.3) allows remote attackers to cause a denial of service (device reload) via crafted SunRPC packets, aka Bug ID CSCun11074. |
|
1250 |
CVE-2014-3386 |
399 |
|
DoS |
2014-10-10 |
2014-10-13 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The GPRS Tunneling Protocol (GTP) inspection engine in Cisco ASA Software 8.2 before 8.2(5.51), 8.4 before 8.4(7.15), 8.7 before 8.7(1.13), 9.0 before 9.0(4.8), and 9.1 before 9.1(5.1) allows remote attackers to cause a denial of service (device reload) via a crafted series of GTP packets, aka Bug ID CSCum56399. |
