Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-36562
Publication date:
15/09/2023
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2025

CVE-2023-36727
Publication date:
15/09/2023
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2025

CVE-2023-36735
Publication date:
15/09/2023
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2025

CVE-2023-41901
Publication date:
15/09/2023
Rejected reason: Further research determined the issue is not a vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-41886
Publication date:
15/09/2023
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-41887
Publication date:
15/09/2023
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-41889
Publication date:
15/09/2023
SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a Post-Unicode normalization issue. This happens when a logical validation or a security check is performed before a Unicode normalization. The Unicode character equivalent of a character would resurface after the normalization. The fix is initially performing the Unicode normalization and then strip for all whitespaces and then checking for a blank string. This issue has been fixed in version 1.18.0.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-42442
Publication date:
15/09/2023
JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).<br />
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-42439
Publication date:
15/09/2023
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. A SSRF vulnerability exists starting in version 3.2.0, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network. The application is using a whitelist, but the whitelist can be bypassed. The bypass will trick the application that the first host is a whitelisted address, but the browser will use `@` or `%40` as a credential to the host geoserver on port 8080, this will return the data to that host on the response. Version 4.1.3.post1 is the first available version that contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2023

CVE-2023-41900
Publication date:
15/09/2023
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2024

CVE-2023-0923
Publication date:
15/09/2023
A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2024

CVE-2023-0813
Publication date:
15/09/2023
A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2024
Subscribe to Vulnerabilities