Communications Cloud Native Core Policy

DATE	CVE	VULNERABILITY TITLE	RISK
2020-12-14	CVE-2020-8285	Uncontrolled Recursion vulnerability in multiple products curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. network low complexity haxx debian fedoraproject netapp apple oracle fujitsu siemens splunk CWE-674	7.5
2020-12-14	CVE-2020-8284	A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. network high complexity haxx fedoraproject debian netapp apple oracle fujitsu siemens splunk	3.7
2020-12-14	CVE-2020-8231	Use After Free vulnerability in multiple products Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. network low complexity haxx siemens debian oracle splunk CWE-416	7.5
2020-12-03	CVE-2020-17527	Information Exposure vulnerability in multiple products While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. network low complexity apache netapp debian oracle CWE-200	7.5
2020-11-20	CVE-2020-4788	IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. local high complexity ibm fedoraproject oracle	4.7
2020-11-06	CVE-2020-28196	Uncontrolled Recursion vulnerability in multiple products MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. network low complexity mit fedoraproject netapp oracle CWE-674	7.5
2020-10-12	CVE-2020-15250	Incorrect Permission Assignment for Critical Resource vulnerability in multiple products In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. local low complexity junit debian apache oracle CWE-732	5.5
2020-09-17	CVE-2020-0404	Improper Privilege Management vulnerability in multiple products In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. local low complexity google oracle CWE-269	5.5
2020-09-04	CVE-2019-20916	Path Traversal vulnerability in multiple products The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. network low complexity pypa opensuse debian oracle CWE-22	7.5
2020-09-02	CVE-2020-24553	Cross-site Scripting vulnerability in multiple products Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. network low complexity golang fedoraproject opensuse oracle CWE-79	6.1