Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-25501
Publication date:
05/11/2021
An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2022

CVE-2021-25500
Publication date:
05/11/2021
A missing input validation in HDCP LDFW prior to SMR Nov-2021 Release 1 allows attackers to overwrite TZASC allowing TEE compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2022

CVE-2021-39907
Publication date:
05/11/2021
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39912
Publication date:
05/11/2021
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39909
Publication date:
05/11/2021
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022

CVE-2021-39911
Publication date:
05/11/2021
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022

CVE-2021-39913
Publication date:
05/11/2021
Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022

CVE-2021-39901
Publication date:
05/11/2021
In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39895
Publication date:
05/11/2021
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39906
Publication date:
05/11/2021
Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39905
Publication date:
05/11/2021
An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021

CVE-2021-39897
Publication date:
05/11/2021
Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2021
Subscribe to Vulnerabilities