Vulnerabilities > Netapp > Oncommand System Manager > High

DATE CVE VULNERABILITY TITLE RISK
2020-12-03 CVE-2020-17527 Information Exposure vulnerability in multiple products
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream.
network
low complexity
apache netapp debian oracle CWE-200
7.5
2020-07-14 CVE-2020-13935 Infinite Loop vulnerability in multiple products
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.
7.5
2020-07-14 CVE-2020-13934 Memory Leak vulnerability in multiple products
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2.
7.5
2020-06-26 CVE-2020-11996 A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds.
network
low complexity
apache canonical oracle opensuse debian netapp
7.5
2020-01-31 CVE-2013-3322 OS Command Injection vulnerability in Netapp Oncommand System Manager 2.0.2/2.1
NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface.
network
low complexity
netapp CWE-78
7.2
2020-01-29 CVE-2013-3321 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Netapp Oncommand System Manager 2.0.2/2.1
NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to include arbitrary files through specially crafted requests to the "diagnostic" page using the SnapMirror log path parameter.
network
high complexity
netapp CWE-829
7.5
2019-12-23 CVE-2019-12418 When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
local
high complexity
apache debian oracle canonical opensuse netapp
7.0
2018-06-22 CVE-2018-12538 Session Fixation vulnerability in multiple products
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
network
low complexity
eclipse netapp CWE-384
8.8
2017-07-03 CVE-2016-5045 Information Exposure vulnerability in Netapp Oncommand System Manager 8.3/8.3.1/8.3.2
NetApp OnCommand System Manager before 9.0 allows remote attackers to obtain sensitive credentials via vectors related to cluster peering setup.
network
high complexity
netapp CWE-200
8.1
2017-02-07 CVE-2016-3063 Improper Encoding or Escaping of Output vulnerability in Netapp Oncommand System Manager
Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors.
network
high complexity
netapp CWE-116
7.5