Pivotal Application Security Team
Overview
The Pivotal Application Security Team provides a single point of contact for the reporting of security vulnerabilities in Pivotal products and coordinates the process of investigating any reported vulnerabilities.
If you would like to subscribe to updates to this page, the RSS feed for all vulnerability reports is available at https://tanzu.vmware.com/security/rss or https://tanzu.vmware.com/security/parsed/rss. The RSS feed for just the notable vulnerabilities in dependences is available at https://tanzu.vmware.com/security/dependencies/rss and the RSS feed for just Pivotal product vulnerabilities is available at https://tanzu.vmware.com/security/pivotal/rss.
Reporting a vulnerability
We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.
Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in Pivotal products and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security related queries at this address.
The e-mail address to use to contact the Pivotal Application Security Team is security@pivotal.io.
The fingerprint is: AA8F D966 7001 70B7 087E B407 04A1 595B 8F19 137B
It can be obtained from a public key server such as pgp.mit.edu.
Pivotal Product Vulnerability Reports
| Date | CVE Reference | Description | ||
| 01 Jun 2020 | CVE-2020-5410 | Directory Traversal with spring-cloud-config-server | ||
| 26 May 2020 | CVE-2019-15605 | Node.js is vulnerable to request smuggling | ||
| 13 May 2020 | CVE-2020-5409 | Concourse Open Redirect in the /sky/login endpoint | ||
| 07 May 2020 | CVE-2020-5408 | Dictionary attack with Spring Security queryable text encryptor | ||
| 07 May 2020 | CVE-2020-5407 | Signature Wrapping Vulnerability with spring-security-saml2-service-provider | ||
| 14 Apr 2020 | CVE-2020-5402 | UAA fails to check the state parameter when authenticating with external IDPs | ||
| 09 Apr 2020 | CVE-2020-5406 | PCF Autoscaling logs its database credentials | ||
| 06 Apr 2020 | CVE-2019-11282 | UAA is vulnerable to a Blind SCIM injection leading to information disclosure | ||
| 06 Apr 2020 | CVE-2020-5400 | Cloud Controller logs environment variables from app manifests | ||
| 04 Mar 2020 | CVE-2019-11290 | UAA logs query parameters in tomcat access file | ||
| 04 Mar 2020 | VARIOUS-JACKSON-CVES-UAA | Various CVEs UAA consumes vulnerable versions of FasterXML jackson-databind | ||
| 03 Mar 2020 | CVE-2019-11253 | PKS is vulnerable to a YAML/JSON parsing "Billion Laughs" Attack | ||
| 27 Feb 2020 | CVE-2020-5404 | Authentication Leak On Redirect With Reactor Netty HttpClient | ||
| 27 Feb 2020 | CVE-2020-5403 | DoS Via Malformed URL with Reactor Netty HTTP Server | ||
| 26 Feb 2020 | CVE-2020-5405 | Directory Traversal with spring-cloud-config-server | ||
| 24 Feb 2020 | CVE-2020-5401 | GoRouter is vulnerable to a cache poisoning DoS | ||
| 12 Feb 2020 | CVE-2020-5399 | CredHub does not properly enable TLS for MySQL database connections | ||
| 11 Feb 2020 | CVE-2019-19604 | Git submodule loading vulnerability | ||
| 16 Jan 2020 | CVE-2020-5398 | RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application | ||
| 16 Jan 2020 | CVE-2020-5397 | CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux | ||
| 15 Jan 2020 | CVE-2019-11288 | tc Server JMX Socket Listener Registry Rebinding Local Privilege Escalation | ||
| 10 Jan 2020 | CVE-2019-18802 | CVE-2019-18801, CVE-2019-18838, MySQL for Pivotal Platform consumes a vulnerable version of Envoy | ||
| 08 Jan 2020 | CVE-2019-11292 | Ops Manager logs query parameters in tomcat access file | ||
| 04 Dec 2019 | CVE-2019-9517 | CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518, CVE-2019-9511, CVE-2019-9516, Some Pivotal products are impacted by HTTP/2 denial of service attacks | ||
| 04 Dec 2019 | CVE-2019-19029 | SQL Injection via user-groups in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dec 2019 | CVE-2019-19026 | SQL Injection via project quotas in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dec 2019 | CVE-2019-19025 | Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dec 2019 | CVE-2019-19023 | Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform | ||
| 04 Dec 2019 | CVE-2019-3990 | User Enumeration Flaw in VMware Harbor Container Registry for Pivotal Platform | ||
| 03 Dec 2019 | CVE-2019-11293 | UAA logs all query parameters with debug logging level | ||
| 22 Nov 2019 | CVE-2019-11287 | RabbitMQ Web Management Plugin DoS via heap overflow | ||
| 22 Nov 2019 | CVE-2019-11291 | RabbitMQ XSS attack via federation and shovel endpoints | ||
| 18 Nov 2019 | CVE-2019-11289 | A forged route service request using an invalid nonce can cause the gorouter to panic and crash | ||
| 06 Nov 2019 | CVE-2019-9893 | libseccomp incorrectly generate 64-bit syscall argument comparisons | ||
| 28 Oct 2019 | CVE-2019-16869 | Reactor Netty Consumes a Vulnerable Version of Netty | ||
| 24 Oct 2019 | CVE-2019-11249 | PKS consumes a vulnerable version of kubectl | ||
| 23 Oct 2019 | CVE-2019-11283 | Password leak in smbdriver logs | ||
| 17 Oct 2019 | CVE-2019-16919 | Broken access control vulnerability in Harbor API | ||
| 15 Oct 2019 | CVE-2019-11278 | Privilege Escalation via Blind SCIM Injection in UAA | ||
| 15 Oct 2019 | CVE-2019-11279 | Privilege Escalation via Scope Manipulation in UAA | ||
| 15 Oct 2019 | CVE-2019-11247 | Kubernetes API Server Vulnerability | ||
| 15 Oct 2019 | CVE-2018-15664 | Docker Symlink Directory Traversal Vulnerability | ||
| 15 Oct 2019 | CVE-2019-13139 | Docker build code execution | ||
| 14 Oct 2019 | CVE-2019-11281 | RabbitMQ XSS attack | ||
| 11 Oct 2019 | CVE-2019-11284 | Reactor Netty authentication leak in redirects | ||
| 25 Sep 2019 | CVE-2019-11275 | CSV Injection in usage report downloaded from Pivotal Application Manager | ||
| 23 Sep 2019 | CVE-2019-11277 | Volume Services is vulnerable to an LDAP injection attack | ||
| 19 Sep 2019 | CVE-2019-11280 | Privilege escalation through the invitations service | ||
| 20 Aug 2019 | CVE-2019-3775 | UAA allows users to modify their own email address | ||
| 20 Aug 2019 | CVE-2019-3788 | UAA redirect-uri allows wildcards in the subdomain | ||
| 20 Aug 2018 | CVE-2019-3787 | UAA defaults email address to an insecure domain | ||
| 20 Aug 2019 | CVE-2019-10164 | Critical Security Issue in PostgreSQL | ||
| 19 Aug 2019 | CVE-2019-11276 | Apps Manager sends tokens to Spring apps via HTTP | ||
| 15 Aug 2019 | CVE-2017-15694 | Pivotal GemFire and Cloud Cache consume vulnerable versions of Apache Geode | ||
| 14 Aug 2019 | CVE-2019-13232 | ClamAV Add-on for PCF consumes a vulnerable version of ClamAV | ||
| 01 Aug 2019 | CVE-2019-11270 | UAA clients.write vulnerability | ||
| 25 Jul 2019 | CVE-2019-3800 | CF CLI writes the client id and secret to config file | ||
| 25 Jul 2019 | CVE-2019-3781 | CF CLI does not sanitize user's password in verbose/trace/debug | ||
| 23 Jul 2019 | CVE-2019-11273 | PKS Telemetry logs credentials | ||
| 22 Jul 2019 | VARIOUS-SQL | Various MySQL Security Updates from July 2018 through January 2019 | ||
| 22 Jul 2019 | USN-4017-1 | Linux kernel vulnerabilities | ||
| 18 Jul 2019 | CVE-2019-3786 | BBR could run arbitrary scripts on deployment VMs | ||
| 28 Jun 2019 | CVE-2019-11271 | Bosh Deployment logs leak sensitive information | ||
| 19 Jun 2019 | CVE-2019-11272 | PlaintextPasswordEncoder authenticates encoded passwords that are null | ||
| 30 May 2019 | CVE-2019-5021 | Tile generator affected by insecure default password | ||
| 30 May 2019 | CVE-2019-11269 | Open Redirector in spring-security-oauth2 | ||
| 24 May 2019 | CVE-2019-3790 | Ops Manager uaa client issues tokens after refresh token expiration | ||
| 13 May 2019 | CVE-2019-3802 | Additional information exposure with Spring Data JPA example matcher | ||
| 25 Apr 2019 | CVE-2019-3801 | Java Projects using HTTP to fetch dependencies | ||
| 24 Apr 2019 | CVE-2019-3798 | Escalation of Privileges in Cloud Controller | ||
| 24 Apr 2019 | CVE-2019-3789 | Gorouter allows space developer to hijack route services hosted outside the platform | ||
| 16 Apr 2019 | CVE-2019-3799 | Directory Traversal with spring-cloud-config-server | ||
| 12 Apr 2019 | CVE-2019-3793 | Invitations Service supports HTTP connections | ||
| 08 Apr 2019 | CVE-2019-3797 | Additional information exposure with Spring Data JPA derived queries | ||
| 04 Apr 2019 | CVE-2019-3795 | Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security | ||
| 01 Apr 2019 | CVE-2019-9946 | Kubernetes affecting certain network configurations with CNI | ||
| 01 Apr 2019 | CVE-2019-1002100 | Kubernetes API Server Patch Request Consumes Excess Resource Cause Denial of Service | ||
| 01 Apr 2019 | CVE-2019-1002101 | Kubernetes kubectl - potential directory traversal | ||
| 25 Mar 2019 | CVE-2019-3792 | Concourse 5.0.0 SQL Injection vulnerability | ||
| 07 Mar 2019 | CVE-2019-8331 | Bootstrap XSS | ||
| 28 Feb 2019 | CVE-2018-15754 | UAA issues tokens across identity providers if users with matching usernames exist | ||
| 26 Feb 2019 | CVE-2019-3777 | Apps Manager unverified SSL certs in Cloud Controller proxy | ||
| 21 Feb 2019 | CVE-2019-3778 | Open Redirector in spring-security-oauth2 | ||
| 19 Feb 2019 | CVE-2019-3776 | Reflected XSS in Pivotal Operations Manager | ||
| 14 Feb 2019 | CVE-2019-3780 | Cloud Foundry Container Runtime Leaks IAAS Credentials | ||
| 14 Feb 2019 | CVE-2019-3779 | Pivotal Container Service allows a user to bypass security policy when talking to ETCD | ||
| 14 Jan 2019 | CVE-2019-3772 | XML External Entity Injection (XXE) | ||
| 14 Jan 2019 | CVE-2019-3773 | XML External Entity Injection (XXE) | ||
| 14 Jan 2019 | CVE-2019-3774 | XML External Entity Injection (XXE) | ||
| 08 Jan 2019 | KUBERNETES-API-SERVER | Kubernetes API Server acts as proxy for internal and external IPs | ||
| 08 Jan 2019 | CVE-2019-3803 | Concourse includes token in CLI authentication callback | ||
| 04 Jan 2019 | CVE-2018-18264 | Kubernetes Dashboard TLS Certificate Leak | ||
| 18 Dec 2018 | CVE-2018-15801 | Authorization Bypass During JWT Issuer Validation with spring-security | ||
| 13 Dec 2018 | CVE-2018-15798 | Pivotal Concourse allows malicious redirect urls on login | ||
| 05 Dec 2018 | CVE-2018-1279 | RabbitMQ cluster compromise due to deterministically generated cookie | ||
| 15 Nov 2018 | CVE-2018-15759 | On Demand Services SDK Timing Attack Vulnerability | ||
| 09 Nov 2018 | CVE-2018-15795 | CredHub Service Broker uses guessable client secret | ||
| 29 Oct 2018 | CVE-2018-15762 | Pivotal Operations Manager gives all users heightened privileges | ||
| 16 Oct 2018 | CVE-2018-15758 | Privilege Escalation in spring-security-oauth2 | ||
| 16 Oct 2018 | CVE-2018-15756 | DoS Attack via Range Requests | ||
| 10 Oct 2018 | CVE-2018-11084 | Garden-runC prevents deletion of some app environments | ||
| 10 Oct 2018 | CVE-2018-15755 | CF networking internal policy server SQL injection | ||
| 03 Oct 2018 | CVE-2018-11083 | BOSH accepts refresh token as access token | ||
| 02 Oct 2018 | CVE-2018-15763 | PKS leaks IaaS credentials to application logs | ||
| 27 Sep 2018 | CVE-2018-11081 | Ops Manager writes UAA credentials to disk | ||
| 13 Sep 2018 | CVE-2018-1198 | PCC bosh deployment logs print a superuser password in plain text | ||
| 13 Sep 2018 | CVE-2018-11088 | CF admin credentials accessible to developers through Applications Manager | ||
| 13 Sep 2018 | CVE-2018-11086 | CF admin credentials accessible to developers through usage service | ||
| 11 Sep 2018 | CVE-2018-11087 | RabbitMQ (Spring-AMQP) Host name verification | ||
| 23 Jul 2018 | CVE-2018-11044 | Apps Manager allows unescaped content in invitation emails | ||
| 10 Jul 2018 | CVE-2018-11045 | Operations Manager image contains static LRNG seed file | ||
| 20 Jun 2018 | CVE-2018-11046 | Operations Manager includes outdated NGINX packages | ||
| 14 Jun 2018 | CVE-2018-11040 | JSONP enabled by default in MappingJackson2JsonView | ||
| 14 Jun 2018 | CVE-2018-11039 | Cross Site Tracing (XST) with Spring Framework | ||
| 11 May 2018 | CVE-2018-1263 | Unsafe Unzip with spring-integration-zip | ||
| 10 May 2018 | CVE-2018-1278 | Apps Manager allows unauthorized org invitations | ||
| 09 May 2018 | CVE-2018-1261 | Unsafe Unzip with spring-integration-zip | ||
| 09 May 2018 | CVE-2018-1260 | Remote Code Execution with spring-security-oauth2 | ||
| 09 May 2018 | CVE-2018-1259 | XXE with Spring Data’s XMLBeam integration | ||
| 09 May 2018 | CVE-2018-1258 | Unauthorized Access with Spring Security Method Security | ||
| 09 May 2018 | CVE-2018-1257 | ReDoS Attack with spring-messaging | ||
| 07 May 2018 | CVE-2018-1280 | Blind SQL injection in Pivotal Greenplum Command Center | ||
| 30 Apr 2018 | CVE-2018-1256 | Issuer validation regression in Spring Cloud SSO Connector | ||
| 10 Apr 2018 | CVE-2018-1274 | Denial of Service with Spring Data | ||
| 10 Apr 2018 | CVE-2018-1273 | RCE with Spring Data Commons | ||
| 09 Apr 2018 | CVE-2018-1275 | Address partial fix for CVE-2018-1270 | ||
| 05 Apr 2018 | CVE-2018-1272 | Multipart Content Pollution with Spring Framework | ||
| 05 Apr 2018 | CVE-2018-1271 | Directory Traversal with Spring MVC on Windows | ||
| 05 Apr 2018 | CVE-2018-1270 | Remote Code Execution with spring-messaging | ||
| 16 Mar 2018 | CVE-2018-1230 | Spring Batch Admin vulnerable to Cross Site Request Forgery | ||
| 16 Mar 2018 | CVE-2018-1229 | Stored XSS in file upload of Spring Batch Admin | ||
| 13 Feb 2018 | CVE-2018-1200 | Apps Manager File Access Vulnerability | ||
| 30 Jan 2018 | CVE-2018-1196 | Symlink privilege escalation attack via Spring Boot launch script | ||
| 29 Jan 2018 | CVE-2018-1199 | Security bypass with static resources | ||
| 16 Oct 2017 | CVE-2017-8028 | Spring-LDAP authentication with userSearch and STARTTLS allows authentication with arbitrary password | ||
| 21 Sep 2017 | CVE-2017-8046 | RCE in PATCH requests in Spring Data REST | ||
| 19 Sep 2017 | CVE-2017-8045 | Remote code execution in spring-amqp | ||
| 15 Sep 2017 | CVE-2017-8039 | Data Binding Expression Vulnerability in Spring Web Flow | ||
| 31 Aug 2017 | CVE-2017-8044 | XSS vulnerability in Single Sign-On for PCF via DOM-based query parameters | ||
| 31 Aug 2017 | CVE-2017-8041 | XSS vulnerability in org name in Single Sign-On for PCF | ||
| 31 Aug 2017 | CVE-2017-8040 | XXE Vulnerability in Single Sign-On for PCF | ||
| 08 Jun 2017 | CVE-2017-4995 | Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets” | ||
| 31 May 2017 | CVE-2017-4971 | Data Binding Expression Vulnerability in Spring Web Flow | ||
| 15 May 2017 | CVE-2017-4975 | Tile generator sets open security groups | ||
| 04 May 2017 | CVE-2017-4966 | RabbitMQ local storage of credentials | ||
| 04 May 2017 | CVE-2017-4965 | XSS vulnerabilities in RabbitMQ management UI | ||
| 27 Mar 2017 | CVE-2017-2773 | Unauthenticated JWT signing algorithm in multiple components | ||
| 24 Mar 2017 | CVE-2017-4955 | Credentials in Elastic Runtime Notifications errand log | ||
| 14 Feb 2017 | CVE-2017-4959 | Pivotal Cloud Foundry account authorization vulnerability | ||
| 09 Feb 2017 | CVE-2016-9880 | Unauthenticated access to GemFire for PCF broker endpoints | ||
| 04 Jan 2017 | CVE-2016-9885 | gfsh exposed over go router for GemFire for PCF | ||
| 28 Dec 2016 | CVE-2016-9879 | Encoded "/" in path variables | ||
| 28 Dec 2016 | CVE-2016-0898 | Service backups log AWS key | ||
| 21 Dec 2016 | CVE-2016-9878 | Directory Traversal in the Spring Framework ResourceServlet | ||
| 19 Dec 2016 | CVE-2016-9877 | RabbitMQ authentication vulnerability | ||
| 31 Oct 2016 | CVE-2016-6657 | PCF Open Redirects | ||
| 31 Oct 2016 | CVE-2016-6656 | Code injection vulnerability via GPHDFS in Greenplum database | ||
| 30 Sep 2016 | CVE-2016-6652 | Spring Data JPA Blind SQL Injection Vulnerability | ||
| 12 Sep 2016 | CVE-2016-0930 | Ops Manager Compilation VMs Vulnerability on vSphere and vCloud | ||
| 27 Jul 2016 | CVE-2016-0896 | IaaS Metadata Endpoint Accessible from Application Containers | ||
| 15 Jul 2016 | CVE-2016-0929 | RabbitMQ for PCF vulnerability | ||
| 07 Jul 2016 | CVE-2016-5007 | Spring Security / MVC Path Matching Inconsistency | ||
| 07 Jul 2016 | CVE-2016-0926 | Apps Manager XSS vulnerability | ||
| 05 Jul 2016 | CVE-2016-4977 | Remote Code Execution (RCE) in Spring Security OAuth | ||
| 29 Jun 2016 | CVE-2016-0928 | PCF Open Redirects | ||
| 24 Jun 2016 | CVE-2016-0897 | Ops Manager vSphere and vCloud vulnerability | ||
| 23 Jun 2016 | CVE-2016-0927 | Ops Manager XSS vulnerability | ||
| 11 Apr 2016 | CVE-2016-2173 | Remote Code Execution in Spring AMQP | ||
| 23 Mar 2016 | CVE-2016-0780 | Cloud Controller Disk Quota Enforcement | ||
| 23 Mar 2016 | CVE-2016-2165 | Loggregator Request URL Paths | ||
| 23 Mar 2016 | CVE-2016-0781 | UAA Persistent XSS Vulnerability | ||
| 03 Feb 2016 | CVE-2016-0883 | Pivotal Ops Manager Weak Authentication Scheme | ||
| 12 Nov 2015 | CVE-2015-5258 | Spring Social CSRF | ||
| 15 Oct 2015 | CVE-2015-5211 | RFD Attack in Spring Framework | ||
| 30 Jun 2015 | CVE-2015-3192 | DoS Attack with XML Input | ||
| 06 Mar 2015 | CVE-2015-0201 | Insufficiently random session id in Java SockJS client | ||
| 13 Jan 2015 | CVE-2014-3626 | Directory Traversal in Grails Resources Plugin | ||
| 11 Nov 2014 | CVE-2014-3625 | Directory Traversal in Spring Framework | ||
| 05 Sep 2014 | CVE-2014-3578 | Directory Traversal in Spring Framework | ||
| 15 Aug 2014 | CVE-2014-3527 | Access Control Bypass in Spring Security | ||
| 28 May 2014 | CVE-2014-0225 | Information Disclosure when using Spring MVC | ||
| 11 Mar 2014 | CVE-2014-1904 | XSS when using Spring MVC | ||
| 11 Mar 2014 | CVE-2014-0097 | Blank password may bypass user authentication | ||
| 11 Mar 2014 | CVE-2014-0054 | Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE) | ||
| 19 Feb 2014 | CVE-2014-0053 | Information Disclosure when using Grails | ||
| 14 Jan 2014 | CVE-2013-6430 | Possible XSS when using Spring MVC | ||
| 14 Jan 2014 | CVE-2013-6429 | Incomplete fix for CVE-2013-7315 (XXE) | ||
| 22 Aug 2013 | CVE-2013-7315 | XML External Entity (XXE) injection in Spring Framework | ||
| 22 Aug 2013 | CVE-2013-4152 | XML eXternal Entity (XXE) injection in Spring Framework |
Notable Vulnerabilities in Dependencies[1]
| Date | CVE Reference | Description | ||
| 14 May 2020 | USN-4318-1 | Linux kernel vulnerabilities | ||
| 23 Apr 2020 | USN-4305-1 | ICU vulnerability | ||
| 23 Apr 2020 | USN-4302-1 | Linux kernel vulnerabilities | ||
| 23 Apr 2020 | USN-4298-1 | SQLite vulnerabilities | ||
| 08 Apr 2020 | USN-4292-1 | rsync vulnerabilities | ||
| 02 Mar 2020 | USN-4293-1 | libarchive vulnerabilities | ||
| 18 Feb 2020 | USN-4287-1 | Linux kernel vulnerabilities | ||
| 10 Feb 2020 | USN-4274-1 | libxml2 vulnerabilities | ||
| 05 Feb 2020 | USN-4269-1 | systemd vulnerabilities | ||
| 03 Feb 2020 | USN-4263-1 | Sudo vulnerability | ||
| 28 Jan 2020 | USN-4256-1 | Cyrus SASL vulnerability | ||
| 28 Jan 2020 | USN-4255-2 | Linux kernel (HWE) vulnerabilities | ||
| 27 Jan 2020 | USN-4252-1 | tcpdump vulnerabilities | ||
| 23 Jan 2020 | USN-4249-1 | e2fsprogs vulnerability | ||
| 23 Jan 2020 | USN-4233-2 | GnuTLS update | ||
| 22 Jan 2020 | USN-4247-2 | python-apt regression | ||
| 22 Jan 2020 | USN-4247-1 | python-apt vulnerabilities | ||
| 22 Jan 2020 | USN-4246-1 | zlib vulnerabilities | ||
| 20 Jan 2020 | USN-4243-1 | libbsd vulnerabilities | ||
| 20 Jan 2020 | USN-4242-1 | Sysstat vulnerabilities | ||
| 19 Jan 2020 | CVE-2020-0601 | Windows Stemcells vulnerable to Windows CryptoAPI Spoofing Vulnerability | ||
| 15 Jan 2020 | USN-4220-1 | Git vulnerabilities | ||
| 15 Jan 2020 | USN-4215-1 | NSS vulnerability | ||
| 15 Jan 2020 | USN-4210-1 | Linux kernel vulnerabilities | ||
| 15 Jan 2020 | USN-4205-1 | SQLite vulnerabilities | ||
| 15 Jan 2020 | USN-4182-3 | Intel Microcode regression | ||
| 14 Jan 2020 | USN-4236-2 | Libgcrypt vulnerability | ||
| 13 Jan 2020 | USN-4235-1 | nginx vulnerability | ||
| 09 Jan 2020 | USN-4233-1 | GnuTLS update | ||
| 08 Jan 2020 | USN-4231-1 | NSS vulnerability | ||
| 07 Jan 2020 | USN-4227-1 | Linux kernel vulnerabilities | ||
| 18 Dec 2019 | USN-4203-1 | NSS vulnerability | ||
| 18 Dec 2019 | USN-4199-1 | libvpx vulnerabilities | ||
| 18 Dec 2019 | USN-4194-1 | postgresql-common vulnerability | ||
| 18 Dec 2019 | USN-4191-1 | QEMU vulnerabilities | ||
| 18 Dec 2019 | USN-4190-1 | libjpeg-turbo vulnerabilities | ||
| 18 Dec 2019 | USN-4185-3 | Linux kernel vulnerability and regression | ||
| 18 Dec 2019 | USN-4185-1 | Linux kernel vulnerabilities | ||
| 18 Dec 2019 | USN-4182-1 | Intel Microcode update | ||
| 18 Dec 2019 | USN-4176-1 | GNU cpio vulnerability | ||
| 18 Dec 2019 | USN-4172-1 | file vulnerability | ||
| 18 Dec 2019 | USN-4169-1 | libarchive vulnerability | ||
| 18 Dec 2019 | USN-4164-1 | Libxslt vulnerabilities | ||
| 18 Dec 2019 | USN-4162-1 | Linux kernel vulnerabilities | ||
| 11 Dec 2019 | USN-4221-1 | libpcap vulnerability | ||
| 25 Nov 2019 | CVE-2019-15587 | Ops Manager contains a vulnerable Loofah gem | ||
| 14 Nov 2019 | USN-3885-2 | OpenSSH vulnerability | ||
| 14 Nov 2019 | USN-4040-1 | Expat vulnerability | ||
| 14 Nov 2019 | USN-4038-1 | bzip2 vulnerabilities | ||
| 14 Nov 2019 | USN-4019-1 | SQLite vulnerabilities | ||
| 14 Nov 2019 | USN-4016-1 | Vim vulnerabilities | ||
| 14 Nov 2019 | USN-4015-1 | DBus vulnerability | ||
| 14 Nov 2019 | USN-4012-1 | elfutils vulnerabilities | ||
| 14 Nov 2019 | USN-4011-1 | Jinja2 vulnerabilities | ||
| 14 Nov 2019 | USN-4008-2 | AppArmor update | ||
| 14 Nov 2019 | USN-4004-1 | Berkeley DB vulnerability | ||
| 14 Nov 2019 | USN-3999-1 | GnuTLS vulnerabilities | ||
| 14 Nov 2019 | USN-3993-1 | curl vulnerabilities | ||
| 14 Nov 2019 | USN-3990-1 | urllib3 vulnerabilities | ||
| 14 Nov 2019 | USN-3968-1 | Sudo vulnerabilities | ||
| 14 Nov 2019 | USN-3967-1 | FFmpeg vulnerabilities | ||
| 14 Nov 2019 | USN-3911-1 | file vulnerabilities | ||
| 06 Nov 2019 | USN-4151-1 | Python vulnerabilities | ||
| 06 Nov 2019 | USN-4144-1 | Linux kernel vulnerabilities | ||
| 06 Nov 2019 | USN-4142-1 | e2fsprogs vulnerability | ||
| 06 Nov 2019 | USN-4132-1 | Expat vulnerability | ||
| 06 Nov 2019 | USN-4129-1 | curl vulnerabilities | ||
| 06 Nov 2019 | USN-4127-1 | Python vulnerabilities | ||
| 06 Nov 2019 | USN-4126-1 | FreeType vulnerability | ||
| 30 Sep 2019 | USN-4135-1 | Linux kernel vulnerabilities | ||
| 30 Sep 2019 | USN-4115-2 | Linux kernel regression | ||
| 30 Sep 2019 | USN-4115-1 | Linux kernel vulnerabilities | ||
| 30 Sep 2019 | USN-4094-1 | Linux kernel vulnerabilities | ||
| 30 Sep 2019 | USN-4071-1 | Patch vulnerabilities | ||
| 30 Sep 2019 | USN-4049-3 | GLib regression | ||
| 24 Sep 2019 | CVE-2019-16097 | Harbor Privilege Escalation | ||
| 05 Sep 2019 | USN-4099-1 | nginx vulnerabilities | ||
| 05 Sep 2019 | USN-4090-1 | PostgreSQL vulnerabilities | ||
| 05 Sep 2019 | USN-4068-2 | Linux kernel (HWE) vulnerabilities | ||
| 05 Sep 2019 | USN-4060-1 | NSS vulnerabilities | ||
| 05 Sep 2019 | USN-4058-1 | Bash vulnerability | ||
| 05 Sep 2019 | USN-4049-1 | GLib vulnerability | ||
| 05 Sep 2019 | USN-4038-3 | bzip2 regression | ||
| 06 Aug 2019 | USN-4041-1 | Linux kernel update | ||
| 05 Aug 2019 | USN-4014-1 | GLib vulnerability | ||
| 05 Aug 2019 | USN-4001-1 | libseccomp vulnerability | ||
| 05 Aug 2019 | USN-3977-3 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 19 Jun 2019 | USN-3981-2 | Linux kernel (HWE) vulnerabilities (AKA ZombieLoad Attack) | ||
| 19 Jun 2019 | USN-3977-2 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 19 Jun 2019 | USN-3977-1 | Intel Microcode update (AKA ZombieLoad Attack) | ||
| 21 May 2019 | USN-3972-1 | PostgreSQL vulnerabilities | ||
| 21 May 2019 | USN-3962-1 | libpng vulnerability | ||
| 21 May 2019 | USN-3960-1 | WavPack vulnerability | ||
| 21 May 2019 | USN-3947-1 | Libxslt vulnerability | ||
| 21 May 2019 | USN-3943-1 | Wget vulnerabilities | ||
| 21 May 2019 | USN-3932-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 May 2019 | USN-3931-2 | Linux kernel (HWE) vulnerabilities | ||
| 08 May 2019 | USN-3935-1 | BusyBox vulnerabilities | ||
| 25 Apr 2019 | USN-3945-1 | Ruby vulnerabilities | ||
| 25 Apr 2019 | USN-3910-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3906-1 | LibTIFF vulnerabilities | ||
| 25 Apr 2019 | USN-3901-2 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3900-1 | GD vulnerabilities | ||
| 25 Apr 2019 | USN-3899-1 | OpenSSL vulnerability | ||
| 25 Apr 2019 | USN-3898-1 | NSS vulnerability | ||
| 25 Apr 2019 | USN-3891-1 | systemd vulnerability | ||
| 25 Apr 2019 | USN-3885-1 | OpenSSH vulnerabilities | ||
| 25 Apr 2019 | USN-3884-1 | libarchive vulnerabilities | ||
| 25 Apr 2019 | USN-3882-1 | curl vulnerabilities | ||
| 25 Apr 2019 | USN-3879-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3871-4 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3864-1 | LibTIFF vulnerabilities | ||
| 25 Apr 2019 | USN-3859-1 | libarchive vulnerabilities | ||
| 25 Apr 2019 | USN-3848-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3847-2 | Linux kernel (HWE) vulnerabilities | ||
| 25 Apr 2019 | USN-3840-1 | OpenSSL vulnerabilities | ||
| 25 Apr 2019 | USN-3834-1 | Perl vulnerabilities | ||
| 25 Apr 2019 | USN-3816-3 | systemd regression | ||
| 25 Apr 2019 | USN-3855-1 | systemd vulnerabilities | ||
| 25 Apr 2019 | USN-3863-1 | APT vulnerability | ||
| 13 Feb 2019 | CVE-2019-5736 | runC container breakout | ||
| 06 Feb 2019 | USN-3836-2 | Linux kernel (HWE) vulnerabilities | ||
| 06 Feb 2019 | USN-3841-1 | lxml vulnerability | ||
| 06 Feb 2019 | USN-3850-1 | NSS vulnerabilities | ||
| 03 Jan 2019 | USN-3843-1 | pixman vulnerability | ||
| 03 Jan 2019 | USN-3816-2 | systemd vulnerability | ||
| 03 Jan 2019 | USN-3839-1 | WavPack vulnerabilities | ||
| 03 Jan 2019 | USN-3829-1 | Git vulnerabilities | ||
| 14 Dec 2018 | USN-3805-1 | curl vulnerabilities | ||
| 14 Dec 2018 | USN-3809-1 | OpenSSH vulnerabilities | ||
| 14 Dec 2018 | USN-3812-1 | nginx vulnerabilities | ||
| 14 Dec 2018 | USN-3815-1 | gettext vulnerability | ||
| 14 Dec 2018 | USN-3817-1 | Python vulnerabilities | ||
| 14 Dec 2018 | USN-3821-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 12 Dec 2018 | USN-3820-2 | Linux kernel (HWE) vulnerabilities | ||
| 12 Dec 2018 | USN-3816-1 | systemd vulnerabilities | ||
| 12 Dec 2018 | USN-3806-1 | systemd vulnerability | ||
| 12 Dec 2018 | USN-3808-1 | Ruby vulnerabilities | ||
| 03 Dec 2018 | CVE-2018-15797 | NFS Volume release errand leaks cf admin credentials in logs | ||
| 03 Dec 2018 | CVE-2018-1002105 | Proxy request handling in kube-apiserver can leave vulnerable TCP connections | ||
| 28 Nov 2018 | USN-3797-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 08 Nov 2018 | USN-3800-1 | audiofile vulnerabilities | ||
| 08 Nov 2018 | USN-3791-1 | Git vulnerability | ||
| 08 Nov 2018 | USN-3786-1 | libxkbcommon vulnerabilities | ||
| 08 Nov 2018 | USN-3785-1 | ImageMagick vulnerabilities | ||
| 06 Nov 2018 | CVE-2018-15761 | UAA Privilege Escalation | ||
| 26 Oct 2018 | USN-3790-1 | Requests vulnerability | ||
| 26 Oct 2018 | USN-3777-2 | Linux kernel (HWE) vulnerabilities | ||
| 26 Oct 2018 | USN-3762-2 | Linux kernel (HWE) vulnerabilities | ||
| 09 Oct 2018 | USN-3752-2 | Linux kernel (HWE) vulnerabilities | ||
| 09 Oct 2018 | USN-3765-1 | curl vulnerability | ||
| 09 Oct 2018 | USN-3767-1 | GLib vulnerabilities | ||
| 09 Oct 2018 | USN-3770-1 | Little CMS vulnerabilities | ||
| 27 Sep 2018 | USN-3759-1 | libtirpc vulnerabilities | ||
| 27 Sep 2018 | USN-3758-1 | libx11 vulnerabilities | ||
| 27 Sep 2018 | USN-3756-1 | Intel Microcode vulnerabilities | ||
| 27 Sep 2018 | USN-3755-1 | GD vulnerabilities | ||
| 27 Sep 2018 | USN-3753-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sep 2018 | USN-3744-1 | PostgreSQL vulnerabilities | ||
| 27 Sep 2018 | USN-3741-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sep 2018 | USN-3739-1 | libxml2 vulnerabilities | ||
| 27 Sep 2018 | USN-3736-1 | libarchive vulnerabilities | ||
| 27 Sep 2018 | USN-3733-1 | GnuPG vulnerability | ||
| 27 Sep 2018 | USN-3729-1 | libxcursor vulnerability | ||
| 27 Sep 2018 | USN-3712-1 | libpng vulnerabilities | ||
| 27 Sep 2018 | USN-3696-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Sep 2018 | USN-3692-1 | OpenSSL vulnerabilities | ||
| 27 Sep 2018 | USN-3690-2 | AMD Microcode regression | ||
| 27 Sep 2018 | USN-3690-1 | AMD Microcode update | ||
| 27 Sep 2018 | USN-3689-1 | Libgcrypt vulnerability | ||
| 27 Sep 2018 | USN-3605-1 | Sharutils vulnerability | ||
| 27 Sep 2018 | USN-3589-1 | PostgreSQL vulnerability | ||
| 27 Sep 2018 | USN-3564-1 | PostgreSQL vulnerability | ||
| 27 Sep 2018 | USN-3532-1 | GDK-PixBuf vulnerabilities | ||
| 27 Sep 2018 | USN-3509-4 | Linux kernel (Xenial HWE) regression | ||
| 27 Sep 2018 | USN-3352-1 | nginx vulnerability | ||
| 09 Aug 2018 | CVE-2018-8037 | Apache Tomcat - NIO/NIO2 connectors user sessions can get mixed up | ||
| 09 Aug 2018 | CVE-2018-1336 | Apache Tomcat - UTF-8 decoder can lead to DoS | ||
| 02 Aug 2018 | USN-3711-1 | ImageMagick vulnerabilities | ||
| 02 Aug 2018 | USN-3707-1 | NTP vulnerabilities | ||
| 02 Aug 2018 | USN-3706-1 | libjpeg-turbo vulnerabilities | ||
| 23 Jul 2018 | CVE-2018-11047 | UAA accepts refresh token as access token on admin endpoints | ||
| 20 Jul 2018 | USN-3693-1 | JasPer vulnerabilities | ||
| 20 Jul 2018 | USN-3686-1 | file vulnerabilities | ||
| 20 Jul 2018 | USN-3684-1 | Perl vulnerability | ||
| 20 Jul 2018 | USN-3681-1 | ImageMagick vulnerabilities | ||
| 20 Jul 2018 | USN-3676-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 20 Jul 2018 | USN-3675-1 | GnuPG vulnerabilities | ||
| 20 Jul 2018 | USN-3658-1 | procps-ng vulnerabilities | ||
| 17 Jul 2018 | CVE-2018-11041 | UAA open redirect | ||
| 16 Jul 2018 | CVE-2018-1269 | Loggregator does not properly close some TCP connections | ||
| 16 Jul 2018 | CVE-2018-1268 | Loggregator lacks app GUID validation | ||
| 19 Jun 2018 | CVE-2018-1265 | Diego does not properly sanitize file paths in tar/zip files | ||
| 21 Jun 2018 | USN-3671-1 | Git vulnerabilities | ||
| 21 Jun 2018 | USN-3654-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 Jun 2018 | USN-3648-1 | curl vulnerabilities | ||
| 14 Jun 2018 | USN-3643-1 | Wget vulnerability | ||
| 14 Jun 2018 | USN-3641-1 | Linux kernel vulnerabilities | ||
| 14 Jun 2018 | USN-3631-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Jun 2018 | USN-3628-1 | OpenSSL vulnerability | ||
| 14 Jun 2018 | USN-3625-1 | Perl vulnerabilities | ||
| 14 Jun 2018 | USN-3624-1 | Patch vulnerabilities | ||
| 14 Jun 2018 | USN-3622-1 | Wayland vulnerability | ||
| 21 May 2018 | CVE-2018-1277 | Garden does not correctly enforce Docker image disc quotas | ||
| 21 May 2018 | CVE-2018-1276 | Windows2012R2 stemcell exposes IaaS metadata on vSphere | ||
| 10 May 2018 | MS-ISAC-2018-046 | MS-ISAC 2018-046 Multiple Vulnerabilities in PHP | ||
| 08 May 2018 | CVE-2018-1191 | Garden may log Docker passwords | ||
| 02 May 2018 | USN-3619-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 02 May 2018 | USN-3611-1 | OpenSSL vulnerability | ||
| 02 May 2018 | USN-3610-1 | ICU vulnerability | ||
| 02 May 2018 | USN-3606-1 | LibTIFF vulnerabilities | ||
| 02 May 2018 | USN-3604-1 | libvorbis vulnerabilities | ||
| 02 May 2018 | USN-3602-1 | LibTIFF vulnerabilities | ||
| 02 May 2018 | USN-3598-1 | curl vulnerabilities | ||
| 02 May 2018 | USN-3586-1 | DHCP vulnerabilities | ||
| 02 May 2018 | USN-3584-1 | sensible-utils vulnerability | ||
| 02 May 2018 | USN-3569-1 | libvorbis vulnerabilities | ||
| 02 May 2018 | USN-3554-1 | curl vulnerabilities | ||
| 02 May 2018 | USN-3547-1 | Libtasn1 vulnerabilities | ||
| 02 May 2018 | USN-3543-1 | rsync vulnerabilities | ||
| 02 May 2018 | USN-3534-1 | GNU C Library vulnerabilities | ||
| 02 May 2018 | USN-3506-1 | rsync vulnerabilities | ||
| 02 May 2018 | USN-3501-1 | libxcursor vulnerability | ||
| 02 May 2018 | USN-3346-2 | Bind regression | ||
| 30 Apr 2018 | CVE-2018-1197 | GCP Metadata Endpoint Accessible from Application Containers on Windows | ||
| 05 Apr 2018 | CVE-2018-1266 | Cloud Controller file modification via malicious application | ||
| 05 Apr 2018 | CVE-2018-1231 | BOSH CLI does not restrict access to configuration file | ||
| 03 Apr 2018 | USN-3582-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 Mar 2018 | CVE-2018-1195 | Cloud Controller API will accept a refresh token for authentication | ||
| 28 Mar 2018 | CVE-2018-1192 | UAA SessionID present in Audit Event Logs | ||
| 28 Mar 2018 | CVE-2018-1190 | XSS on UAA OpenID Connect check session iframe endpoint | ||
| 09 Mar 2018 | CVE-2018-1227 | Concourse-dot-ci Domain Issue | ||
| 27 Feb 2018 | VU475445 | VU#475445 SAML Authentication Bypass | ||
| 27 Feb 2018 | CVE-2018-1221 | Gorouter websocket handling vulnerability | ||
| 01 Feb 2018 | USN-3540-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 01 Feb 2018 | USN-3538-1 | OpenSSH vulnerabilities | ||
| 01 Feb 2018 | USN-3535-1 | Bind vulnerability | ||
| 01 Feb 2018 | USN-3522-4 | Linux (Xenial HWE) vulnerability | ||
| 01 Feb 2018 | USN-3522-2 | Linux (Xenial HWE) vulnerability | ||
| 01 Feb 2018 | USN-3513-1 | libxml2 vulnerability | ||
| 01 Feb 2018 | USN-3504-1 | libxml2 vulnerability | ||
| 03 Jan 2018 | Meltdown and Spectre Attacks | Meltdown and Spectre Attacks | ||
| 19 Dec 2017 | CVE-2017-1000353 | Jenkins unauthenticated remote code execution | ||
| 15 Dec 2017 | USN-3509-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dec 2017 | USN-3505-1 | Linux firmware vulnerabilities | ||
| 15 Dec 2017 | USN-3498-1 | curl vulnerabilities | ||
| 15 Dec 2017 | USN-3496-3 | Python vulnerability | ||
| 15 Dec 2017 | USN-3496-1 | Python vulnerability | ||
| 15 Dec 2017 | USN-3489-1 | Berkeley DB vulnerability | ||
| 15 Dec 2017 | USN-3485-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dec 2017 | USN-3478-1 | Perl vulnerabilities | ||
| 15 Dec 2017 | USN-3475-1 | OpenSSL vulnerabilities | ||
| 15 Dec 2017 | USN-3469-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 15 Dec 2017 | USN-3464-1 | Wget vulnerabilities | ||
| 15 Dec 2017 | USN-3458-1 | ICU vulnerability | ||
| 15 Dec 2017 | USN-3457-1 | curl vulnerability | ||
| 21 Nov 2017 | USN-3454-1 | libffi vulnerability | ||
| 21 Nov 2017 | USN-3444-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 21 Nov 2017 | USN-3441-1 | curl vulnerabilities | ||
| 21 Nov 2017 | USN-3437-1 | OCaml vulnerability | ||
| 21 Nov 2017 | USN-3434-1 | Libidn vulnerability | ||
| 21 Nov 2017 | USN-3432-1 | ca-certificates update | ||
| 21 Nov 2017 | USN-3424-1 | libxml2 vulnerabilities | ||
| 21 Nov 2017 | USN-3387-1 | Git vulnerability | ||
| 16 Nov 2017 | CVE-2017-8031 | UAA Denial of Service through client token revocation endpoint | ||
| 15 Nov 2017 | CVE-2017-14388 | GrootFS doesn’t validate DiffIDs | ||
| 11 Oct 2017 | CVE-2017-8048 | Cloud Controller API regression | ||
| 10 Oct 2017 | CVE-2017-8047 | Cloud Foundry router open redirect | ||
| 28 Sep 2017 | USN-3420-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 Sep 2017 | USN-3418-1 | GDK-PixBuf vulnerabilities | ||
| 28 Sep 2017 | USN-3415-1 | tcpdump vulnerabilities | ||
| 28 Sep 2017 | USN-3411-1 | Bazaar vulnerability | ||
| 28 Sep 2017 | USN-3410-1 | GD library vulnerability | ||
| 28 Sep 2017 | USN-3405-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 28 Sep 2017 | USN-3398-1 | graphite2 vulnerabilities | ||
| 08 Sep 2017 | CVE-2017-9805 | Apache Struts Remote Code Execution | ||
| 28 Aug 2017 | USN-3392-2 | Linux kernel (Xenial HWE) regression | ||
| 21 Aug 2017 | USN-3385-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3378-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3367-1 | gdb vulnerabilities | ||
| 14 Aug 2017 | USN-3364-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Aug 2017 | USN-3363-2 | ImageMagick regression References | ||
| 14 Aug 2017 | USN-3363-1 | ImageMagick vulnerabilities | ||
| 14 Aug 2017 | USN-3356-1 | Expat vulnerability | ||
| 14 Aug 2017 | USN-3353-1 | Heimdal vulnerability | ||
| 14 Aug 2017 | USN-3349-1 | NTP vulnerabilities | ||
| 14 Aug 2017 | USN-3347-1 | Libgcrypt vulnerabilities | ||
| 14 Aug 2017 | USN-3346-1 | bind9 vulnerabilities | ||
| 14 Aug 2017 | USN-3344-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 07 Aug 2017 | CVE-2017-8037 | Incomplete fix for Cloud Controller API access to CC VM contents | ||
| 02 Aug 2017 | CVE-2017-9022/CVE-2017-9023 | strongSwan DOS Vulnerabilities | ||
| 01 Aug 2017 | CVE-2017-8038 | Credentials readable from CredHub endpoint | ||
| 25 Jul 2017 | CVE-2017-8036 | Cloud Controller API regression | ||
| 25 Jul 2017 | CVE-2017-8035 | Cloud Controller API access to CC VM contents | ||
| 25 Jul 2017 | CVE-2017-8033 | Cloud Controller API filesystem traversal vulnerability | ||
| 24 Jul 2017 | CVE-2017-8032 | UAA Identity Zone Admin Privilege Escalation | ||
| 05 Jul 2017 | CVE-2017-7485 | PostgreSQL vulnerabilities | ||
| 26 Jun 2017 | CVE-2017-5946 | Directory Traversal in Rubyzip | ||
| 26 Jun 2017 | USN-3334-1 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 26 Jun 2017 | USN-3323-1 | GNU C Library vulnerability | ||
| 26 Jun 2017 | USN-3318-1 | GnuTLS vulnerabilities | ||
| 26 Jun 2017 | USN-3312-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 26 Jun 2017 | USN-3311-1 | libnl vulnerability | ||
| 26 Jun 2017 | USN-3309-1 | Libtasn1 vulnerability | ||
| 26 Jun 2017 | USN-3302-1 | ImageMagick vulnerabilities | ||
| 26 Jun 2017 | USN-3212-2 | LibTIFF regression | ||
| 22 Jun 2017 | USN-3304-1 | Sudo vulnerability | ||
| 08 Jun 2017 | CVE-2017-4994 | Forwarded Headers in UAA | ||
| 08 Jun 2017 | USN-3295-1 | JasPer vulnerabilities | ||
| 08 Jun 2017 | USN-3294-1 | Bash vulnerabilities | ||
| 08 Jun 2017 | USN-3291-3 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 08 Jun 2017 | USN-3287-1 | Git vulnerability | ||
| 08 Jun 2017 | USN-3283-1 | rtmpdump vulnerabilities | ||
| 08 Jun 2017 | USN-3282-1 | FreeType vulnerabilities | ||
| 08 Jun 2017 | USN-3276-2 | shadow regression | ||
| 08 Jun 2017 | USN-3263-1 | FreeType vulnerability | ||
| 08 Jun 2017 | USN-3259-1 | Bind vulnerabilities | ||
| 08 Jun 2017 | USN-3246-1 | Eject vulnerability | ||
| 08 Jun 2017 | USN-3181-1 | OpenSSL vulnerabilities | ||
| 19 May 2017 | CVE-2017-4992 | Privilege escalation with user invitations | ||
| 19 May 2017 | CVE-2017-4991 | UAA password reset vulnerability | ||
| 02 May 2017 | USN-3265-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 01 May 2017 | CVE-2017-4974 | Blind SQL Injection with privileged UAA endpoints | ||
| 20 Apr 2017 | CVE-2015-3281 | HAProxy vulnerabilities | ||
| 20 Apr 2017 | CVE-2017-4973 | Privilege Escalation in UAA | ||
| 20 Apr 2017 | CVE-2017-4972 | Blind SQL Injection in UAA | ||
| 13 Apr 2017 | CVE-2017-4969 | Bug in CC allows users to exceed quotas | ||
| 12 Apr 2017 | USN-3256-2 | Linux kernel (HWE) vulnerability | ||
| 10 Apr 2017 | CVE-2017-4970 | Staticfile buildpack ignores basic authentication when misconfigured | ||
| 06 Apr 2017 | USN-3243-1 | Git vulnerability | ||
| 06 Apr 2017 | USN-3241-1 | audiofile vulnerabilities | ||
| 06 Apr 2017 | USN-3239-2 | GNU C Library Regression | ||
| 06 Apr 2017 | USN-3237-1 | FreeType vulnerability | ||
| 06 Apr 2017 | USN-3235-1 | libxml2 vulnerabilities | ||
| 06 Apr 2017 | USN-3232-1 | ImageMagick vulnerabilities | ||
| 06 Apr 2017 | USN-3227-1 | ICU vulnerabilities | ||
| 06 Apr 2017 | USN-3225-1 | libarchive vulnerabilities | ||
| 06 Apr 2017 | USN-3183-2 | GnuTLS vulnerability | ||
| 05 Apr 2017 | CVE-2017-5649 | Apache Geode privilege escalation vulnerability | ||
| 04 Apr 2017 | USN-3201-1 | Bind vulnerabilities | ||
| 04 Apr 2017 | USN-3234-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 04 Apr 2017 | USN-3228-1 | libevent vulnerabilities | ||
| 04 Apr 2017 | USN-3247-1 | AppArmor vulnerability | ||
| 04 Apr 2017 | USN-3249-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 31 Mar 2017 | USN-3222-1 | ImageMagick vulnerabilities | ||
| 31 Mar 2017 | USN-3213-1 | GD library vulnerabilities | ||
| 31 Mar 2017 | USN-3212-1 | LibTIFF vulnerabilities | ||
| 31 Mar 2017 | USN-3205-1 | tcpdump vulnerabilities | ||
| 31 Mar 2017 | USN-3142-2 | ImageMagick vulnerabilities | ||
| 29 Mar 2017 | CVE-2017-4963 | Session Fixation for UAA External Authentication | ||
| 17 Mar 2017 | USN-3196-1 | Multiple PHP vulnerabilities | ||
| 17 Mar 2017 | USN-3185-1 | libXpm vulnerability | ||
| 17 Mar 2017 | USN-3193-1 | Nettle vulnerability | ||
| 17 Mar 2017 | USN-3183-1 | GnuTLS vulnerabilities | ||
| 14 Mar 2017 | USN-3189-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 14 Mar 2017 | CVE-2017-5638 | Apache Struts Remote Code Execution | ||
| 13 Mar 2017 | USN-3220-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 09 Mar 2017 | CVE-2017-4960 | UAA OAuth DOS via lockout feature | ||
| 01 Mar 2017 | USN-3208-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 31 Jan 2017 | USN-3172-1 | Bind vulnerabilities | ||
| 31 Jan 2017 | USN-3169-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 31 Jan 2017 | USN-3161-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 23 Jan 2017 | CVE-2016-6660 | Cloud Controller logs application environment variables | ||
| 19 Jan 2017 | USN-3024-1 | tomcat6, tomcat7 vulnerabilities | ||
| 12 Jan 2017 | RunC Exec | RunC Exec Vulnerability | ||
| 10 Jan 2017 | CVE-2016-9882 | Cloud Foundry Logs Service Credentials | ||
| 29 Dec 2016 | CVE-2016-3958 and CVE-2016-3959 | Golang vulnerabilities | ||
| 27 Dec 2016 | USN-3146-2 | Linux kernel (Xenial HWE) vulnerabilities | ||
| 27 Dec 2016 | USN-3128-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 27 Dec 2016 | USN-3142-1 | ImageMagick vulnerabilities | ||
| 19 Dec 2016 | CVE-2016-8219 | Space Auditor can restage apps | ||
| 21 Dec 2016 | Multiple CVEs | httpoxy vulnerabilities | ||
| 20 Dec 2016 | USN-3156-1 | APT vulnerability | ||
| 19 Dec 2016 | USN-3131-1 | ImageMagick vulnerabilities | ||
| 19 Dec 2016 | USN-3067-1 | HarfBuzz vulnerabilities | ||
| 19 Dec 2016 | USN-3117-1 | GD library vulnerabilities | ||
| 14 Dec 2016 | USN-3132-1 | tar vulnerability | ||
| 14 Dec 2016 | USN-3134-1 | Python vulnerabilities | ||
| 14 Dec 2016 | USN-3139-1 | Vim vulnerability | ||
| 14 Dec 2016 | CVE-2016-6659 | UAA Privilege Escalation | ||
| 14 Dec 2016 | USN-3116-1 | DBus vulnerabilities | ||
| 14 Dec 2016 | USN-3119-1 | Bind vulnerability | ||
| 13 Dec 2016 | USN-3123-1 | curl vulnerabilities | ||
| 13 Dec 2016 | USN-3088-1 | Bind vulnerability | ||
| 09 Dec 2016 | CVE-2016-8218 | Unauthenticated JWT signing algorithm in routing | ||
| 07 Dec 2016 | USN-3151-2 | Linux kernel (Xenial HWE) vulnerability | ||
| 17 Nov 2016 | CVE-2016-6663/CVE-2016-6664 | MariaDB Root Privilege Escalation | ||
| 17 Nov 2016 | Several | PCRE vulnerabilities prior to version 8.39 | ||
| 07 Nov 2016 | USN-3096-1 | NTP vulnerabilities | ||
| 07 Nov 2016 | USN-3095-1 | PHP vulnerabilities | ||
| 02 Nov 2016 | CVE-2016-6658 | Incomplete fix for Credential Vulnerability for Custom Buildpacks | ||
| 21 Oct 2016 | CVE-2016-5195 | Linux kernel vulnerability | ||
| 17 Oct 2016 | CVE-2016-6655 | Utility Script Command Injection | ||
| 17 Oct 2016 | USN-3099-2 | Linux kernel vulnerabilities | ||
| 29 Sep 2016 | CVE-2016-6653 | MySQL Audit logs sent to Syslog | ||
| 28 Sep 2016 | USN-3087-2 | OpenSSL Regression | ||
| 28 Sep 2016 | USN-3083-1 | Linux kernel vulnerabilities | ||
| 28 Sep 2016 | USN-3068-1 | Libidn vulnerabilities | ||
| 28 Sep 2016 | CVE-2016-6662 | Multiple MySQL Vulnerabilities | ||
| 28 Sep 2016 | USN-3085-1 | GDK-PixBuf vulnerabilities | ||
| 26 Sep 2016 | CVE-2016-6651 | Privilege Escalation in UAA | ||
| 26 Sep 2016 | CVE-2016-6636 | UAA Open Redirect Vulnerability for Subdomains | ||
| 26 Sep 2016 | CVE-2016-6637 | UAA CSRF Vulnerability for OAuth Approvals | ||
| 21 Sep 2016 | CVE-2014-9130 | LibYAML vulnerability | ||
| 09 Sep 2016 | CVE-2016-6639 | PHP Buildpack exposes .profile file | ||
| 09 Sep 2016 | USN-3045-1 | PHP vulnerabilities | ||
| 25 Aug 2016 | USN-3065-1 | Libgcrypt vulnerability | ||
| 25 Aug 2016 | USN-3064-1 | GnuPG vulnerability | ||
| 25 Aug 2016 | USN-3063-1 | Fontconfig vulnerability | ||
| 25 Aug 2016 | USN-3061-1 | OpenSSH vulnerability | ||
| 25 Aug 2016 | USN-3030-1/USN-3060-1 | GD library vulnerability | ||
| 25 Aug 2016 | USN-3053-1/USN-3037-1 | Linux kernel (Vivid HWE) vulnerability | ||
| 25 Aug 2016 | USN-3048-1 | curl vulnerability | ||
| 25 Aug 2016 | USN-3033-1 | libarchive vulnerability | ||
| 18 Aug 2016 | CVE-2016-5016 | UAA accepts expired certificates | ||
| 26 Jul 2016 | CVE-2016-5006 | Cloud Controller API logs user-provided service credentials | ||
| 13 Jul 2016 | USN-3010-1 | Expat vulnerabilities | ||
| 13 Jul 2016 | CVE-2016-4450 | Nginx Vulnerabilities | ||
| 13 Jul 2016 | USN-3012-1 | Wget vulnerability | ||
| 01 Jul 2016 | USN-3020-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 30 Jun 2016 | CVE-2016-4468 | UAA SQL Injection | ||
| 15 Jun 2016 | USN-3001-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 13 Jun 2016 | CVE-2016-4435 | BOSH Agent Anonymous Endpoint | ||
| 13 Jun 2016 | USN-2994-1 | libxml2 vulnerabilities | ||
| 13 Jun 2016 | USN-2991-1 | nginx vulnerability | ||
| 13 Jun 2016 | USN-2990-1 | ImageMagick vulnerability (a.k.a. ImageTragick) | ||
| 13 Jun 2016 | USN-2987-1 | GD library vulnerabilities | ||
| 13 Jun 2016 | USN-2985-2 | GNU C Library regression | ||
| 13 Jun 2016 | USN-2983-1 | Expat vulnerability | ||
| 13 Jun 2016 | USN-2981-1 | libarchive vulnerabilities | ||
| 13 Jun 2016 | USN-2966-1 | OpenSSH vulnerabilities | ||
| 13 Jun 2016 | USN-2961-1 | Little CMS vulnerability | ||
| 08 Jun 2016 | CVE-2013-7456 | PHP vulnerabilities | ||
| 03 Jun 2016 | USN-2970-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 23 May 2016 | CVE-2016-3084 | UAA Password Reset Vulnerability | ||
| 19 May 2016 | USN-2977-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 17 May 2016 | CVE-2016-3091 | Diego log encoding vulnerability | ||
| 06 May 2016 | USN-2959-1 | OpenSSL vulnerabilities | ||
| 06 May 2016 | USN-2957-1 | Libtasn1 vulnerability | ||
| 06 May 2016 | USN-2949-1 | Linux kernel (Vivid HWE) vulnerabilities | ||
| 06 May 2016 | USN-2943-1 | PCRE vulnerabilities | ||
| 06 May 2016 | USN-2935-2 | PAM regression | ||
| 02 May 2016 | CVE-2015-5170-5173 | UAA Vulnerabilities | ||
| 14 Apr 2016 | Badlock bug | Samba and Windows Vulnerabilities | ||
| 24 Mar 2016 | USN-2939-1 | LibTIFF vulnerabilities | ||
| 24 Mar 2016 | USN-2927-1 | Graphite2 vulnerabilities | ||
| 24 Mar 2016 | USN-2925-1 | Bind9 vulnerabilities | ||
| 24 Mar 2016 | USN-2919-1 | JasPer vulnerabilities | ||
| 24 Mar 2016 | USN-2918-1 | Pixman vulnerabilities | ||
| 24 Mar 2016 | USN-2916-1 | Perl vulnerabilities | ||
| 24 Mar 2016 | USN-2914-1 | OpenSSL vulnerabilities | ||
| 24 Mar 2016 | NPM Ownership Issue | Warning about NPM modules | ||
| 24 Mar 2016 | USN-2938-1 | Git vulnerabilities | ||
| 16 Mar 2016 | USN-2932-1 | Linux kernel vulnerabilities | ||
| 02 Mar 2016 | CVE-2016-0800 | OpenSSL vulnerabilities | ||
| 26 Feb 2016 | USN-2910-1 | Linux kernel vulnerability | ||
| 26 Feb 2016 | CVE-2016-0761 | Docker Image Host Files Corruption | ||
| 19 Feb 2016 | USN-2900-1 | GNU libc vulnerability | ||
| 02 Feb 2016 | CVE-2016-0732 | Privilege Escalation | ||
| 01 Feb 2016 | CVE-2016-0713 | Gorouter XSS | ||
| 22 Jan 2016 | USN-2871-1 | Linux kernel vulnerability | ||
| 20 Jan 2016 | CVE-2016-0715 | Remote Information Disclosure | ||
| 19 Jan 2016 | USN-2865-1 | GnuTLS vulnerability | ||
| 19 Jan 2016 | USN-2861-1 | libpng vulnerability | ||
| 19 Jan 2016 | USN-2868-1 | DHCP vulnerability | ||
| 19 Jan 2016 | USN-2869-1 | OpenSSH vulnerability | ||
| 18 Jan 2016 | CVE-2016-0708 | Remote Information Disclosure | ||
| 07 Jan 2016 | USN-2857-1 | Linux kernel vulnerability | ||
| 07 Jan 2016 | USN-2842-1/USN-2842-2 | Linux kernel vulnerability | ||
| 07 Jan 2016 | USN-2837-1 | bind9 vulnerability | ||
| 07 Jan 2016 | USN-2836-1 | grub2 vulnerability | ||
| 07 Jan 2016 | USN-2835-1 | git vulnerability | ||
| 07 Jan 2016 | USN-2834-1 | libxml2 vulnerability | ||
| 07 Jan 2016 | USN-2830-1 | OpenSSL vulnerability | ||
| 07 Jan 2016 | USN-2829-1 | Linux kernel vulnerability | ||
| 15 Dec 2015 | CVE-2015-5350 | Garden Nstar vulnerability | ||
| 04 Dec 2015 | USN-2821-1 | GnuTLS vulnerability | ||
| 04 Dec 2015 | USN-2820-1 | dpkg vulnerability | ||
| 02 Dec 2015 | USN-2815-1 | PNG vulnerability | ||
| 02 Dec 2015 | USN-2812-1 | libxml2 vulnerability | ||
| 02 Dec 2015 | USN-2810-1 | Kerberos vulnerability | ||
| 02 Dec 2015 | USN-2787-1 | audiofile vulnerability | ||
| 24 Nov 2015 | USN-2788-1/2788-2 | unzip vulnerability | ||
| 12 Nov 2015 | USN-2798-1 | Linux kernel vulnerability | ||
| 12 Nov 2015 | USN-2806-1 | Linux kernel vulnerability | ||
| 03 Nov 2015 | USN-2778-1 | Linux kernel vulnerabilities | ||
| 03 Nov 2015 | USN-2767-1 | GDK-Pixbuf library vulnerability | ||
| 07 Oct 2015 | Golang | Golang 1.4.3 CVE Fixes | ||
| 07 Oct 2015 | USN-2722-1 | GDK-PixBuf Vulnerabilities | ||
| 07 Oct 2015 | USN-2711-1 | Net-SNMP Vulnerabilities | ||
| 07 Oct 2015 | USN-2739-1 | FreeType Vulnerabilities | ||
| 07 Oct 2015 | USN-2740-1 | ICU Vulnerabilities | ||
| 07 Oct 2015 | USN-2751-1 | Linux Kernel (Vivid HWE) Vulnerability | ||
| 07 Oct 2015 | USN-2756-1 | rpcbind Vulnerability | ||
| 07 Oct 2015 | USN-2765-1 | Linux Kernel (Vivid HWE) Vulnerability | ||
| 08 Sep 2015 | USN-2710-1 | OpenSSH Vulnerabilities | ||
| 08 Sep 2015 | USN-2698-1 | SQLite Vulnerabilities | ||
| 08 Sep 2015 | USN-2694-1 | PCRE Vulnerabilities | ||
| 08 Sep 2015 | USN-2718-1 | Address Configuration Change Vulnerabilities | ||
| 06 Aug 2015 | USN-2696-1 | OpenJDK 7 Vulnerabilities | ||
| 29 Jul 2015 | CVE-2015-3290 | Linux Kernel NMI Vulnerability | ||
| 10 Jul 2015 | CVE-2015-1420 | file_handle size verification | ||
| 06 Jul 2015 | CVE-2015-1330 | Unattended-Upgrades Vulnerability | ||
| 25 Jun 2015 | CVE-2015-3189 | Expire old reset password links | ||
| 25 Jun 2015 | CVE-2015-3190 | Open redirect on Login | ||
| 25 Jun 2015 | CVE-2015-3191 | CSRF attack on change email | ||
| 12 Jun 2015 | USN-2639-1 | OpenSSL vulnerabilities | ||
| 12 Jun 2015 | CVE-2015-3636 | ipv4 use-after-free | ||
| 17 Jun 2015 | CVE-2015-1328 | overlayfs privilege escalation | ||
| 09 Jun 2015 | Redis LUA Sandbox | Redis LUA Exploit | ||
| 22 May 2015 | CVE-2015-1834 | Path Traversal Vulnerability | ||
| 22 May 2015 | USN-2617-1 | FUSE Vulnerability | ||
| 30 Apr 2015 | CVE-2015-1855 | Ruby OpenSSL Hostname Verification | ||
| 23 Mar 2015 | CVE-2015-0282 | Multiple GnuTLS Vulnerabilities | ||
| 21 Mar 2015 | USN-2537-1 | OpenSSL vulnerabilities | ||
| 13 Mar 2015 | CVE-2014-8159 | Linux Kernel Infiniband Vulnerability | ||
| 09 Feb 2015 | CVE-2014-0227 | Apache Tomcat Request Smuggling | ||
| 28 Jan 2015 | CVE-2015-0235 | GHOST | ||
| 10 Sep 2014 | CVE-2013-4444 | Remote Code Execution in Apache Tomcat | ||
| 16 Oct 2014 | CVE-2014-3566 | SSLV3 POODLE | ||
| 29 Sep 2014 | CVE-2014-7186 | Bash Out-of Bonds | ||
| 25 Sep 2014 | CVE-2014-6271 | Bash - ShellShock | ||
| 19 Sep 2014 | CVE-2014-5119 | glib_gconv_translit_find() exploit | ||
| 18 Aug 2014 | CVE-2014-3153 | Futex requeue exploit | ||
| 05 Jun 2014 | CVE-2014-0224 | SSL/TLS MITM Vulnerability | ||
| 10 Apr 2014 | CVE-2014-0160 | Heartbleed |
[1] This table is not yet a complete list of vulnerabilities in dependencies. Formulating such a list is an extensive undertaking which Pivotal is addressing systematically. When this table becomes a complete and comprehensive list, we will remove this footnote.
Thanks
Note: Reports of vulnerabilities in Pivotal products are listed in the credit section of the associated security announcement.