Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-3772
Publication date:
02/03/2022
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2021-3716
Publication date:
02/03/2022
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2023

CVE-2021-3738
Publication date:
02/03/2022
In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2023

CVE-2021-23180
Publication date:
02/03/2022
A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-23191
Publication date:
02/03/2022
A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2022

CVE-2021-23206
Publication date:
02/03/2022
A flaw was found in htmldoc in v1.9.12 and prior. A stack buffer overflow in parse_table() in ps-pdf.cxx may lead to execute arbitrary code and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2022

CVE-2021-3715
Publication date:
02/03/2022
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2023

CVE-2021-23222
Publication date:
02/03/2022
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3677
Publication date:
02/03/2022
A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2021-3667
Publication date:
02/03/2022
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2021-38266
Publication date:
02/03/2022
The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exist in LDAP.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2022

CVE-2021-23192
Publication date:
02/03/2022
A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2023
Subscribe to Vulnerabilities