본문 바로가기

취약점 정보2

금주 취약점 정리

728x90

ID: CVE-2016-9244 
Title: F5 BIG-IP SSL Information Disclosure Vulnerability 
Vendor: F5 
Description: A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well. 
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 

ID: CVE-2017-3823 Title: Cisco WebEx Google Chrome Extension Remote Code Execution Vulnerability Vendor: Cisco Description: An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. The vulnerability is a design defect in an application programing interface (API) response parser within the extension. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) ID: CVE-2016-7200 Title: Microsoft Edge Scripting Engine Memory Corruption Code Execution Vulnerability Vendor: Microsoft Description: The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243. CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 

ID: CVE-2016-7892 
Title: Adobe Flash Player Use-After-Free Code Execution Vulnerability 
Vendor: Adobe 
Description: Remote exploitation of a use-after-free vulnerability in Adobe's Flash Player could allow attackers to execute arbitrary code. Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited targeted attacks. 
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 

ID: CVE-2016-6366 
Title: Cisco Adaptive Security Appliance SNMP Buffer Overflow Code Execution Vulnerability 
Vendor: Cisco 
Description: Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON. 
CVSS v2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 

ID: CVE-2016-1017 
Title: Adobe Flash Player "AS2 LoadVars" Use-after-free Code Execution Vulnerability (APSA16-10) 
Vendor: Adobe 
Description: Use-after-free vulnerability in the LoadVars.decode function in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, and CVE-2016-1031. 
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 

ID: CVE-2016-0189 
Title: Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability 
Vendor: Microsoft 
Description: The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187. 
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 

728x90