cbcvebase.

Mcafee Web Gateway vulnerabilities

42 known vulnerabilities affecting mcafee/web_gateway.

Total CVEs
42
CISA KEV
1
actively exploited
Public exploits
4
Exploited in wild
1
Severity breakdown
CRITICAL6HIGH17MEDIUM19

Vulnerabilities

Page 1 of 3
CVE-2021-3156P1HIGHCVSS 7.8KEVPoCv8.2.17v9.2.8+1 more2021-01-26
CVE-2021-3156 [HIGH] CWE-193 CVE-2021-3156: Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, wh Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
nvd
CVE-2019-9515P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9515 [HIGH] CWE-400 CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of s Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently th
nvd
CVE-2019-9513P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9513 [HIGH] CWE-400 CVE-2019-9513: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of ser Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
nvd
CVE-2019-9514P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9514 [HIGH] CWE-400 CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of serv Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both
nvd
CVE-2017-1000366P3HIGHCVSS 7.8PoC≤ 7.6.2.14≥ 7.7.0.0, ≤ 7.7.2.22017-06-19
CVE-2017-1000366 [HIGH] CWE-119 CVE-2017-1000366: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate th glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploita
nvd
CVE-2019-9511P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9511 [HIGH] CWE-400 CVE-2019-9511: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization man Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. De
nvd
CVE-2018-6667P2CRITICALCVSS 9.8≥ 7.8.1.0, < unspecified≥ unspecified, ≤ 7.8.1.52018-06-26
CVE-2018-6667 [CRITICAL] CWE-287 CVE-2018-6667: Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1 Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remote attackers to execute arbitrary code via Java management extensions (JMX).
nvd
CVE-2021-3450P3HIGHCVSS 7.4v8.2.19v9.2.10+1 more2021-03-25
CVE-2021-3450 [HIGH] CWE-295 CVE-2021-3450: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation
nvd
CVE-2021-3449P3MEDIUMCVSS 5.9v8.2.19v9.2.10+1 more2021-03-25
CVE-2021-3449 [MEDIUM] CWE-476 CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a cr
nvd
CVE-2018-18311P3CRITICALCVSS 9.8≥ 7.7.2, < 7.7.2.21≥ 7.8.2, < 7.8.2.8+1 more2018-12-07
CVE-2018-18311 [CRITICAL] CWE-190 CVE-2018-18311: Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression t Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
nvd
CVE-2019-9517P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9517 [HIGH] CWE-400 CVE-2019-9517: Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially lead Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requ
nvd
CVE-2019-9518P3HIGHCVSS 7.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9518 [HIGH] CWE-400 CVE-2019-9518: Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a deni Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandw
nvd
CVE-2019-9516P3MEDIUMCVSS 6.5≥ 7.7.2.0, < 7.7.2.24≥ 7.8.2.0, < 7.8.2.13+1 more2019-08-13
CVE-2019-9516 [MEDIUM] CWE-400 CVE-2019-9516: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of serv Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the
nvd
CVE-2016-1839P4MEDIUMCVSS 5.5PoC≥ 7.5.0.0, ≤ 7.5.2.10≥ 7.6.0.0, ≤ 7.6.2.32016-05-20
CVE-2016-1839 [MEDIUM] CWE-125 CVE-2016-1839: The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X befor The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
nvd
CVE-2016-1838P4MEDIUMCVSS 5.5PoC≥ 7.5.0.0, ≤ 7.5.2.10≥ 7.6.0.0, ≤ 7.6.2.32016-05-20
CVE-2016-1838 [MEDIUM] CWE-125 CVE-2016-1838: The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
nvd
CVE-2021-23885P3HIGHCVSS 8.8fixed in 8.2.17≥ 9.2, < 9.2.8+1 more2021-02-17
CVE-2021-23885 [HIGH] CWE-269 CVE-2021-23885: Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticate Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.
nvd
CVE-2016-4448P3CRITICALCVSS 9.8≤ 7.5.2.10≥ 7.6.0.0, ≤ 7.6.2.32016-06-09
CVE-2016-4448 [CRITICAL] CWE-134 CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
nvd
CVE-2020-7293P3CRITICALCVSS 9.0≥ 7.8.0, < 7.8.2.23≥ 8.2.0, < 8.2.11+1 more2020-09-15
CVE-2020-7293 [CRITICAL] CWE-287 CVE-2020-7293: Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated u Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user with low permissions to change the system's root password via improper access controls in the user interface.
nvd
CVE-2019-3638P3CRITICALCVSS 9.6≥ 7.8.2, < 7.8.2.13≥ 8.0.0, < 8.2.0+1 more2019-09-12
CVE-2019-3638 [CRITICAL] CWE-79 CVE-2019-3638: Reflected Cross Site Scripting vulnerability in Administrators web console in McAfee Web Gateway (MW Reflected Cross Site Scripting vulnerability in Administrators web console in McAfee Web Gateway (MWG) 7.8.x prior to 7.8.2.13 allows remote attackers to collect sensitive information or execute commands with the MWG administrator's credentials via tricking the administrator to click on a carefully constructed malicious link.
nvd
CVE-2016-1834P3HIGHCVSS 7.8≥ 7.5.0.0, ≤ 7.5.2.10≥ 7.6.0.0, ≤ 7.6.2.32016-05-20
CVE-2016-1834 [HIGH] CWE-119 CVE-2016-1834: Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
nvd
Mcafee Web Gateway vulnerabilities | cvebase