Weekly Vulnerabilities Reports > September 22 to 28, 2014

Overview

2 new vulnerabilities were reported during this period, including 2 critical vulnerabilities and 0 high severity vulnerabilities. This weekly summary reports vulnerabilities in 74 products from 17 vendors including Apple, Debian, IBM, Oracle, and Opensuse. Vulnerabilities are notably categorized as "OS Command Injection".

  • 2 reported vulnerabilities are remotely exploitable.
  • 16 reported vulnerabilities have a public exploit available.
  • 2 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 2 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 2 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

Summary counters (dashboard tiles; category labels only): total vulnerabilities, critical risk vulnerabilities, high risk vulnerabilities, medium risk vulnerabilities, low risk vulnerabilities, remotely exploitable, locally exploitable, exploit available, exploitable anonymously, affecting web application.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

2 Critical Vulnerabilities

DATE: 2014-09-25
CVE: CVE-2014-7169
VENDOR: GNU, Arista, Oracle, Qnap, Mageia, Redhat, Suse, Opensuse, Debian, IBM, Canonical, Novell, Checkpoint, F5, Citrix, Apple, Vmware
VULNERABILITY: OS Command Injection vulnerability in multiple products
CVSS: 9.8

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
DATE: 2014-09-24
CVE: CVE-2014-6271
VENDOR: GNU, Arista, Oracle, Qnap, Mageia, Redhat, Suse, Opensuse, Debian, IBM, Canonical, Novell, Checkpoint, F5, Citrix, Apple, Vmware
VULNERABILITY: OS Command Injection vulnerability in multiple products
CVSS: 9.8

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

0 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

0 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS