Total
394 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-41573 | 1 Hitachi | 1 Content Platform Anywhere | 2024-11-21 | 7.5 High |
| Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later allows information disclosure. If authenticated user creates a link to a file or folder while the system was running version 4.3.x or earlier and then shares the link and then later deletes the file or folder without deleting the link and before the link expires. If the system has been upgraded to version 4.4.5 or 4.5.0 a malicious user with the link could browse and download all files of the authenticated user that created the link . | ||||
| CVE-2021-41089 | 3 Fedoraproject, Mobyproject, Redhat | 3 Fedora, Moby, Migration Toolkit Virtualization | 2024-11-21 | 2.8 Low |
| Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. | ||||
| CVE-2021-40150 | 1 Reolink | 2 E1 Zoom, E1 Zoom Firmware | 2024-11-21 | 7.5 High |
| The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI. | ||||
| CVE-2021-40149 | 1 Reolink | 2 E1 Zoom, E1 Zoom Firmware | 2024-11-21 | 5.9 Medium |
| The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI. | ||||
| CVE-2021-3996 | 2 Fedoraproject, Kernel | 2 Fedora, Util-linux | 2024-11-21 | 5.5 Medium |
| A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. | ||||
| CVE-2021-3995 | 2 Fedoraproject, Kernel | 2 Fedora, Util-linux | 2024-11-21 | 5.5 Medium |
| A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. | ||||
| CVE-2021-3856 | 1 Redhat | 2 Keycloak, Red Hat Single Sign On | 2024-11-21 | 4.3 Medium |
| ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. | ||||
| CVE-2021-3800 | 4 Debian, Gnome, Netapp and 1 more | 4 Debian Linux, Glib, Active Iq Unified Manager and 1 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition. | ||||
| CVE-2021-3717 | 1 Redhat | 9 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 6 more | 2024-11-21 | 7.8 High |
| A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0. | ||||
| CVE-2021-38711 | 1 Gitit Project | 1 Gitit | 2024-11-21 | 7.5 High |
| In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files. | ||||
| CVE-2021-37348 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 7.5 High |
| Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. | ||||
| CVE-2021-36763 | 1 Codesys | 7 Control, Control Rte, Control Runtime System Toolkit and 4 more | 2024-11-21 | 7.5 High |
| In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties. | ||||
| CVE-2021-36233 | 1 Unit4 | 1 Mik.starlight | 2024-11-21 | 6.5 Medium |
| The function AdminGetFirstFileContentByFilePath in MIK.starlight 7.9.5.24363 allows (by design) an authenticated attacker to read arbitrary files from the filesystem by specifying the file path. | ||||
| CVE-2021-35203 | 1 Netscout | 1 Ngeniusone | 2024-11-21 | 5.7 Medium |
| NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint. | ||||
| CVE-2021-34765 | 1 Cisco | 1 Nexus Insights | 2024-11-21 | 4.3 Medium |
| A vulnerability in the web UI for Cisco Nexus Insights could allow an authenticated, remote attacker to view and download files related to the web application. The attacker requires valid device credentials. This vulnerability exists because proper role-based access control (RBAC) filters are not applied to file download actions. An attacker could exploit this vulnerability by logging in to the application and then navigating to the directory listing and download functions. A successful exploit could allow the attacker to download sensitive files that should be restricted, which could result in disclosure of sensitive information. | ||||
| CVE-2021-33359 | 1 Sensepost | 1 Gowitness | 2024-11-21 | 7.5 High |
| A vulnerability exists in gowitness < 2.3.6 that allows an unauthenticated attacker to perform an arbitrary file read using the file:// scheme in the url parameter to get an image of any file. | ||||
| CVE-2021-32833 | 1 Emby | 1 Emby.releases | 2024-11-21 | 8.6 High |
| Emby Server is a personal media server with apps on many devices. In Emby Server on Windows there is a set of arbitrary file read vulnerabilities. This vulnerability is known to exist in version 4.6.4.0 and may not be patched in later versions. Known vulnerable routes are /Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer, /Images/Ratings/theme/name and /Images/MediaInfo/theme/name. For more details including proof of concept code, refer to the referenced GHSL-2021-051. This issue may lead to unauthorized access to the system especially when Emby Server is configured to be accessible from the Internet. | ||||
| CVE-2021-32752 | 1 Ethercreative | 1 Logs | 2024-11-21 | 7.2 High |
| Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may disable the plugin if untrustworthy sources have admin access. | ||||
| CVE-2021-32688 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-11-21 | 8.8 High |
| Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-32008 | 1 Secomea | 1 Gatemanager | 2024-11-21 | 9.9 Critical |
| This issue affects: Secomea GateManager Version 9.6.621421014 and all prior versions. Improper Limitation of a Pathname to restricted directory, allows logged in GateManager admin to delete system Files or Directories. | ||||