Netapp Ontap Tools vulnerabilities

CVE-2025-27820 [HIGH] CWE-295 CVE-2025-27820: A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie ma A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

CVE-2025-0167 [LOW] CVE-2025-0167: When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

CVE-2024-52533 [CRITICAL] CWE-120 CVE-2024-52533: gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflo gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

CVE-2024-38286 [HIGH] CWE-770 CVE-2024-38286: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue aff Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through

CVE-2024-49761 [MEDIUM] CWE-1333 CVE-2024-49761: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parse REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the v

CVE-2024-47554 [MEDIUM] CWE-400 CVE-2024-47554: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.inp Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the iss

CVE-2024-7254 [HIGH] CWE-400 CVE-2024-7254: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested gro Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions t

CVE-2024-8096 [MEDIUM] CWE-295 CVE-2024-8096: When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP sta When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not

CVE-2024-6119 [HIGH] CWE-843 CVE-2024-6119: Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server ce Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name chec

CVE-2024-39689 [HIGH] CWE-345 CVE-2024-39689: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certi Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the

CVE-2024-39884 [MEDIUM] CWE-668 CVE-2024-39884: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type ba A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users

CVE-2024-34750 [HIGH] CWE-400 CVE-2024-34750: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apac Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections

CVE-2024-6387 [HIGH] CWE-364 CVE-2024-6387: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race con A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

CVE-2024-34397 [MEDIUM] CWE-290 CVE-2024-34397: An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDB An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by

CVE-2023-38709 [HIGH] CWE-1284 CVE-2023-38709: Faulty input validation in the core of Apache allows malicious or exploitable backend/content genera Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

CVE-2024-24795 [MEDIUM] CWE-113 CVE-2024-24795: HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

CVE-2024-29131 [HIGH] CWE-787 CVE-2024-29131: Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

CVE-2024-26633 [MEDIUM] CVE-2024-26633: In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMEN In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_

CVE-2024-28752 [CRITICAL] CWE-918 CVE-2024-28752: A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3 A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CVE-2024-28757 [HIGH] CWE-776 CVE-2024-28757: libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).