Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-40941

Publication date:
27/06/2022
In Bento4 1.6.0-638, there is an allocator out-of-memory condition in the function AP4_Array::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC. This can cause a denial of service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2022-28168

Publication date:
27/06/2022
In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav 2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2022-26477

Publication date:
27/06/2022
The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data but in many code paths (e.g., on Spark broadcast/shuffle or writing to sequence files) the byte stream is anyway protected by additional CRC fingerprints. In this particular case though, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2022

CVE-2022-28166

Publication date:
27/06/2022
In Brocade SANnav versions before SANnav 2.2.0.2 and Brocade SANnav before 2.1.1.8, the TLS/SSL server implementation supports the use of static key ciphers (ssl-static-key-ciphers) on ports 443 and 18082.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-28167

Publication date:
27/06/2022
Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav v2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-33654

Publication date:
27/06/2022
When performing the initialization operation of the Split operator, if a dimension in the input shape is 0, it will cause a division by 0 exception.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2022-2140

Publication date:
27/06/2022
Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2022

CVE-2022-2088

Publication date:
27/06/2022
An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2023

CVE-2022-2106

Publication date:
27/06/2022
Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2023

CVE-2021-33647

Publication date:
27/06/2022
When performing the inference shape operation of the Tile operator, if the input data type is not int or int32, it will access data outside the bounds of heap-allocated buffers.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2021-33648

Publication date:
27/06/2022
When performing the inference shape operation of the Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup and Gather operators, if the input shape size is 0, it will access data outside the bounds of the shape, which is allocated from heap buffers.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2021-33649

Publication date:
27/06/2022
When performing the inference shape operation of the Transpose operator, if a value in the perm element is greater than or equal to the size of input_shape, it will access data outside the bounds of input_shape, which is allocated from heap buffers.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022