Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-42373
Publication date:
15/11/2021
A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-42375
Publication date:
15/11/2021
An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2021-42376
Publication date:
15/11/2021
A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-42377
Publication date:
15/11/2021
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-42374
Publication date:
15/11/2021
An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-42378
Publication date:
15/11/2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-42379
Publication date:
15/11/2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-42380
Publication date:
15/11/2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-42381
Publication date:
15/11/2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-42382
Publication date:
15/11/2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-41263
Publication date:
15/11/2021
rails_multisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-41244
Publication date:
15/11/2021
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022
Subscribe to Vulnerabilities