CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
CVE-2024-32753 (GCVE-0-2024-32753)
Vulnerability from cvelistv5 – Published: 2024-07-11 15:30 – Updated: 2024-08-16 14:50- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| Johnson Controls | TYCO Illustra Pro4 Fixed cameras |
Affected:
0 , ≤ Illustra.SS016.05.03.01.0007
(custom)
|
|
| Johnson Controls | TYCO Illustra Pro4 PTZ cameras |
Affected:
0 , ≤ Illustra.SS010.24.03.00.0005
(custom)
|
|
| Johnson Controls | TYCO Illustra Flex4 Fixed & PTZ cameras |
Affected:
0 , ≤ Illustra.SS018.24.03.00.0010
(custom)
|
|
| Johnson Controls | TYCO Illustra Pro4 MultiSensor Cameras |
Affected:
0 , ≤ Illustra.SS017.24.03.00.0009
(custom)
|
|
| Johnson Controls | TYCO Illustra Flex4 DualSensor Cameras |
Affected:
0 , ≤ Illustra.SS022.24.03.00.0008
(custom)
|
|
| johnsoncontrols | illustra_flex4_dualsensor_firmware |
Affected:
0 , ≤ Illustra.SS022.24.03.00.0008
(custom)
cpe:2.3:o:johnsoncontrols:illustra_flex4_dualsensor_firmware:*:*:*:*:*:*:*:* |
|
| johnsoncontrols | illustra_pro4_multisensor_firmware |
Affected:
0 , ≤ Illustra.SS017.24.03.00.0009
(custom)
cpe:2.3:o:johnsoncontrols:illustra_pro4_multisensor_firmware:*:*:*:*:*:*:*:* |
|
| johnsoncontrols | illustra_flex4_fixed_firmware |
Affected:
0 , ≤ Illustra.SS018.24.03.00.0010
(custom)
cpe:2.3:o:johnsoncontrols:illustra_flex4_fixed_firmware:*:*:*:*:*:*:*:* |
|
| johnsoncontrols | illustra_flex4_ptz_firmware |
Affected:
0 , ≤ Illustra.SS018.24.03.00.0010
(custom)
cpe:2.3:o:johnsoncontrols:illustra_flex4_ptz_firmware:*:*:*:*:*:*:*:* |
|
| johnsoncontrols | illustra_pro4_ptz_firmware |
Affected:
0 , ≤ Illustra.SS010.24.03.00.0005
(custom)
cpe:2.3:o:johnsoncontrols:illustra_pro4_ptz_firmware:*:*:*:*:*:*:*:* |
|
| johnsoncontrols | illustra_pro_gen_4_firmware |
Affected:
0 , ≤ Illustra.SS016.05.03.01.0007
(custom)
cpe:2.3:o:johnsoncontrols:illustra_pro_gen_4_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_flex4_dualsensor_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_flex4_dualsensor_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS022.24.03.00.0008",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_pro4_multisensor_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_pro4_multisensor_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS017.24.03.00.0009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_flex4_fixed_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_flex4_fixed_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_flex4_ptz_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_flex4_ptz_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_pro4_ptz_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_pro4_ptz_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS010.24.03.00.0005",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:johnsoncontrols:illustra_pro_gen_4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "illustra_pro_gen_4_firmware",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "Illustra.SS016.05.03.01.0007",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T19:41:41.470969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:23:41.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TYCO Illustra Pro4 Fixed cameras",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "Illustra.SS016.05.03.01.0007",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TYCO Illustra Pro4 PTZ cameras",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "Illustra.SS010.24.03.00.0005",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TYCO Illustra Flex4 Fixed \u0026 PTZ cameras",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "Illustra.SS018.24.03.00.0010",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TYCO Illustra Pro4 MultiSensor Cameras",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "Illustra.SS017.24.03.00.0009",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TYCO Illustra Flex4 DualSensor Cameras",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "Illustra.SS022.24.03.00.0008",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnder certain circumstances the camera may be susceptible to known vulnerabilities associated with the JQuery versions prior to 3.5.0 third-party component\u003c/span\u003e"
}
],
"value": "Under certain circumstances the camera may be susceptible to known vulnerabilities associated with the JQuery versions prior to 3.5.0 third-party component"
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588: DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T14:50:34.077Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 Fixed\u003c/strong\u003e cameras to \u003cstrong\u003eIllustra.SS016.24.03.00.0007\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 PTZ\u003c/strong\u003e cameras to\u003cstrong\u003e Illustra.SS010.24.03.00.0005\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003eFlex4 Fixed \u0026amp; PTZ\u003c/strong\u003e cameras to \u003cstrong\u003eIllustra.SS018.24.03.00.0010\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003ePro4 MultiSensor \u003c/strong\u003ecameras to \u003cstrong\u003eIllustra.SS017.24.03.00.0009\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUpdate firmware of \u003cstrong\u003eFlex4 DualSensor \u003c/strong\u003ecameras to \u003cstrong\u003eIllustra.SS022.24.03.00.0008\u003c/strong\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "* Update firmware of Pro4 Fixed cameras to Illustra.SS016.24.03.00.0007\n\n\n * Update firmware of Pro4 PTZ cameras to Illustra.SS010.24.03.00.0005\n\n\n * Update firmware of Flex4 Fixed \u0026 PTZ cameras to Illustra.SS018.24.03.00.0010\n\n\n * Update firmware of Pro4 MultiSensor cameras to Illustra.SS017.24.03.00.0009\n\n\n * Update firmware of Flex4 DualSensor cameras to Illustra.SS022.24.03.00.0008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TYCO Illustra Pro Gen 4 - JQuery version",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2024-32753",
"datePublished": "2024-07-11T15:30:39.367Z",
"dateReserved": "2024-04-17T17:26:35.180Z",
"dateUpdated": "2024-08-16T14:50:34.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26293 (GCVE-0-2024-26293)
Vulnerability from cvelistv5 – Published: 2025-07-14 09:18 – Updated: 2025-07-14 14:40- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://resources.avid.com/SupportFiles/attach/Av… | vendor-advisory |
| https://raeph123.github.io/BlogPosts/Avid_Nexis/A… | third-party-advisorytechnical-description |
| https://www.genivia.com/changelog.html | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Avid | Avid NEXIS E-series |
Affected:
0 , < 2025.5.1
(custom)
|
|
| Avid | Avid NEXIS F-series |
Affected:
0 , < 2025.5.1
(custom)
|
|
| Avid | Avid NEXIS PRO+ |
Affected:
0 , < 2025.5.1
(custom)
|
|
| Avid | System Director Appliance (SDA+) |
Affected:
0 , < 2025.5.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26293",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T14:37:19.883688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T14:40:41.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Avid NEXIS E-series",
"vendor": "Avid",
"versions": [
{
"lessThan": "2025.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Avid NEXIS F-series",
"vendor": "Avid",
"versions": [
{
"lessThan": "2025.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"windows"
],
"product": "Avid NEXIS PRO+",
"vendor": "Avid",
"versions": [
{
"lessThan": "2025.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "System Director Appliance (SDA+)",
"vendor": "Avid",
"versions": [
{
"lessThan": "2025.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "DriveByte"
},
{
"lang": "en",
"type": "coordinator",
"value": "CERT-Bund"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Avid Nexis Agent uses a vulnerable gSOAP\nversion. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability.\u003cbr\u003e\u003cp\u003eThis issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.\u003c/p\u003e"
}
],
"value": "The Avid Nexis Agent uses a vulnerable gSOAP\nversion. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability.\nThis issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T09:18:18.045Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://resources.avid.com/SupportFiles/attach/AvidNEXIS/AvidNEXIS_2025_5_1_ReadMe.pdf"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.genivia.com/changelog.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Path Traversal affecting Avid NEXIS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2024-26293",
"datePublished": "2025-07-14T09:18:18.045Z",
"dateReserved": "2024-02-16T16:12:43.383Z",
"dateUpdated": "2025-07-14T14:40:41.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21421 (GCVE-0-2024-21421)
Vulnerability from cvelistv5 – Published: 2024-03-12 16:57 – Updated: 2025-05-03 00:46- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:20:40.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Azure SDK Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21421"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T19:21:36.716605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:16:37.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure SDK",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.29.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_sdk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.29.5",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2024-03-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Azure SDK Spoofing Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-03T00:46:37.963Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure SDK Spoofing Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21421"
}
],
"title": "Azure SDK Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2024-21421",
"datePublished": "2024-03-12T16:57:43.762Z",
"dateReserved": "2023-12-08T22:45:21.301Z",
"dateUpdated": "2025-05-03T00:46:37.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-14031 (GCVE-0-2024-14031)
Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:30- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://github.com/advisories/GHSA-w77f-wv46-4vcx | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2019-11922 | vendor-advisory |
| https://metacpan.org/release/YVES/Sereal-Encoder-… | release-notes |
| Vendor | Product | Version | |
|---|---|---|---|
| YVES | Sereal::Encoder |
Affected:
4.000 , ≤ 4.009_002
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-14031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:19:21.141997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:19:27.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Encoder",
"product": "Sereal::Encoder",
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThanOrEqual": "4.009_002",
"status": "affected",
"version": "4.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:30:00.649Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Encoder-4.010/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Encoder version 4.010 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-02-06T00:00:00.000Z",
"value": "Sereal::Encoder version 4.001_001 released."
},
{
"lang": "en",
"time": "2018-12-27T00:00:00.000Z",
"value": "Zstandard 1.3.8 released."
},
{
"lang": "en",
"time": "2019-07-25T00:00:00.000Z",
"value": "CVE-2019-11922 for Zstandard published"
},
{
"lang": "en",
"time": "2020-02-04T00:00:00.000Z",
"value": "Sereal::Encoder version 4.010 released."
},
{
"lang": "en",
"time": "2023-02-09T00:00:00.000Z",
"value": "Advisory added to the CPANSA database."
},
{
"lang": "en",
"time": "2024-02-17T00:00:00.000Z",
"value": "Advisory updated in the CPANSA database."
}
],
"title": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-14031",
"datePublished": "2026-03-31T11:31:28.100Z",
"dateReserved": "2026-03-29T15:12:06.674Z",
"dateUpdated": "2026-04-01T16:30:00.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-14030 (GCVE-0-2024-14030)
Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:29- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://github.com/advisories/GHSA-w77f-wv46-4vcx | vendor-advisory |
| https://www.cve.org/CVERecord?id=CVE-2019-11922 | vendor-advisory |
| https://metacpan.org/release/YVES/Sereal-Decoder-… | release-notes |
| Vendor | Product | Version | |
|---|---|---|---|
| YVES | Sereal::Decoder |
Affected:
4.000 , ≤ 4.009_002
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-14030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:18:18.323057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:18:55.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Decoder",
"product": "Sereal::Decoder",
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThanOrEqual": "4.009_002",
"status": "affected",
"version": "4.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:29:33.903Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Decoder version 4.010 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-02-06T00:00:00.000Z",
"value": "Sereal::Decoder version 4.001_001 released."
},
{
"lang": "en",
"time": "2018-12-27T00:00:00.000Z",
"value": "Zstandard 1.3.8 released."
},
{
"lang": "en",
"time": "2019-07-25T00:00:00.000Z",
"value": "CVE-2019-11922 for Zstandard published"
},
{
"lang": "en",
"time": "2020-02-04T00:00:00.000Z",
"value": "Sereal::Decoder version 4.010 released."
},
{
"lang": "en",
"time": "2023-02-09T00:00:00.000Z",
"value": "Advisory added to the CPANSA database."
},
{
"lang": "en",
"time": "2024-02-17T00:00:00.000Z",
"value": "Advisory updated in the CPANSA database."
}
],
"title": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-14030",
"datePublished": "2026-03-31T11:31:08.541Z",
"dateReserved": "2026-03-28T19:49:07.023Z",
"dateUpdated": "2026-04-01T16:29:33.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12740 (GCVE-0-2024-12740)
Vulnerability from cvelistv5 – Published: 2025-01-27 17:17 – Updated: 2025-01-27 18:52- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| NI | Vision Development Module |
Affected:
0 , ≤ 24.1
(semver)
|
|
| NI | FlexRIO |
Affected:
0 , < 25.0
(semver)
|
|
| NI | NI-IMAQdx |
Affected:
0 , ≤ 23.1
(semver)
|
|
| NI | Vision Acquisition Software |
Affected:
0 , ≤ 23.1
(sem)
|
|
| NI | Vision Builder for Automated Inspection |
Affected:
0 , ≤ 23.*
(semver)
|
|
| NI | Data Record AD |
Affected:
0 , ≤ 2.0
(semver)
|
|
| NI | FRC Game Tools |
Affected:
0 , ≤ 25.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T18:52:49.924917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T18:52:58.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vision Development Module",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "24.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FlexRIO",
"vendor": "NI",
"versions": [
{
"lessThan": "25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "NI-IMAQdx",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "23.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Vision Acquisition Software",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "23.1",
"status": "affected",
"version": "0",
"versionType": "sem"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Vision Builder for Automated Inspection",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "23.*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Data Record AD",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FRC Game Tools",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "25.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kimiya working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVision related software from NI used a third-party library for image processing that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Vision related software from NI used a third-party library for image processing that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T17:17:28.308Z",
"orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
"shortName": "NI"
},
"references": [
{
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/dependency-on-vulnerable-third-party-component-exposes-vulnerabi.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Dependency on Vulnerable Third-Party Component exposes Vulnerabilities in NI Vision Software",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
"assignerShortName": "NI",
"cveId": "CVE-2024-12740",
"datePublished": "2025-01-27T17:17:28.308Z",
"dateReserved": "2024-12-17T20:42:45.704Z",
"dateUpdated": "2025-01-27T18:52:58.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11948 (GCVE-0-2024-11948)
Vulnerability from cvelistv5 – Published: 2024-12-11 21:55 – Updated: 2024-12-12 15:47- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:46:50.107404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:47:00.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Archiver",
"vendor": "GFI",
"versions": [
{
"status": "affected",
"version": "15.6"
}
]
}
],
"dateAssigned": "2024-11-27T23:38:31.799Z",
"datePublic": "2024-12-11T17:27:20.803Z",
"descriptions": [
{
"lang": "en",
"value": "GFI Archiver Telerik Web UI Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Telerik Web UI. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-24041."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T21:55:03.698Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-1671",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1671/"
}
],
"source": {
"lang": "en",
"value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)"
},
"title": "GFI Archiver Telerik Web UI Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-11948",
"datePublished": "2024-12-11T21:55:03.698Z",
"dateReserved": "2024-11-27T23:38:31.773Z",
"dateUpdated": "2024-12-12T15:47:00.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6121 (GCVE-0-2024-6121)
Vulnerability from cvelistv5 – Published: 2024-07-22 19:46 – Updated: 2024-08-01 21:33- CWE-1395 - Dependency on Vulnerable Third-Party Component
| Vendor | Product | Version | |
|---|---|---|---|
| NI | SystemLink Server |
Affected:
0 , ≤ 24.1
(semver)
|
|
| NI | FlexLogger |
Affected:
0 , ≤ 23.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:55:03.521839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:55:16.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "SystemLink Server",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "24.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "FlexLogger",
"vendor": "NI",
"versions": [
{
"lessThanOrEqual": "23.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T19:46:11.685Z",
"orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
"shortName": "NI"
},
"references": [
{
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "NI SystemLink Server Ships Out of Date Redis Version",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
"assignerShortName": "NI",
"cveId": "CVE-2024-6121",
"datePublished": "2024-07-22T19:46:11.685Z",
"dateReserved": "2024-06-18T11:41:52.912Z",
"dateUpdated": "2024-08-01T21:33:05.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5246 (GCVE-0-2024-5246)
Vulnerability from cvelistv5 – Published: 2024-05-23 22:07 – Updated: 2024-08-01 21:03- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://kb.netgear.com/000066164/Security-Advisor… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| NETGEAR | ProSAFE Network Management System |
Affected:
1.7.0.34 x64
|
|
| netgear | prosafe_network_management_system |
Affected:
1.7.0.34 x64
cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "prosafe_network_management_system",
"vendor": "netgear",
"versions": [
{
"status": "affected",
"version": "1.7.0.34 x64"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-5246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T19:21:20.249999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:02:38.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:11.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-24-497",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-497/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ProSAFE Network Management System",
"vendor": "NETGEAR",
"versions": [
{
"status": "affected",
"version": "1.7.0.34 x64"
}
]
}
],
"dateAssigned": "2024-05-22T21:06:59.239Z",
"datePublic": "2024-05-22T23:32:36.807Z",
"descriptions": [
{
"lang": "en",
"value": "NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Apache Tomcat. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22868."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T22:07:15.475Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-497",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-497/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://kb.netgear.com/000066164/Security-Advisory-for-Multiple-Vulnerabilities-on-the-NMS300-PSV-2024-0003-PSV-2024-0004"
}
],
"source": {
"lang": "en",
"value": "191bb9f9c7b3a89d5a586e15299e24417a4aca4d"
},
"title": "NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-5246",
"datePublished": "2024-05-23T22:07:15.475Z",
"dateReserved": "2024-05-22T21:06:59.213Z",
"dateUpdated": "2024-08-01T21:03:11.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0552 (GCVE-0-2024-0552)
Vulnerability from cvelistv5 – Published: 2024-01-15 04:03 – Updated: 2024-10-14 06:11- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7662-41d50-1.html | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Intumit inc. | SmartRobot |
Affected:
0 , ≤ v6.0.0-202012tw
(custom)
|
|
| intumit | smartrobot |
Affected:
v6.0.0-202012tw
cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "smartrobot",
"vendor": "intumit",
"versions": [
{
"status": "affected",
"version": "v6.0.0-202012tw"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0552",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T16:20:10.789210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:39.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7662-41d50-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SmartRobot",
"vendor": "Intumit inc.",
"versions": [
{
"lessThanOrEqual": "v6.0.0-202012tw",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-01-15T04:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Intumit inc. SmartRobot\u0027s web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server."
}
],
"value": "Intumit inc. SmartRobot\u0027s web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T06:11:21.141Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7662-41d50-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to latest version"
}
],
"value": "Update to latest version"
}
],
"source": {
"advisory": "TVN-202401001",
"discovery": "EXTERNAL"
},
"title": "Intumit inc. SmartRobot - Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-0552",
"datePublished": "2024-01-15T04:03:07.044Z",
"dateReserved": "2024-01-15T02:07:52.690Z",
"dateUpdated": "2024-10-14T06:11:21.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.