Pivotal Application Security Team
Overview
The Pivotal Application Security Team provides a single point of contact for the reporting of security vulnerabilities in Pivotal products and coordinates the process of investigating any reported vulnerabilities.
If you would like to subscribe to updates to this page, the RSS feed for all vulnerability reports is available at https://tanzu.vmware.com/security/rss or https://tanzu.vmware.com/security/parsed/rss. The RSS feed for just the notable vulnerabilities in dependences is available at https://tanzu.vmware.com/security/dependencies/rss and the RSS feed for just Pivotal product vulnerabilities is available at https://tanzu.vmware.com/security/pivotal/rss.
Reporting a vulnerability
We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.
Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in Pivotal products and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security related queries at this address.
The e-mail address to use to contact the Pivotal Application Security Team is security@pivotal.io.
The fingerprint is: AA8F D966 7001 70B7 087E B407 04A1 595B 8F19 137B
It can be obtained from a public key server such as pgp.mit.edu.
Pivotal Product Vulnerability Reports
| Date | CVE Reference | Description | ||
| 01 Juni 2020 | CVE-2020-5410 | Directory Traversal with spring-cloud-config-server | ||
| 26 Mai 2020 | CVE-2019-15605 | Node.js is vulnerable to request smuggling | ||
| 13 Mai 2020 | CVE-2020-5409 | Concourse Open Redirect in the /sky/login endpoint | ||
| 07 Mai 2020 | CVE-2020-5408 | Dictionary attack with Spring Security queryable text encryptor | ||
| 07 Mai 2020 | CVE-2020-5407 | Signature Wrapping Vulnerability with spring-security-saml2-service-provider | ||
| 14 Apr 2020 | CVE-2020-5402 | UAA fails to check the state parameter when authenticating with external IDPs | ||
| 09 Apr 2020 | CVE-2020-5406 | PCF Autoscaling logs its database credentials | ||
| 06 Apr 2020 | CVE-2019-11282 | UAA is vulnerable to a Blind SCIM injection leading to information disclosure | ||
| 06 Apr 2020 | CVE-2020-5400 | Cloud Controller logs environment variables from app manifests | ||
| 04 März 2020 | VARIOUS-JACKSON-CVES-UAA | Various CVEs UAA consumes vulnerable versions of FasterXML jackson-databind | ||
| 04 März 2020 | CVE-2019-11290 | UAA logs query parameters in tomcat access file | ||
| 03 März 2020 | CVE-2019-11253 | PKS is vulnerable to a YAML/JSON parsing "Billion Laughs" Attack | ||
| 27 Feb 2020 | CVE-2020-5403 | DoS Via Malformed URL with Reactor Netty HTTP Server | ||
| 27 Feb 2020 | CVE-2020-5404 | Authentication Leak On Redirect With Reactor Netty HttpClient | ||
| 26 Feb 2020 | CVE-2020-5405 | Directory Traversal with spring-cloud-config-server | ||
| 24 Feb 2020 | CVE-2020-5401 | GoRouter is vulnerable to a cache poisoning DoS | ||
| 12 Feb 2020 | CVE-2020-5399 | CredHub does not properly enable TLS for MySQL database connections | ||
| 11 Feb 2020 | CVE-2019-19604 | Git submodule loading vulnerability | ||
| 16 Jan 2020 | CVE-2020-5397 | CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux | ||
| 16 Jan 2020 | CVE-2020-5398 | RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application | ||
| 15 Jan 2020 | CVE-2019-11288 | tc Server JMX Socket Listener Registry Rebinding Local Privilege Escalation | ||
| 10 Jan 2020 | CVE-2019-18802 | CVE-2019-18801, CVE-2019-18838, MySQL for Pivotal Platform consumes a vulnerable version of Envoy | ||
| 08 Jan 2020 | CVE-2019-11292 | Ops Manager logs query parameters in tomcat access file | ||
| 04 Dez 2019 | CVE-2019-19029 | SQL Injection via user-groups in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dez 2019 | CVE-2019-19023 | Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dez 2019 | CVE-2019-19026 | SQL Injection via project quotas in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dez 2019 | CVE-2019-3990 | User Enumeration Flaw in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dez 2019 | CVE-2019-19025 | Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dez 2019 | CVE-2019-9517 | CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518, CVE-2019-9511, CVE-2019-9516, Some Pivotal products are impacted by HTTP/2 denial of service attacks | ||
| 03 Dez 2019 | CVE-2019-11293 | UAA logs all query parameters with debug logging level | ||
| 22 Nov 2019 | CVE-2019-11291 | RabbitMQ XSS attack via federation and shovel endpoints | ||
| 22 Nov 2019 | CVE-2019-11287 | RabbitMQ Web Management Plugin DoS via heap overflow | ||
| 18 Nov 2019 | CVE-2019-11289 | A forged route service request using an invalid nonce can cause the gorouter to panic and crash | ||
| 06 Nov 2019 | CVE-2019-9893 | libseccomp incorrectly generate 64-bit syscall argument comparisons | ||
| 28 Okt 2019 | CVE-2019-16869 | Reactor Netty Consumes a Vulnerable Version of Netty | ||
| 24 Okt 2019 | CVE-2019-11249 | PKS consumes a vulnerable version of kubectl | ||
| 23 Okt 2019 | CVE-2019-11283 | Password leak in smbdriver logs | ||
| 17 Okt 2019 | CVE-2019-16919 | Broken access control vulnerability in Harbor API | ||
| 15 Okt 2019 | CVE-2019-11278 | Privilege Escalation via Blind SCIM Injection in UAA | ||
| 15 Okt 2019 | CVE-2019-11279 | Privilege Escalation via Scope Manipulation in UAA | ||
| 15 Okt 2019 | CVE-2019-11247 | Kubernetes API Server Vulnerability | ||
| 15 Okt 2019 | CVE-2018-15664 | Docker Symlink Directory Traversal Vulnerability | ||
| 15 Okt 2019 | CVE-2019-13139 | Docker build code execution | ||
| 14 Okt 2019 | CVE-2019-11281 | RabbitMQ XSS attack | ||
| 11 Okt 2019 | CVE-2019-11284 | Reactor Netty authentication leak in redirects | ||
| 25 Sept 2019 | CVE-2019-11275 | CSV Injection in usage report downloaded from Pivotal Application Manager | ||
| 23 Sept 2019 | CVE-2019-11277 | Volume Services is vulnerable to an LDAP injection attack | ||
| 19 Sept 2019 | CVE-2019-11280 | Privilege escalation through the invitations service | ||
| 20 Aug 2019 | CVE-2019-3775 | UAA allows users to modify their own email address | ||
| 20 Aug 2019 | CVE-2019-3788 | UAA redirect-uri allows wildcards in the subdomain | ||
| 20 Aug 2018 | CVE-2019-3787 | UAA defaults email address to an insecure domain | ||
| 20 Aug 2019 | CVE-2019-10164 | Critical Security Issue in PostgreSQL | ||
| 19 Aug 2019 | CVE-2019-11276 | Apps Manager sends tokens to Spring apps via HTTP | ||
| 15 Aug 2019 | CVE-2017-15694 | Pivotal GemFire and Cloud Cache consume vulnerable versions of Apache Geode | ||
| 14 Aug 2019 | CVE-2019-13232 | ClamAV Add-on for PCF consumes a vulnerable version of ClamAV | ||
| 01 Aug 2019 | CVE-2019-11270 | UAA clients.write vulnerability | ||
| 25 Juli 2019 | CVE-2019-3800 | CF CLI writes the client id and secret to config file | ||
| 25 Juli 2019 | CVE-2019-3781 | CF CLI does not sanitize user's password in verbose/trace/debug | ||
| 23 Juli 2019 | CVE-2019-11273 | PKS Telemetry logs credentials | ||
| 22 Juli 2019 | VARIOUS-SQL | Various MySQL Security Updates from July 2018 through January 2019 | ||
| 22 Juli 2019 | USN-4017-1 | Linux kernel vulnerabilities | ||
| 18 Juli 2019 | CVE-2019-3786 | BBR could run arbitrary scripts on deployment VMs | ||
| 28 Juni 2019 | CVE-2019-11271 | Bosh Deployment logs leak sensitive information | ||
| 19 Juni 2019 | CVE-2019-11272 | PlaintextPasswordEncoder authenticates encoded passwords that are null | ||
| 30 Mai 2019 | CVE-2019-5021 | Tile generator affected by insecure default password | ||
| 30 Mai 2019 | CVE-2019-11269 | Open Redirector in spring-security-oauth2 | ||
| 24 Mai 2019 | CVE-2019-3790 | Ops Manager uaa client issues tokens after refresh token expiration | ||
| 13 Mai 2019 | CVE-2019-3802 | Additional information exposure with Spring Data JPA example matcher | ||
| 25 Apr 2019 | CVE-2019-3801 | Java Projects using HTTP to fetch dependencies | ||
| 24 Apr 2019 | CVE-2019-3798 | Escalation of Privileges in Cloud Controller | ||
| 24 Apr 2019 | CVE-2019-3789 | Gorouter allows space developer to hijack route services hosted outside the platform | ||
| 16 Apr 2019 | CVE-2019-3799 | Directory Traversal with spring-cloud-config-server | ||
| 12 Apr 2019 | CVE-2019-3793 | Invitations Service supports HTTP connections | ||
| 08 Apr 2019 | CVE-2019-3797 | Additional information exposure with Spring Data JPA derived queries | ||
| 04 Apr 2019 | CVE-2019-3795 | Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security | ||
| 01 Apr 2019 | CVE-2019-9946 | Kubernetes affecting certain network configurations with CNI | ||
| 01 Apr 2019 | CVE-2019-1002100 | Kubernetes API Server Patch Request Consumes Excess Resource Cause Denial of Service | ||
| 01 Apr 2019 | CVE-2019-1002101 | Kubernetes kubectl - potential directory traversal | ||
| 25 März 2019 | CVE-2019-3792 | Concourse 5.0.0 SQL Injection vulnerability | ||
| 07 März 2019 | CVE-2019-8331 | Bootstrap XSS | ||
| 28 Feb 2019 | CVE-2018-15754 | UAA issues tokens across identity providers if users with matching usernames exist | ||
| 26 Feb 2019 | CVE-2019-3777 | Apps Manager unverified SSL certs in Cloud Controller proxy | ||
| 21 Feb 2019 | CVE-2019-3778 | Open Redirector in spring-security-oauth2 | ||
| 19 Feb 2019 | CVE-2019-3776 | Reflected XSS in Pivotal Operations Manager | ||
| 14 Feb 2019 | CVE-2019-3780 | Cloud Foundry Container Runtime Leaks IAAS Credentials | ||
| 14 Feb 2019 | CVE-2019-3779 | Pivotal Container Service allows a user to bypass security policy when talking to ETCD | ||
| 14 Jan 2019 | CVE-2019-3772 | XML External Entity Injection (XXE) | ||
| 14 Jan 2019 | CVE-2019-3773 | XML External Entity Injection (XXE) | ||
| 14 Jan 2019 | CVE-2019-3774 | XML External Entity Injection (XXE) | ||
| 08 Jan 2019 | KUBERNETES-API-SERVER | Kubernetes API Server acts as proxy for internal and external IPs | ||
| 08 Jan 2019 | CVE-2019-3803 | Concourse includes token in CLI authentication callback | ||
| 04 Jan 2019 | CVE-2018-18264 | Kubernetes Dashboard TLS Certificate Leak | ||
| 18 Dez 2018 | CVE-2018-15801 | Authorization Bypass During JWT Issuer Validation with spring-security | ||
| 13 Dez 2018 | CVE-2018-15798 | Pivotal Concourse allows malicious redirect urls on login | ||
| 05 Dez 2018 | CVE-2018-1279 | RabbitMQ cluster compromise due to deterministically generated cookie | ||
| 15 Nov 2018 | CVE-2018-15759 | On Demand Services SDK Timing Attack Vulnerability | ||
| 09 Nov 2018 | CVE-2018-15795 | CredHub Service Broker uses guessable client secret | ||
| 29 Okt 2018 | CVE-2018-15762 | Pivotal Operations Manager gives all users heightened privileges | ||
| 16 Okt 2018 | CVE-2018-15758 | Privilege Escalation in spring-security-oauth2 | ||
| 16 Okt 2018 | CVE-2018-15756 | DoS Attack via Range Requests | ||
| 10 Okt 2018 | CVE-2018-11084 | Garden-runC prevents deletion of some app environments | ||
| 10 Okt 2018 | CVE-2018-15755 | CF networking internal policy server SQL injection | ||
| 03 Okt 2018 | CVE-2018-11083 | BOSH accepts refresh token as access token | ||
| 02 Okt 2018 | CVE-2018-15763 | PKS leaks IaaS credentials to application logs | ||
| 27 Sept 2018 | CVE-2018-11081 | Ops Manager writes UAA credentials to disk | ||
| 13 Sept 2018 | CVE-2018-1198 | PCC bosh deployment logs print a superuser password in plain text | ||
| 13 Sept 2018 | CVE-2018-11088 | CF admin credentials accessible to developers through Applications Manager | ||
| 13 Sept 2018 | CVE-2018-11086 | CF admin credentials accessible to developers through usage service | ||
| 11 Sept 2018 | CVE-2018-11087 | RabbitMQ (Spring-AMQP) Host name verification | ||
| 23 Juli 2018 | CVE-2018-11044 | Apps Manager allows unescaped content in invitation emails | ||
| 10 Juli 2018 | CVE-2018-11045 | Operations Manager image contains static LRNG seed file | ||
| 20 Juni 2018 | CVE-2018-11046 | Operations Manager includes outdated NGINX packages | ||
| 14 Juni 2018 | CVE-2018-11040 | JSONP enabled by default in MappingJackson2JsonView | ||
| 14 Juni 2018 | CVE-2018-11039 | Cross Site Tracing (XST) with Spring Framework | ||
| 11 Mai 2018 | CVE-2018-1263 | Unsafe Unzip with spring-integration-zip | ||
| 10 Mai 2018 | CVE-2018-1278 | Apps Manager allows unauthorized org invitations | ||
| 09 Mai 2018 | CVE-2018-1261 | Unsafe Unzip with spring-integration-zip | ||
| 09 Mai 2018 | CVE-2018-1260 | Remote Code Execution with spring-security-oauth2 | ||
| 09 Mai 2018 | CVE-2018-1259 | XXE with Spring Data’s XMLBeam integration | ||
| 09 Mai 2018 | CVE-2018-1258 | Unauthorized Access with Spring Security Method Security | ||
| 09 Mai 2018 | CVE-2018-1257 | ReDoS Attack with spring-messaging | ||
| 07 Mai 2018 | CVE-2018-1280 | Blind SQL injection in Pivotal Greenplum Command Center | ||
| 30 Apr 2018 | CVE-2018-1256 | Issuer validation regression in Spring Cloud SSO Connector | ||
| 10 Apr 2018 | CVE-2018-1274 | Denial of Service with Spring Data | ||
| 10 Apr 2018 | CVE-2018-1273 | RCE with Spring Data Commons | ||
| 09 Apr 2018 | CVE-2018-1275 | Address partial fix for CVE-2018-1270 | ||
| 05 Apr 2018 | CVE-2018-1272 | Multipart Content Pollution with Spring Framework | ||
| 05 Apr 2018 | CVE-2018-1271 | Directory Traversal with Spring MVC on Windows | ||
| 05 Apr 2018 | CVE-2018-1270 | Remote Code Execution with spring-messaging | ||
| 16 März 2018 | CVE-2018-1230 | Spring Batch Admin vulnerable to Cross Site Request Forgery | ||
| 16 März 2018 | CVE-2018-1229 | Stored XSS in file upload of Spring Batch Admin | ||
| 13 Feb 2018 | CVE-2018-1200 | Apps Manager File Access Vulnerability | ||
| 30 Jan 2018 | CVE-2018-1196 | Symlink privilege escalation attack via Spring Boot launch script | ||
| 29 Jan 2018 | CVE-2018-1199 | Security bypass with static resources | ||
| 16 Okt 2017 | CVE-2017-8028 | Spring-LDAP authentication with userSearch and STARTTLS allows authentication with arbitrary password | ||
| 21 Sept 2017 | CVE-2017-8046 | RCE in PATCH requests in Spring Data REST | ||
| 19 Sept 2017 | CVE-2017-8045 | Remote code execution in spring-amqp | ||
| 15 Sept 2017 | CVE-2017-8039 | Data Binding Expression Vulnerability in Spring Web Flow | ||
| 31 Aug 2017 | CVE-2017-8044 | XSS vulnerability in Single Sign-On for PCF via DOM-based query parameters | ||
| 31 Aug 2017 | CVE-2017-8041 | XSS vulnerability in org name in Single Sign-On for PCF | ||
| 31 Aug 2017 | CVE-2017-8040 | XXE Vulnerability in Single Sign-On for PCF | ||
| 08 Juni 2017 | CVE-2017-4995 | Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets” | ||
| 31 Mai 2017 | CVE-2017-4971 | Data Binding Expression Vulnerability in Spring Web Flow | ||
| 15 Mai 2017 | CVE-2017-4975 | Tile generator sets open security groups | ||
| 04 Mai 2017 | CVE-2017-4966 | RabbitMQ local storage of credentials | ||
| 04 Mai 2017 | CVE-2017-4965 | XSS vulnerabilities in RabbitMQ management UI | ||
| 27 März 2017 | CVE-2017-2773 | Unauthenticated JWT signing algorithm in multiple components | ||
| 24 März 2017 | CVE-2017-4955 | Credentials in Elastic Runtime Notifications errand log | ||
| 14 Feb 2017 | CVE-2017-4959 | Pivotal Cloud Foundry account authorization vulnerability | ||
| 09 Feb 2017 | CVE-2016-9880 | Unauthenticated access to GemFire for PCF broker endpoints | ||
| 04 Jan 2017 | CVE-2016-9885 | gfsh exposed over go router for GemFire for PCF | ||
| 28 Dez 2016 | CVE-2016-9879 | Encoded "/" in path variables | ||
| 28 Dez 2016 | CVE-2016-0898 | Service backups log AWS key | ||
| 21 Dez 2016 | CVE-2016-9878 | Directory Traversal in the Spring Framework ResourceServlet | ||
| 19 Dez 2016 | CVE-2016-9877 | RabbitMQ authentication vulnerability | ||
| 31 Okt 2016 | CVE-2016-6657 | PCF Open Redirects | ||
| 31 Okt 2016 | CVE-2016-6656 | Code injection vulnerability via GPHDFS in Greenplum database | ||
| 30 Sept 2016 | CVE-2016-6652 | Spring Data JPA Blind SQL Injection Vulnerability | ||
| 12 Sept 2016 | CVE-2016-0930 | Ops Manager Compilation VMs Vulnerability on vSphere and vCloud | ||
| 27 Juli 2016 | CVE-2016-0896 | IaaS Metadata Endpoint Accessible from Application Containers | ||
| 15 Juli 2016 | CVE-2016-0929 | RabbitMQ for PCF vulnerability | ||
| 07 Juli 2016 | CVE-2016-5007 | Spring Security / MVC Path Matching Inconsistency | ||
| 07 Juli 2016 | CVE-2016-0926 | Apps Manager XSS vulnerability | ||
| 05 Juli 2016 | CVE-2016-4977 | Remote Code Execution (RCE) in Spring Security OAuth | ||
| 29 Juni 2016 | CVE-2016-0928 | PCF Open Redirects | ||
| 24 Juni 2016 | CVE-2016-0897 | Ops Manager vSphere and vCloud vulnerability | ||
| 23 Juni 2016 | CVE-2016-0927 | Ops Manager XSS vulnerability | ||
| 11 Apr 2016 | CVE-2016-2173 | Remote Code Execution in Spring AMQP | ||
| 23 März 2016 | CVE-2016-0780 | Cloud Controller Disk Quota Enforcement | ||
| 23 März 2016 | CVE-2016-2165 | Loggregator Request URL Paths | ||
| 23 März 2016 | CVE-2016-0781 | UAA Persistent XSS Vulnerability | ||
| 03 Feb 2016 | CVE-2016-0883 | Pivotal Ops Manager Weak Authentication Scheme | ||
| 12 Nov 2015 | CVE-2015-5258 | Spring Social CSRF | ||
| 15 Okt 2015 | CVE-2015-5211 | RFD Attack in Spring Framework | ||
| 30 Juni 2015 | CVE-2015-3192 | DoS Attack with XML Input | ||
| 06 März 2015 | CVE-2015-0201 | Insufficiently random session id in Java SockJS client | ||
| 13 Jan 2015 | CVE-2014-3626 | Directory Traversal in Grails Resources Plugin | ||
| 11 Nov 2014 | CVE-2014-3625 | Directory Traversal in Spring Framework | ||
| 05 Sept 2014 | CVE-2014-3578 | Directory Traversal in Spring Framework | ||
| 15 Aug 2014 | CVE-2014-3527 | Access Control Bypass in Spring Security | ||
| 28 Mai 2014 | CVE-2014-0225 | Information Disclosure when using Spring MVC | ||
| 11 März 2014 | CVE-2014-1904 | XSS when using Spring MVC | ||
| 11 März 2014 | CVE-2014-0097 | Blank password may bypass user authentication | ||
| 11 März 2014 | CVE-2014-0054 | Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE) | ||
| 19 Feb 2014 | CVE-2014-0053 | Information Disclosure when using Grails | ||
| 14 Jan 2014 | CVE-2013-6430 | Possible XSS when using Spring MVC | ||
| 14 Jan 2014 | CVE-2013-6429 | Incomplete fix for CVE-2013-7315 (XXE) | ||
| 22 Aug 2013 | CVE-2013-7315 | XML External Entity (XXE) injection in Spring Framework | ||
| 22 Aug 2013 | CVE-2013-4152 | XML eXternal Entity (XXE) injection in Spring Framework |
Notable Vulnerabilities in Dependencies[1]
| Date | CVE Reference | Description | ||
| 14 Mai 2020 | USN-4318-1 | Linux kernel vulnerabilities | ||
| 23 Apr 2020 | USN-4305-1 | ICU vulnerability | ||
| 23 Apr 2020 | USN-4302-1 | Linux kernel vulnerabilities | ||
| 23 Apr 2020 | USN-4298-1 | SQLite vulnerabilities | ||
| 08 Apr 2020 | USN-4292-1 | rsync vulnerabilities | ||
| 02 März 2020 | USN-4293-1 | libarchive vulnerabilities | ||
| 18 Feb 2020 | USN-4287-1 | Linux kernel vulnerabilities | ||
| 10 Feb 2020 | USN-4274-1 | libxml2 vulnerabilities | ||
| 05 Feb 2020 | USN-4269-1 | systemd vulnerabilities | ||
| 03 Feb 2020 | USN-4263-1 | Sudo vulnerability | ||
| 28 Jan 2020 | USN-4255-2 | Linux kernel (HWE) vulnerabilities | ||
| 28 Jan 2020 | USN-4256-1 | Cyrus SASL vulnerability | ||
| 27 Jan 2020 | USN-4252-1 | tcpdump vulnerabilities | ||
| 23 Jan 2020 | USN-4233-2 | GnuTLS update | ||
| 23 Jan 2020 | USN-4249-1 | e2fsprogs vulnerability | ||
| 22 Jan 2020 | USN-4247-1 | python-apt vulnerabilities | ||
| 22 Jan 2020 | USN-4247-2 | python-apt regression | ||
| 22 Jan 2020 | USN-4246-1 | zlib vulnerabilities | ||
| 20 Jan 2020 | USN-4242-1 | Sysstat vulnerabilities | ||
| 20 Jan 2020 | USN-4243-1 | libbsd vulnerabilities | ||
| 19 Jan 2020 | CVE-2020-0601 | Windows Stemcells vulnerable to Windows CryptoAPI Spoofing Vulnerability | ||
| 15 Jan 2020 | USN-4205-1 | SQLite vulnerabilities | ||
| 15 Jan 2020 | USN-4215-1 | NSS vulnerability | ||
| 15 Jan 2020 | USN-4182-3 | Intel Microcode regression | ||
| 15 Jan 2020 | USN-4220-1 | Git vulnerabilities | ||
| 15 Jan 2020 | USN-4210-1 | Linux kernel vulnerabilities | ||
| 14 Jan 2020 | USN-4236-2 | Libgcrypt vulnerability | ||
| 13 Jan 2020 | USN-4235-1 | nginx vulnerability | ||
| 09 Jan 2020 | USN-4233-1 | GnuTLS update | ||
| 08 Jan 2020 | USN-4231-1 | NSS vulnerability | ||
| 07 Jan 2020 | USN-4227-1 | Linux kernel vulnerabilities | ||
| 18 Dez 2019 | USN-4194-1 | postgresql-common vulnerability | ||
| 18 Dez 2019 | USN-4185-1 | Linux kernel vulnerabilities | ||
| 18 Dez 2019 | USN-4162-1 | Linux kernel vulnerabilities | ||
| 18 Dez 2019 | USN-4191-1 | QEMU vulnerabilities | ||
| 18 Dez 2019 | USN-4164-1 | Libxslt vulnerabilities | ||
| 18 Dez 2019 | USN-4190-1 | libjpeg-turbo vulnerabilities | ||
| 18 Dez 2019 | USN-4176-1 | GNU cpio vulnerability | ||
| 18 Dez 2019 | USN-4172-1 | file vulnerability | ||
| 18 Dez 2019 | USN-4203-1 | NSS vulnerability | ||
| 18 Dez 2019 | USN-4169-1 | libarchive vulnerability | ||
| 18 Dez 2019 | USN-4182-1 | Intel Microcode update | ||
| 18 Dez 2019 | USN-4185-3 | Linux kernel vulnerability and regression | ||
| 18 Dez 2019 | USN-4199-1 | libvpx vulnerabilities | ||
| 11 Dez 2019 | USN-4221-1 | libpcap vulnerability | ||
| 25 Nov 2019 | CVE-2019-15587 | Ops Manager contains a vulnerable Loofah gem | ||
| 14 Nov 2019 | USN-4004-1 | Berkeley DB vulnerability | ||
| 14 Nov 2019 | USN-4038-1 | bzip2 vulnerabilities | ||
| 14 Nov 2019 | USN-3911-1 | file vulnerabilities | ||
| 14 Nov 2019 | USN-4015-1 | DBus vulnerability | ||
| 14 Nov 2019 | USN-4011-1 | Jinja2 vulnerabilities | ||
| 14 Nov 2019 | USN-4008-2 | AppArmor update | ||
| 14 Nov 2019 | USN-3999-1 | GnuTLS vulnerabilities | ||
| 14 Nov 2019 | USN-3967-1 | FFmpeg vulnerabilities | ||
| 14 Nov 2019 | USN-3990-1 | urllib3 vulnerabilities | ||
| 14 Nov 2019 | USN-4040-1 | Expat vulnerability | ||
| 14 Nov 2019 | USN-3885-2 | OpenSSH vulnerability | ||
| 14 Nov 2019 | USN-3993-1 | curl vulnerabilities | ||
| 14 Nov 2019 | USN-4012-1 | elfutils vulnerabilities | ||
| 14 Nov 2019 | USN-3968-1 | Sudo vulnerabilities | ||
| 14 Nov 2019 | USN-4016-1 | Vim vulnerabilities | ||
| 14 Nov 2019 | USN-4019-1 | SQLite vulnerabilities | ||
| 06 Nov 2019 | USN-4151-1 | Python vulnerabilities | ||
| 06 Nov 2019 | USN-4144-1 | Linux kernel vulnerabilities | ||
| 06 Nov 2019 | USN-4142-1 | e2fsprogs vulnerability | ||
| 06 Nov 2019 | USN-4132-1 | Expat vulnerability | ||
| 06 Nov 2019 | USN-4129-1 | curl vulnerabilities | ||
| 06 Nov 2019 | USN-4127-1 | Python vulnerabilities | ||
| 06 Nov 2019 | USN-4126-1 | FreeType vulnerability | ||
| 30 Sept 2019 | USN-4135-1 | Linux kernel vulnerabilities | ||
| 30 Sept 2019 | USN-4115-2 | Linux kernel regression | ||
| 30 Sept 2019 | USN-4115-1 | Linux kernel vulnerabilities | ||
| 30 Sept 2019 | USN-4094-1 | Linux kernel vulnerabilities | ||
| 30 Sept 2019 | USN-4071-1 | Patch vulnerabilities | ||
| 30 Sept 2019 | USN-4049-3 | GLib regression | ||
| 24 Sept 2019 | CVE-2019-16097 | Harbor Privilege Escalation | ||
| 05 Sept 2019 | USN-4099-1 | nginx vulnerabilities | ||
| 05 Sept 2019 | USN-4090-1 | PostgreSQL vulnerabilities | ||
| 05 Sept 2019 | USN-4068-2 | Linux kernel (HWE) vulnerabilities | ||
| 05 Sept 2019 | USN-4060-1 | NSS vulnerabilities | ||
| 05 Sept 2019 | USN-4058-1 | Bash vulnerability | ||
| 05 Sept 2019 | USN-4049-1 | GLib vulnerability | ||
| 05 Sept 2019 | USN-4038-3 | bzip2 regression | ||
| 06 Aug 2019 | USN-4041-1 | Linux kernel update | ||
| 05 Aug 2019 | USN-4014-1 | GLib vulnerability | ||
| 05 Aug 2019 | USN-4001-1 | libseccomp vulnerability | ||
| 05 Aug 2019 | USN-3977-3 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 19 Juni 2019 | USN-3981-2 | Linux kernel (HWE) vulnerabilities (AKA ZombieLoad Attack) | ||
| 19 Juni 2019 | USN-3977-2 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 19 Juni 2019 | USN-3977-1 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 21 Mai 2019 | USN-3972-1 | PostgreSQL vulnerabilities | ||
| 21 Mai 2019 | USN-3962-1 | libpng vulnerability | ||
| 21 Mai 2019 | USN-3960-1 | WavPack vulnerability | ||
| 21 Mai 2019 | USN-3947-1 | Libxslt vulnerability | ||
| 21 Mai 2019 | USN-3943-1 | Wget vulnerabilities | ||
| 21 Mai 2019 | USN-3932-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 Mai 2019 | USN-3931-2 | Linux kernel (HWE) vulnerabilities | ||
| 08 Mai 2019 | USN-3935-1 | BusyBox vulnerabilities | ||
| 25 Apr 2019 | USN-3945-1 | Ruby vulnerabilities | ||
| 25 Apr 2019 | USN-3910-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3906-1 | LibTIFF vulnerabilities | ||
| 25 Apr 2019 | USN-3901-2 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3900-1 | GD vulnerabilities | ||
| 25 Apr 2019 | USN-3899-1 | OpenSSL vulnerability | ||
| 25 Apr 2019 | USN-3898-1 | NSS vulnerability | ||
| 25 Apr 2019 | USN-3891-1 | systemd vulnerability | ||
| 25 Apr 2019 | USN-3885-1 | OpenSSH vulnerabilities | ||
| 25 Apr 2019 | USN-3884-1 | libarchive vulnerabilities | ||
| 25 Apr 2019 | USN-3882-1 | curl vulnerabilities | ||
| 25 Apr 2019 | USN-3879-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3871-4 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3864-1 | LibTIFF vulnerabilities | ||
| 25 Apr 2019 | USN-3859-1 | libarchive vulnerabilities | ||
| 25 Apr 2019 | USN-3848-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3847-2 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3840-1 | OpenSSL vulnerabilities | ||
| 25 Apr 2019 | USN-3834-1 | Perl vulnerabilities | ||
| 25 Apr 2019 | USN-3816-3 | systemd regression | ||
| 25 Apr 2019 | USN-3855-1 | systemd vulnerabilities | ||
| 25 Apr 2019 | USN-3863-1 | APT vulnerability | ||
| 13 Feb 2019 | CVE-2019-5736 | runC container breakout | ||
| 06 Feb 2019 | USN-3836-2 | Linux kernel (HWE) vulnerabilities | ||
| 06 Feb 2019 | USN-3841-1 | lxml vulnerability | ||
| 06 Feb 2019 | USN-3850-1 | NSS vulnerabilities | ||
| 03 Jan 2019 | USN-3843-1 | pixman vulnerability | ||
| 03 Jan 2019 | USN-3816-2 | systemd vulnerability | ||
| 03 Jan 2019 | USN-3839-1 | WavPack vulnerabilities | ||
| 03 Jan 2019 | USN-3829-1 | Git vulnerabilities | ||
| 14 Dez 2018 | USN-3805-1 | curl vulnerabilities | ||
| 14 Dez 2018 | USN-3809-1 | OpenSSH vulnerabilities | ||
| 14 Dez 2018 | USN-3812-1 | nginx vulnerabilities | ||
| 14 Dez 2018 | USN-3815-1 | gettext vulnerability | ||
| 14 Dez 2018 | USN-3817-1 | Python vulnerabilities | ||
| 14 Dez 2018 | USN-3821-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 12 Dez 2018 | USN-3820-2 | Linux kernel (HWE) vulnerabilities | ||
| 12 Dez 2018 | USN-3816-1 | systemd vulnerabilities | ||
| 12 Dez 2018 | USN-3806-1 | systemd vulnerability | ||
| 12 Dez 2018 | USN-3808-1 | Ruby vulnerabilities | ||
| 03 Dez 2018 | CVE-2018-15797 | NFS Volume release errand leaks cf admin credentials in logs | ||
| 03 Dez 2018 | CVE-2018-1002105 | Proxy request handling in kube-apiserver can leave vulnerable TCP connections | ||
| 28 Nov 2018 | USN-3797-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 08 Nov 2018 | USN-3800-1 | audiofile vulnerabilities | ||
| 08 Nov 2018 | USN-3791-1 | Git vulnerability | ||
| 08 Nov 2018 | USN-3786-1 | libxkbcommon vulnerabilities | ||
| 08 Nov 2018 | USN-3785-1 | ImageMagick vulnerabilities | ||
| 06 Nov 2018 | CVE-2018-15761 | UAA Privilege Escalation | ||
| 26 Okt 2018 | USN-3790-1 | Requests vulnerability | ||
| 26 Okt 2018 | USN-3777-2 | Linux kernel (HWE) vulnerabilities | ||
| 26 Okt 2018 | USN-3762-2 | Linux kernel (HWE) vulnerabilities | ||
| 09 Okt 2018 | USN-3752-2 | Linux kernel (HWE) vulnerabilities | ||
| 09 Okt 2018 | USN-3765-1 | curl vulnerability | ||
| 09 Okt 2018 | USN-3767-1 | GLib vulnerabilities | ||
| 09 Okt 2018 | USN-3770-1 | Little CMS vulnerabilities | ||
| 27 Sept 2018 | USN-3759-1 | libtirpc vulnerabilities | ||
| 27 Sept 2018 | USN-3758-1 | libx11 vulnerabilities | ||
| 27 Sept 2018 | USN-3756-1 | Intel Microcode vulnerabilities | ||
| 27 Sept 2018 | USN-3755-1 | GD vulnerabilities | ||
| 27 Sept 2018 | USN-3753-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sept 2018 | USN-3744-1 | PostgreSQL vulnerabilities | ||
| 27 Sept 2018 | USN-3741-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sept 2018 | USN-3739-1 | libxml2 vulnerabilities | ||
| 27 Sept 2018 | USN-3736-1 | libarchive vulnerabilities | ||
| 27 Sept 2018 | USN-3733-1 | GnuPG vulnerability | ||
| 27 Sept 2018 | USN-3729-1 | libxcursor vulnerability | ||
| 27 Sept 2018 | USN-3712-1 | libpng vulnerabilities | ||
| 27 Sept 2018 | USN-3696-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sept 2018 | USN-3692-1 | OpenSSL vulnerabilities | ||
| 27 Sept 2018 | USN-3690-2 | AMD Microcode regression | ||
| 27 Sept 2018 | USN-3690-1 | AMD Microcode update | ||
| 27 Sept 2018 | USN-3689-1 | Libgcrypt vulnerability | ||
| 27 Sept 2018 | USN-3605-1 | Sharutils vulnerability | ||
| 27 Sept 2018 | USN-3589-1 | PostgreSQL vulnerability | ||
| 27 Sept 2018 | USN-3564-1 | PostgreSQL vulnerability | ||
| 27 Sept 2018 | USN-3532-1 | GDK-PixBuf vulnerabilities | ||
| 27 Sept 2018 | USN-3509-4 | Linux kernel (Xenial HWE) regression | ||
| 27 Sept 2018 | USN-3352-1 | nginx vulnerability | ||
| 09 Aug 2018 | CVE-2018-8037 | Apache Tomcat - NIO/NIO2 connectors user sessions can get mixed up | ||
| 09 Aug 2018 | CVE-2018-1336 | Apache Tomcat - UTF-8 decoder can lead to DoS | ||
| 02 Aug 2018 | USN-3711-1 | ImageMagick vulnerabilities | ||
| 02 Aug 2018 | USN-3707-1 | NTP vulnerabilities | ||
| 02 Aug 2018 | USN-3706-1 | libjpeg-turbo vulnerabilities | ||
| 23 Juli 2018 | CVE-2018-11047 | UAA accepts refresh token as access token on admin endpoints | ||
| 20 Juli 2018 | USN-3693-1 | JasPer vulnerabilities | ||
| 20 Juli 2018 | USN-3686-1 | file vulnerabilities | ||
| 20 Juli 2018 | USN-3684-1 | Perl vulnerability | ||
| 20 Juli 2018 | USN-3681-1 | ImageMagick vulnerabilities | ||
| 20 Juli 2018 | USN-3676-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 20 Juli 2018 | USN-3675-1 | GnuPG vulnerabilities | ||
| 20 Juli 2018 | USN-3658-1 | procps-ng vulnerabilities | ||
| 17 Juli 2018 | CVE-2018-11041 | UAA open redirect | ||
| 16 Juli 2018 | CVE-2018-1269 | Loggregator does not properly close some TCP connections | ||
| 16 Juli 2018 | CVE-2018-1268 | Loggregator lacks app GUID validation | ||
| 19 Juni 2018 | CVE-2018-1265 | Diego does not properly sanitize file paths in tar/zip files | ||
| 21 Juni 2018 | USN-3671-1 | Git vulnerabilities | ||
| 21 Juni 2018 | USN-3654-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 Juni 2018 | USN-3648-1 | curl vulnerabilities | ||
| 14 Juni 2018 | USN-3643-1 | Wget vulnerability | ||
| 14 Juni 2018 | USN-3641-1 | Linux kernel vulnerabilities | ||
| 14 Juni 2018 | USN-3631-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Juni 2018 | USN-3628-1 | OpenSSL vulnerability | ||
| 14 Juni 2018 | USN-3625-1 | Perl vulnerabilities | ||
| 14 Juni 2018 | USN-3624-1 | Patch vulnerabilities | ||
| 14 Juni 2018 | USN-3622-1 | Wayland vulnerability | ||
| 21 Mai 2018 | CVE-2018-1277 | Garden does not correctly enforce Docker image disc quotas | ||
| 21 Mai 2018 | CVE-2018-1276 | Windows2012R2 stemcell exposes IaaS metadata on vSphere | ||
| 10 Mai 2018 | MS-ISAC-2018-046 | MS-ISAC 2018-046 Multiple Vulnerabilities in PHP | ||
| 08 Mai 2018 | CVE-2018-1191 | Garden may log Docker passwords | ||
| 02 Mai 2018 | USN-3619-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 02 Mai 2018 | USN-3611-1 | OpenSSL vulnerability | ||
| 02 Mai 2018 | USN-3610-1 | ICU vulnerability | ||
| 02 Mai 2018 | USN-3606-1 | LibTIFF vulnerabilities | ||
| 02 Mai 2018 | USN-3604-1 | libvorbis vulnerabilities | ||
| 02 Mai 2018 | USN-3602-1 | LibTIFF vulnerabilities | ||
| 02 Mai 2018 | USN-3598-1 | curl vulnerabilities | ||
| 02 Mai 2018 | USN-3586-1 | DHCP vulnerabilities | ||
| 02 Mai 2018 | USN-3584-1 | sensible-utils vulnerability | ||
| 02 Mai 2018 | USN-3569-1 | libvorbis vulnerabilities | ||
| 02 Mai 2018 | USN-3554-1 | curl vulnerabilities | ||
| 02 Mai 2018 | USN-3547-1 | Libtasn1 vulnerabilities | ||
| 02 Mai 2018 | USN-3543-1 | rsync vulnerabilities | ||
| 02 Mai 2018 | USN-3534-1 | GNU C Library vulnerabilities | ||
| 02 Mai 2018 | USN-3506-1 | rsync vulnerabilities | ||
| 02 Mai 2018 | USN-3501-1 | libxcursor vulnerability | ||
| 02 Mai 2018 | USN-3346-2 | Bind regression | ||
| 30 Apr 2018 | CVE-2018-1197 | GCP Metadata Endpoint Accessible from Application Containers on Windows | ||
| 05 Apr 2018 | CVE-2018-1266 | Cloud Controller file modification via malicious application | ||
| 05 Apr 2018 | CVE-2018-1231 | BOSH CLI does not restrict access to configuration file | ||
| 03 Apr 2018 | USN-3582-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 März 2018 | CVE-2018-1195 | Cloud Controller API will accept a refresh token for authentication | ||
| 28 März 2018 | CVE-2018-1192 | UAA SessionID present in Audit Event Logs | ||
| 28 März 2018 | CVE-2018-1190 | XSS on UAA OpenID Connect check session iframe endpoint | ||
| 09 März 2018 | CVE-2018-1227 | Concourse-dot-ci Domain Issue | ||
| 27 Feb 2018 | VU475445 | VU#475445 SAML Authentication Bypass | ||
| 27 Feb 2018 | CVE-2018-1221 | Gorouter websocket handling vulnerability | ||
| 01 Feb 2018 | USN-3540-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 01 Feb 2018 | USN-3538-1 | OpenSSH vulnerabilities | ||
| 01 Feb 2018 | USN-3535-1 | Bind vulnerability | ||
| 01 Feb 2018 | USN-3522-4 | Linux (Xenial HWE) vulnerability | ||
| 01 Feb 2018 | USN-3522-2 | Linux (Xenial HWE) vulnerability | ||
| 01 Feb 2018 | USN-3513-1 | libxml2 vulnerability | ||
| 01 Feb 2018 | USN-3504-1 | libxml2 vulnerability | ||
| 03 Jan 2018 | Meltdown and Spectre Attacks | Meltdown and Spectre Attacks | ||
| 19 Dez 2017 | CVE-2017-1000353 | Jenkins unauthenticated remote code execution | ||
| 15 Dez 2017 | USN-3509-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dez 2017 | USN-3505-1 | Linux firmware vulnerabilities | ||
| 15 Dez 2017 | USN-3498-1 | curl vulnerabilities | ||
| 15 Dez 2017 | USN-3496-3 | Python vulnerability | ||
| 15 Dez 2017 | USN-3496-1 | Python vulnerability | ||
| 15 Dez 2017 | USN-3489-1 | Berkeley DB vulnerability | ||
| 15 Dez 2017 | USN-3485-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dez 2017 | USN-3478-1 | Perl vulnerabilities | ||
| 15 Dez 2017 | USN-3475-1 | OpenSSL vulnerabilities | ||
| 15 Dez 2017 | USN-3469-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dez 2017 | USN-3464-1 | Wget vulnerabilities | ||
| 15 Dez 2017 | USN-3458-1 | ICU vulnerability | ||
| 15 Dez 2017 | USN-3457-1 | curl vulnerability | ||
| 21 Nov 2017 | USN-3454-1 | libffi vulnerability | ||
| 21 Nov 2017 | USN-3444-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 Nov 2017 | USN-3441-1 | curl vulnerabilities | ||
| 21 Nov 2017 | USN-3437-1 | OCaml vulnerability | ||
| 21 Nov 2017 | USN-3434-1 | Libidn vulnerability | ||
| 21 Nov 2017 | USN-3432-1 | ca-certificates update | ||
| 21 Nov 2017 | USN-3424-1 | libxml2 vulnerabilities | ||
| 21 Nov 2017 | USN-3387-1 | Git vulnerability | ||
| 16 Nov 2017 | CVE-2017-8031 | UAA Denial of Service through client token revocation endpoint | ||
| 15 Nov 2017 | CVE-2017-14388 | GrootFS doesn’t validate DiffIDs | ||
| 11 Okt 2017 | CVE-2017-8048 | Cloud Controller API regression | ||
| 10 Okt 2017 | CVE-2017-8047 | Cloud Foundry router open redirect | ||
| 28 Sept 2017 | USN-3420-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 Sept 2017 | USN-3418-1 | GDK-PixBuf vulnerabilities | ||
| 28 Sept 2017 | USN-3415-1 | tcpdump vulnerabilities | ||
| 28 Sept 2017 | USN-3411-1 | Bazaar vulnerability | ||
| 28 Sept 2017 | USN-3410-1 | GD library vulnerability | ||
| 28 Sept 2017 | USN-3405-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 Sept 2017 | USN-3398-1 | graphite2 vulnerabilities | ||
| 08 Sept 2017 | CVE-2017-9805 | Apache Struts Remote Code Execution | ||
| 28 Aug 2017 | USN-3392-2 | Linux kernel (Xenial HWE) regression | ||
| 21 Aug 2017 | USN-3385-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3378-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3367-1 | gdb vulnerabilities | ||
| 14 Aug 2017 | USN-3364-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3363-2 | ImageMagick regression References | ||
| 14 Aug 2017 | USN-3363-1 | ImageMagick vulnerabilities | ||
| 14 Aug 2017 | USN-3356-1 | Expat vulnerability | ||
| 14 Aug 2017 | USN-3353-1 | Heimdal vulnerability | ||
| 14 Aug 2017 | USN-3349-1 | NTP vulnerabilities | ||
| 14 Aug 2017 | USN-3347-1 | Libgcrypt vulnerabilities | ||
| 14 Aug 2017 | USN-3346-1 | bind9 vulnerabilities | ||
| 14 Aug 2017 | USN-3344-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 07 Aug 2017 | CVE-2017-8037 | Incomplete fix for Cloud Controller API access to CC VM contents | ||
| 02 Aug 2017 | CVE-2017-9022/CVE-2017-9023 | strongSwan DOS Vulnerabilities | ||
| 01 Aug 2017 | CVE-2017-8038 | Credentials readable from CredHub endpoint | ||
| 25 Juli 2017 | CVE-2017-8036 | Cloud Controller API regression | ||
| 25 Juli 2017 | CVE-2017-8035 | Cloud Controller API access to CC VM contents | ||
| 25 Juli 2017 | CVE-2017-8033 | Cloud Controller API filesystem traversal vulnerability | ||
| 24 Juli 2017 | CVE-2017-8032 | UAA Identity Zone Admin Privilege Escalation | ||
| 05 Juli 2017 | CVE-2017-7485 | PostgreSQL vulnerabilities | ||
| 26 Juni 2017 | CVE-2017-5946 | Directory Traversal in Rubyzip | ||
| 26 Juni 2017 | USN-3334-1 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 26 Juni 2017 | USN-3323-1 | GNU C Library vulnerability | ||
| 26 Juni 2017 | USN-3318-1 | GnuTLS vulnerabilities | ||
| 26 Juni 2017 | USN-3312-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 26 Juni 2017 | USN-3311-1 | libnl vulnerability | ||
| 26 Juni 2017 | USN-3309-1 | Libtasn1 vulnerability | ||
| 26 Juni 2017 | USN-3302-1 | ImageMagick vulnerabilities | ||
| 26 Juni 2017 | USN-3212-2 | LibTIFF regression | ||
| 22 Juni 2017 | USN-3304-1 | Sudo vulnerability | ||
| 08 Juni 2017 | CVE-2017-4994 | Forwarded Headers in UAA | ||
| 08 Juni 2017 | USN-3295-1 | JasPer vulnerabilities | ||
| 08 Juni 2017 | USN-3294-1 | Bash vulnerabilities | ||
| 08 Juni 2017 | USN-3291-3 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 08 Juni 2017 | USN-3287-1 | Git vulnerability | ||
| 08 Juni 2017 | USN-3283-1 | rtmpdump vulnerabilities | ||
| 08 Juni 2017 | USN-3282-1 | FreeType vulnerabilities | ||
| 08 Juni 2017 | USN-3276-2 | shadow regression | ||
| 08 Juni 2017 | USN-3263-1 | FreeType vulnerability | ||
| 08 Juni 2017 | USN-3259-1 | Bind vulnerabilities | ||
| 08 Juni 2017 | USN-3246-1 | Eject vulnerability | ||
| 08 Juni 2017 | USN-3181-1 | OpenSSL vulnerabilities | ||
| 19 Mai 2017 | CVE-2017-4992 | Privilege escalation with user invitations | ||
| 19 Mai 2017 | CVE-2017-4991 | UAA password reset vulnerability | ||
| 02 Mai 2017 | USN-3265-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 01 Mai 2017 | CVE-2017-4974 | Blind SQL Injection with privileged UAA endpoints | ||
| 20 Apr 2017 | CVE-2015-3281 | HAProxy vulnerabilities | ||
| 20 Apr 2017 | CVE-2017-4973 | Privilege Escalation in UAA | ||
| 20 Apr 2017 | CVE-2017-4972 | Blind SQL Injection in UAA | ||
| 13 Apr 2017 | CVE-2017-4969 | Bug in CC allows users to exceed quotas | ||
| 12 Apr 2017 | USN-3256-2 | Linux kernel (HWE) vulnerability | ||
| 10 Apr 2017 | CVE-2017-4970 | Staticfile buildpack ignores basic authentication when misconfigured | ||
| 06 Apr 2017 | USN-3243-1 | Git vulnerability | ||
| 06 Apr 2017 | USN-3241-1 | audiofile vulnerabilities | ||
| 06 Apr 2017 | USN-3239-2 | GNU C Library Regression | ||
| 06 Apr 2017 | USN-3237-1 | FreeType vulnerability | ||
| 06 Apr 2017 | USN-3235-1 | libxml2 vulnerabilities | ||
| 06 Apr 2017 | USN-3232-1 | ImageMagick vulnerabilities | ||
| 06 Apr 2017 | USN-3227-1 | ICU vulnerabilities | ||
| 06 Apr 2017 | USN-3225-1 | libarchive vulnerabilities | ||
| 06 Apr 2017 | USN-3183-2 | GnuTLS vulnerability | ||
| 05 Apr 2017 | CVE-2017-5649 | Apache Geode privilege escalation vulnerability | ||
| 04 Apr 2017 | USN-3201-1 | Bind vulnerabilities | ||
| 04 Apr 2017 | USN-3234-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 04 Apr 2017 | USN-3228-1 | libevent vulnerabilities | ||
| 04 Apr 2017 | USN-3247-1 | AppArmor vulnerability | ||
| 04 Apr 2017 | USN-3249-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 31 März 2017 | USN-3222-1 | ImageMagick vulnerabilities | ||
| 31 März 2017 | USN-3213-1 | GD library vulnerabilities | ||
| 31 März 2017 | USN-3212-1 | LibTIFF vulnerabilities | ||
| 31 März 2017 | USN-3205-1 | tcpdump vulnerabilities | ||
| 31 März 2017 | USN-3142-2 | ImageMagick vulnerabilities | ||
| 29 März 2017 | CVE-2017-4963 | Session Fixation for UAA External Authentication | ||
| 17 März 2017 | USN-3196-1 | Multiple PHP vulnerabilities | ||
| 17 März 2017 | USN-3185-1 | libXpm vulnerability | ||
| 17 März 2017 | USN-3193-1 | Nettle vulnerability | ||
| 17 März 2017 | USN-3183-1 | GnuTLS vulnerabilities | ||
| 14 März 2017 | USN-3189-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 März 2017 | CVE-2017-5638 | Apache Struts Remote Code Execution | ||
| 13 März 2017 | USN-3220-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 09 März 2017 | CVE-2017-4960 | UAA OAuth DOS via lockout feature | ||
| 01 März 2017 | USN-3208-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 31 Jan 2017 | USN-3172-1 | Bind vulnerabilities | ||
| 31 Jan 2017 | USN-3169-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 31 Jan 2017 | USN-3161-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 23 Jan 2017 | CVE-2016-6660 | Cloud Controller logs application environment variables | ||
| 19 Jan 2017 | USN-3024-1 | tomcat6, tomcat7 vulnerabilities | ||
| 12 Jan 2017 | RunC Exec | RunC Exec Vulnerability | ||
| 10 Jan 2017 | CVE-2016-9882 | Cloud Foundry Logs Service Credentials | ||
| 29 Dez 2016 | CVE-2016-3958 and CVE-2016-3959 | Golang vulnerabilities | ||
| 27 Dez 2016 | USN-3146-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Dez 2016 | USN-3128-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 27 Dez 2016 | USN-3142-1 | ImageMagick vulnerabilities | ||
| 19 Dez 2016 | CVE-2016-8219 | Space Auditor can restage apps | ||
| 21 Dez 2016 | Multiple CVEs | httpoxy vulnerabilities | ||
| 20 Dez 2016 | USN-3156-1 | APT vulnerability | ||
| 19 Dez 2016 | USN-3131-1 | ImageMagick vulnerabilities | ||
| 19 Dez 2016 | USN-3067-1 | HarfBuzz vulnerabilities | ||
| 19 Dez 2016 | USN-3117-1 | GD library vulnerabilities | ||
| 14 Dez 2016 | USN-3132-1 | tar vulnerability | ||
| 14 Dez 2016 | USN-3134-1 | Python vulnerabilities | ||
| 14 Dez 2016 | USN-3139-1 | Vim vulnerability | ||
| 14 Dez 2016 | CVE-2016-6659 | UAA Privilege Escalation | ||
| 14 Dez 2016 | USN-3116-1 | DBus vulnerabilities | ||
| 14 Dez 2016 | USN-3119-1 | Bind vulnerability | ||
| 13 Dez 2016 | USN-3123-1 | curl vulnerabilities | ||
| 13 Dez 2016 | USN-3088-1 | Bind vulnerability | ||
| 09 Dez 2016 | CVE-2016-8218 | Unauthenticated JWT signing algorithm in routing | ||
| 07 Dez 2016 | USN-3151-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 17 Nov 2016 | CVE-2016-6663/CVE-2016-6664 | MariaDB Root Privilege Escalation | ||
| 17 Nov 2016 | Several | PCRE vulnerabilities prior to version 8.39 | ||
| 07 Nov 2016 | USN-3096-1 | NTP vulnerabilities | ||
| 07 Nov 2016 | USN-3095-1 | PHP vulnerabilities | ||
| 02 Nov 2016 | CVE-2016-6658 | Incomplete fix for Credential Vulnerability for Custom Buildpacks | ||
| 21 Okt 2016 | CVE-2016-5195 | Linux kernel vulnerability | ||
| 17 Okt 2016 | CVE-2016-6655 | Utility Script Command Injection | ||
| 17 Okt 2016 | USN-3099-2 | Linux kernel vulnerabilities | ||
| 29 Sept 2016 | CVE-2016-6653 | MySQL Audit logs sent to Syslog | ||
| 28 Sept 2016 | USN-3087-2 | OpenSSL Regression | ||
| 28 Sept 2016 | USN-3083-1 | Linux kernel vulnerabilities | ||
| 28 Sept 2016 | USN-3068-1 | Libidn vulnerabilities | ||
| 28 Sept 2016 | CVE-2016-6662 | Multiple MySQL Vulnerabilities | ||
| 28 Sept 2016 | USN-3085-1 | GDK-PixBuf vulnerabilities | ||
| 26 Sept 2016 | CVE-2016-6651 | Privilege Escalation in UAA | ||
| 26 Sept 2016 | CVE-2016-6636 | UAA Open Redirect Vulnerability for Subdomains | ||
| 26 Sept 2016 | CVE-2016-6637 | UAA CSRF Vulnerability for OAuth Approvals | ||
| 21 Sept 2016 | CVE-2014-9130 | LibYAML vulnerability | ||
| 09 Sept 2016 | CVE-2016-6639 | PHP Buildpack exposes .profile file | ||
| 09 Sept 2016 | USN-3045-1 | PHP vulnerabilities | ||
| 25 Aug 2016 | USN-3065-1 | Libgcrypt vulnerability | ||
| 25 Aug 2016 | USN-3064-1 | GnuPG vulnerability | ||
| 25 Aug 2016 | USN-3063-1 | Fontconfig vulnerability | ||
| 25 Aug 2016 | USN-3061-1 | OpenSSH vulnerability | ||
| 25 Aug 2016 | USN-3030-1/USN-3060-1 | GD library vulnerability | ||
| 25 Aug 2016 | USN-3053-1/USN-3037-1 | Linux kernel (Vivid HWE) vulnerability | ||
| 25 Aug 2016 | USN-3048-1 | curl vulnerability | ||
| 25 Aug 2016 | USN-3033-1 | libarchive vulnerability | ||
| 18 Aug 2016 | CVE-2016-5016 | UAA accepts expired certificates | ||
| 26 Juli 2016 | CVE-2016-5006 | Cloud Controller API logs user-provided service credentials | ||
| 13 Juli 2016 | USN-3010-1 | Expat vulnerabilities | ||
| 13 Juli 2016 | CVE-2016-4450 | Nginx Vulnerabilities | ||
| 13 Juli 2016 | USN-3012-1 | Wget vulnerability | ||
| 01 Juli 2016 | USN-3020-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 30 Juni 2016 | CVE-2016-4468 | UAA SQL Injection | ||
| 15 Juni 2016 | USN-3001-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 13 Juni 2016 | CVE-2016-4435 | BOSH Agent Anonymous Endpoint | ||
| 13 Juni 2016 | USN-2994-1 | libxml2 vulnerabilities | ||
| 13 Juni 2016 | USN-2991-1 | nginx vulnerability | ||
| 13 Juni 2016 | USN-2990-1 | ImageMagick vulnerability (a.k.a. ImageTragick) | ||
| 13 Juni 2016 | USN-2987-1 | GD library vulnerabilities | ||
| 13 Juni 2016 | USN-2985-2 | GNU C Library regression | ||
| 13 Juni 2016 | USN-2983-1 | Expat vulnerability | ||
| 13 Juni 2016 | USN-2981-1 | libarchive vulnerabilities | ||
| 13 Juni 2016 | USN-2966-1 | OpenSSH vulnerabilities | ||
| 13 Juni 2016 | USN-2961-1 | Little CMS vulnerability | ||
| 08 Juni 2016 | CVE-2013-7456 | PHP vulnerabilities | ||
| 03 Juni 2016 | USN-2970-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 23 Mai 2016 | CVE-2016-3084 | UAA Password Reset Vulnerability | ||
| 19 Mai 2016 | USN-2977-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 17 Mai 2016 | CVE-2016-3091 | Diego log encoding vulnerability | ||
| 06 Mai 2016 | USN-2959-1 | OpenSSL vulnerabilities | ||
| 06 Mai 2016 | USN-2957-1 | Libtasn1 vulnerability | ||
| 06 Mai 2016 | USN-2949-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 06 Mai 2016 | USN-2943-1 | PCRE vulnerabilities | ||
| 06 Mai 2016 | USN-2935-2 | PAM regression | ||
| 02 Mai 2016 | CVE-2015-5170-5173 | UAA Vulnerabilities | ||
| 14 Apr 2016 | Badlock bug | Samba and Windows Vulnerabilities | ||
| 24 März 2016 | USN-2939-1 | LibTIFF vulnerabilities | ||
| 24 März 2016 | USN-2927-1 | Graphite2 vulnerabilities | ||
| 24 März 2016 | USN-2925-1 | Bind9 vulnerabilities | ||
| 24 März 2016 | USN-2919-1 | JasPer vulnerabilities | ||
| 24 März 2016 | USN-2918-1 | Pixman vulnerabilities | ||
| 24 März 2016 | USN-2916-1 | Perl vulnerabilities | ||
| 24 März 2016 | USN-2914-1 | OpenSSL vulnerabilities | ||
| 24 März 2016 | NPM Ownership Issue | Warning about NPM modules | ||
| 24 März 2016 | USN-2938-1 | Git vulnerabilities | ||
| 16 März 2016 | USN-2932-1 | Linux kernel vulnerabilities | ||
| 02 März 2016 | CVE-2016-0800 | OpenSSL vulnerabilities | ||
| 26 Feb 2016 | USN-2910-1 | Linux kernel vulnerability | ||
| 26 Feb 2016 | CVE-2016-0761 | Docker Image Host Files Corruption | ||
| 19 Feb 2016 | USN-2900-1 | GNU libc vulnerability | ||
| 02 Feb 2016 | CVE-2016-0732 | Privilege Escalation | ||
| 01 Feb 2016 | CVE-2016-0713 | Gorouter XSS | ||
| 22 Jan 2016 | USN-2871-1 | Linux kernel vulnerability | ||
| 20 Jan 2016 | CVE-2016-0715 | Remote Information Disclosure | ||
| 19 Jan 2016 | USN-2865-1 | GnuTLS vulnerability | ||
| 19 Jan 2016 | USN-2861-1 | libpng vulnerability | ||
| 19 Jan 2016 | USN-2868-1 | DHCP vulnerability | ||
| 19 Jan 2016 | USN-2869-1 | OpenSSH vulnerability | ||
| 18 Jan 2016 | CVE-2016-0708 | Remote Information Disclosure | ||
| 07 Jan 2016 | USN-2857-1 | Linux kernel vulnerability | ||
| 07 Jan 2016 | USN-2842-1/USN-2842-2 | Linux kernel vulnerability | ||
| 07 Jan 2016 | USN-2837-1 | bind9 vulnerability | ||
| 07 Jan 2016 | USN-2836-1 | grub2 vulnerability | ||
| 07 Jan 2016 | USN-2835-1 | git vulnerability | ||
| 07 Jan 2016 | USN-2834-1 | libxml2 vulnerability | ||
| 07 Jan 2016 | USN-2830-1 | OpenSSL vulnerability | ||
| 07 Jan 2016 | USN-2829-1 | Linux kernel vulnerability | ||
| 15 Dez 2015 | CVE-2015-5350 | Garden Nstar vulnerability | ||
| 04 Dez 2015 | USN-2821-1 | GnuTLS vulnerability | ||
| 04 Dez 2015 | USN-2820-1 | dpkg vulnerability | ||
| 02 Dez 2015 | USN-2815-1 | PNG vulnerability | ||
| 02 Dez 2015 | USN-2812-1 | libxml2 vulnerability | ||
| 02 Dez 2015 | USN-2810-1 | Kerberos vulnerability | ||
| 02 Dez 2015 | USN-2787-1 | audiofile vulnerability | ||
| 24 Nov 2015 | USN-2788-1/2788-2 | unzip vulnerability | ||
| 12 Nov 2015 | USN-2798-1 | Linux kernel vulnerability | ||
| 12 Nov 2015 | USN-2806-1 | Linux kernel vulnerability | ||
| 03 Nov 2015 | USN-2778-1 | Linux kernel vulnerabilities | ||
| 03 Nov 2015 | USN-2767-1 | GDK-Pixbuf library vulnerability | ||
| 07 Okt 2015 | Golang | Golang 1.4.3 CVE Fixes | ||
| 07 Okt 2015 | USN-2722-1 | GDK-PixBuf Vulnerabilities | ||
| 07 Okt 2015 | USN-2711-1 | Net-SNMP Vulnerabilities | ||
| 07 Okt 2015 | USN-2739-1 | FreeType Vulnerabilities | ||
| 07 Okt 2015 | USN-2740-1 | ICU Vulnerabilities | ||
| 07 Okt 2015 | USN-2751-1 | Linux Kernel (Vivid HWE) Vulnerability | ||
| 07 Okt 2015 | USN-2756-1 | rpcbind Vulnerability | ||
| 07 Okt 2015 | USN-2765-1 | Linux Kernel (Vivid HWE) Vulnerability | ||
| 08 Sept 2015 | USN-2710-1 | OpenSSH Vulnerabilities | ||
| 08 Sept 2015 | USN-2698-1 | SQLite Vulnerabilities | ||
| 08 Sept 2015 | USN-2694-1 | PCRE Vulnerabilities | ||
| 08 Sept 2015 | USN-2718-1 | Address Configuration Change Vulnerabilities | ||
| 06 Aug 2015 | USN-2696-1 | OpenJDK 7 Vulnerabilities | ||
| 29 Juli 2015 | CVE-2015-3290 | Linux Kernel NMI Vulnerability | ||
| 10 Juli 2015 | CVE-2015-1420 | file_handle size verification | ||
| 06 Juli 2015 | CVE-2015-1330 | Unattended-Upgrades Vulnerability | ||
| 25 Juni 2015 | CVE-2015-3189 | Expire old reset password links | ||
| 25 Juni 2015 | CVE-2015-3190 | Open redirect on Login | ||
| 25 Juni 2015 | CVE-2015-3191 | CSRF attack on change email | ||
| 12 Juni 2015 | USN-2639-1 | OpenSSL vulnerabilities | ||
| 12 Juni 2015 | CVE-2015-3636 | ipv4 use-after-free | ||
| 17 Juni 2015 | CVE-2015-1328 | overlayfs privilege escalation | ||
| 09 Juni 2015 | Redis LUA Sandbox | Redis LUA Exploit | ||
| 22 Mai 2015 | CVE-2015-1834 | Path Traversal Vulnerability | ||
| 22 Mai 2015 | USN-2617-1 | FUSE Vulnerability | ||
| 30 Apr 2015 | CVE-2015-1855 | Ruby OpenSSL Hostname Verification | ||
| 23 März 2015 | CVE-2015-0282 | Multiple GnuTLS Vulnerabilities | ||
| 21 März 2015 | USN-2537-1 | OpenSSL vulnerabilities | ||
| 13 März 2015 | CVE-2014-8159 | Linux Kernel Infiniband Vulnerability | ||
| 09 Feb 2015 | CVE-2014-0227 | Apache Tomcat Request Smuggling | ||
| 28 Jan 2015 | CVE-2015-0235 | GHOST | ||
| 10 Sept 2014 | CVE-2013-4444 | Remote Code Execution in Apache Tomcat | ||
| 16 Okt 2014 | CVE-2014-3566 | SSLV3 POODLE | ||
| 29 Sept 2014 | CVE-2014-7186 | Bash Out-of Bonds | ||
| 25 Sept 2014 | CVE-2014-6271 | Bash - ShellShock | ||
| 19 Sept 2014 | CVE-2014-5119 | glib_gconv_translit_find() exploit | ||
| 18 Aug 2014 | CVE-2014-3153 | Futex requeue exploit | ||
| 05 Juni 2014 | CVE-2014-0224 | SSL/TLS MITM Vulnerability | ||
| 10 Apr 2014 | CVE-2014-0160 | Heartbleed |
[1] This table is not yet a complete list of vulnerabilities in dependencies. Formulating such a list is an extensive undertaking which Pivotal is addressing systematically. When this table becomes a complete and comprehensive list, we will remove this footnote.
Thanks
Note: Reports of vulnerabilities in Pivotal products are listed in the credit section of the associated security announcement.