Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-34418
Publication date:
11/11/2021
The login routine of the web console in the Zoom On-Premise Meeting Connector before version 4.6.239.20200613, Zoom On-Premise Meeting Connector MMR before version 4.6.239.20200613, Zoom On-Premise Recording Connector before version 3.8.42.20200905, Zoom On-Premise Virtual Room Connector before version 4.4.6344.20200612, and Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5492.20200616 fails to validate that a NULL byte was sent while authenticating. This could lead to a crash of the login service.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021

CVE-2021-34419
Publication date:
11/11/2021
In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021

CVE-2021-34420
Publication date:
11/11/2021
The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer’s computer.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2021

CVE-2021-3911
Publication date:
11/11/2021
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2022

CVE-2021-3912
Publication date:
11/11/2021
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-3909
Publication date:
11/11/2021
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2022

CVE-2021-3910
Publication date:
11/11/2021
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2022

CVE-2021-3907
Publication date:
11/11/2021
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2023

CVE-2021-3908
Publication date:
11/11/2021
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2002-20001
Publication date:
11/11/2021
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2021-43350
Publication date:
11/11/2021
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2022

CVE-2021-26558
Publication date:
11/11/2021
Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI Apache ShardingSphere-UI version 4.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021
Subscribe to Vulnerabilities