Latest Stormshield Vulnerabilities

CVE-2023-28616
An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sig...
Stormshield Network Security>=2.7.0<4.3.17
Stormshield Network Security>=4.4.0<4.6.4
Stormshield Network Security=4.7.0
CVE-2023-47091
An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can ...
>=4.3.13<4.3.23
>=4.6.0<4.6.10
>=4.7.0<4.7.2
CVE-2023-41166
An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1. It's possible to know if...
Stormshield Stormshield Network Security>=3.7.0<=3.7.39
Stormshield Stormshield Network Security>=3.11.0<=3.11.27
Stormshield Stormshield Network Security>=4.3.0<4.3.23
Stormshield Stormshield Network Security>=4.6.0<4.6.10
Stormshield Stormshield Network Security>=4.7.0<4.7.2
CVE-2023-47093
An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.21, 4.4.0 through 4.6.8, and 4.7.0. Sending a crafted ICMP packet may lead to a crash of the ASQ engine.
Stormshield Stormshield Network Security>=4.0.0<4.3.22
Stormshield Stormshield Network Security>=4.4.0<4.6.9
Stormshield Stormshield Network Security=4.7.0
CVE-2022-46783
An issue was discovered in Stormshield SSL VPN Client before 3.2.0. If multiple address books are used, an attacker may be able to access the other encrypted address book.
Stormshield SSL VPN Client<3.2.0
CVE-2023-26095
ASQ in Stormshield Network Security (SNS) 4.3.15 before 4.3.16 and 4.6.x before 4.6.3 allows a crash when analysing a crafted SIP packet.
Stormshield Network Security>=4.6.0<4.6.3
Stormshield Network Security=4.3.15
CVE-2021-27932
Stormshield Network Security (SNS) VPN SSL Client 2.1.0 through 2.8.0 has Insecure Permissions.
Stormshield SSL VPN Client>=2.1.0<=3.0.0
CVE-2020-11711
An issue was discovered in Stormshield SNS 3.8.0. Authenticated Stored XSS in the admin login panel leads to SSL VPN credential theft. A malicious disclaimer file can be uploaded from the admin panel....
Stormshield Stormshield Network Security>=3.6.0<3.7.13
Stormshield Stormshield Network Security>=3.8.0<3.11.0
Stormshield Stormshield Network Security>=4.0.0<4.1.1
CVE-2022-46782
An issue was discovered in Stormshield SSL VPN Client before 3.2.0. A logged-in user, able to only launch the VPNSSL Client, can use the OpenVPN instance to execute malicious code as administrator on ...
Stormshield SSL VPN Client<3.2.0
CVE-2023-35799
Stormshield Endpoint Security Evolution 2.0.0 through 2.3.2 has Insecure Permissions. An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges.
Stormshield Endpoint Security>=2.0.0<=2.3.2
CVE-2023-35800
Stormshield Endpoint Security Evolution 2.0.0 through 2.4.2 has Insecure Permissions. An ACL entry on the SES Evolution agent directory that contains the agent logs displayed in the GUI allows interac...
Stormshield Endpoint Security>=2.0.0<=2.4.2
CVE-2023-23562
Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control that allows an authenticated user can update global parameters.
Stormshield Endpoint Security>=2.3.0<2.4.1
CVE-2023-23561
Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information.
Stormshield Endpoint Security>=2.3.0<2.4.1
CVE-2023-20052
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0....
Cisco Secure Endpoint<1.20.2
Cisco Secure Endpoint<1.21.1
Cisco Secure Endpoint<7.5.9
Cisco Secure Endpoint>=8.0.1.21160<8.1.5
Cisco Secure Endpoint Private Cloud<3.6.0
Clamav Clamav<=0.103.7
and 8 more
CVE-2023-20032
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earl...
Cisco Secure Endpoint<1.20.2
Cisco Secure Endpoint<1.21.1
Cisco Secure Endpoint<7.5.9
Cisco Secure Endpoint>=8.0.1.21160<8.1.5
Cisco Secure Endpoint Private Cloud<3.6.0
Cisco Web Security Appliance<12.5.6
and 12 more
CVE-2023-0401
NULL dereference during PKCS7 data verification
redhat/openssl<1:3.0.1-47.el9_1
redhat/openssl<1:3.0.1-46.el9_0
OpenSSL OpenSSL>=3.0.0<=3.0.7
Stormshield Stormshield Management Center<3.3.3
ubuntu/nodejs<12.22.9~dfsg-1ubuntu3.3
ubuntu/openssl<3.0.8
and 6 more
CVE-2023-0216
Invalid pointer dereference in d2i_PKCS7 functions
redhat/openssl<1:3.0.1-47.el9_1
redhat/openssl<1:3.0.1-46.el9_0
OpenSSL OpenSSL>=3.0.0<=3.0.7
Stormshield Stormshield Management Center<3.3.3
ubuntu/openssl<3.0.8-1ubuntu1
ubuntu/openssl<3.0.8
and 5 more
CVE-2022-4450
Double free after calling PEM_read_bio_ex
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el8
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el7
redhat/edk2<0:20220126gitbb1bba3d77-4.el8
redhat/openssl<1:1.1.1k-9.el8_7
redhat/openssl<1:1.1.1k-9.el8_6
redhat/openssl<1:3.0.1-47.el9_1
and 24 more
CVE-2023-0215
Use-after-free following BIO_new_NDEF
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el8
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el7
redhat/edk2<0:20220126gitbb1bba3d77-4.el8
redhat/openssl<1:1.1.1k-9.el8_7
redhat/edk2<0:20220126gitbb1bba3d77-2.el8_6.1
redhat/openssl<1:1.1.1k-9.el8_6
and 28 more
CVE-2022-4304
Timing Oracle in RSA Decryption
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el8
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el7
redhat/edk2<0:20220126gitbb1bba3d77-4.el8
redhat/openssl<1:1.1.1k-9.el8_7
redhat/edk2<0:20220126gitbb1bba3d77-2.el8_6.1
redhat/openssl<1:1.1.1k-9.el8_6
and 31 more
CVE-2023-0286
X.400 address type confusion in X.509 GeneralName
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el8
redhat/jbcs-httpd24-openssl<1:1.1.1k-14.el7
redhat/openssl<0:1.0.1e-61.el6_10
redhat/openssl<1:1.0.2k-26.el7_9
redhat/edk2<0:20220126gitbb1bba3d77-4.el8
redhat/openssl<1:1.1.1k-9.el8_7
and 40 more
CVE-2022-40617
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL tha...
Strongswan Strongswan<5.9.8
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
Canonical Ubuntu Linux=22.04
and 6 more
CVE-2022-27812
Flooding SNS firewall versions 3.7.0 to 3.7.29, 3.11.0 to 3.11.17, 4.2.0 to 4.2.10, and 4.3.0 to 4.3.6 with specific forged traffic, can lead to SNS DoS.
Stormshield Network Security>=3.7.0<3.7.30
Stormshield Network Security>=3.11.0<3.11.18
Stormshield Network Security>=4.2.0<4.2.11
Stormshield Network Security>=4.3.0<4.3.7
CVE-2022-37434
A security vulnerability was found in zlib. The flaw triggered a heap-based buffer in inflate in the inflate.c function via a large gzip header extra field. This flaw is only applicable in the call in...
redhat/zlib<0:1.2.7-21.el7_9
redhat/zlib<0:1.2.11-19.el8_6
redhat/rsync<0:3.1.3-19.el8
redhat/zlib<0:1.2.11-32.el9_0
redhat/rsync<0:3.2.3-18.el9
debian/zlib<=1:1.2.11.dfsg-1<=1:1.2.11.dfsg-4<=1:1.2.11.dfsg-2+deb11u1
and 63 more
CVE-2022-32213
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Llhttp Llhttp<2.1.5
Llhttp Llhttp>=6.0.0<6.0.7
Nodejs Node.js>=14.0.0<=14.14.0
Nodejs Node.js>=14.15.0<14.20.1
Nodejs Node.js>=16.0.0<=16.12.0
Nodejs Node.js>=16.13.0<16.17.1
and 15 more
CVE-2022-32214
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Llhttp Llhttp<2.1.5
Llhttp Llhttp>=6.0.0<6.0.7
Nodejs Node.js>=14.0.0<=14.14.0
Nodejs Node.js>=14.15.0<14.20.0
Nodejs Node.js>=16.0.0<=16.12.0
Nodejs Node.js>=16.13.0<16.16.0
and 9 more
CVE-2022-32215
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Llhttp Llhttp>=14.0.0<14.20.1
Llhttp Llhttp>=16.0.0<16.17.1
Llhttp Llhttp>=18.0.0<18.9.1
Nodejs Node.js>=14.0.0<=14.14.0
Nodejs Node.js>=14.15.0<14.20.0
Nodejs Node.js>=16.0.0<=16.12.0
and 16 more
CVE-2022-30279
An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.8. The event logging of the ASQ sofbus lacbus plugin triggers the dereferencing of a NULL pointer, leading to a crash of ...
Stormshield Network Security>=4.3.3<4.3.8
CVE-2022-23989
In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to saturati...
Stormshield Network Security>=3.0.0<3.7.25
Stormshield Network Security>=3.8.0<3.11.13
Stormshield Network Security>=4.0.0<4.2.10
Stormshield Network Security>=4.3.0<4.3.5
CVE-2021-3398
Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component.
Stormshield Stormshield Network Security>=3.0.0<=3.7.24
Stormshield Stormshield Network Security>=3.8.0<=3.11.12
CVE-2021-31814
In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.
Stormshield Stormshield Network Security>=2.1.0<=2.9.0
Stormshield Stormshield Network Security=1.1.0
CVE-2021-37613
Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service.
Stormshield Stormshield Network Security>=1.0.0<=1.6.1
Stormshield Stormshield Network Security>=2.0.0<=2.7.8
Stormshield Stormshield Network Security>=2.8.0<=2.16.0
Stormshield Stormshield Network Security>=3.0.0<=3.7.24
Stormshield Stormshield Network Security>3.8.0<=3.11.12
Stormshield Stormshield Network Security>4.0.0<=4.2.7
CVE-2021-31617
In ASQ in Stormshield Network Security (SNS) 1.0.0 through 2.7.8, 2.8.0 through 2.16.0, 3.0.0 through 3.7.20, 3.8.0 through 3.11.8, and 4.0.1 through 4.2.2, mishandling of memory management can lead t...
Stormshield Network Security>=1.0.0<2.7.9
Stormshield Network Security>=2.8.0<3.7.21
Stormshield Network Security>=3.8.0<3.11.9
Stormshield Network Security>=4.0.1<4.2.3
CVE-2021-28962
Stormshield Network Security (SNS) before 4.2.2 allows a read-only administrator to gain privileges via CLI commands.
Stormshield Network Security>=2.5.0<2.7.9
Stormshield Network Security>=2.8.0<3.7.21
Stormshield Network Security>=3.8.0<3.11.9
Stormshield Network Security>=4.0.0<4.2.2
CVE-2022-22703
In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer.
Stormshield Network Security>=2.0.0<2.1.1
Stormshield Network Security>=3.0.0<3.0.2
Microsoft Windows
CVE-2021-45885
An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear th...
Stormshield Network Security>=4.2.2<4.2.8
CVE-2021-45091
Stormshield Endpoint Security from 2.1.0 to 2.1.1 has Incorrect Access Control.
Stormshield Endpoint Security=2.1.0
Stormshield Endpoint Security=2.1.1
CVE-2021-45090
Stormshield Endpoint Security before 2.1.2 allows remote code execution.
Stormshield Endpoint Security>=2.0.0<2.1.2
CVE-2002-20001
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-expo...
Balasys Dheater
SUSE Linux Enterprise Server=15
SUSE Linux Enterprise Server=11
SUSE Linux Enterprise Server=12
F5 BIG-IQ Centralized Management=7.1.0
F5 BIG-IQ Centralized Management>=8.0.0<=8.2.0
and 80 more
CVE-2021-31220
SES Evolution before 2.1.0 allows modifying security policies by leveraging access of a user having read-only access to security policies.
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-31224
SES Evolution before 2.1.0 allows duplicating an existing security policy by leveraging access of a user having read-only access to security policies.
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-31221
SES Evolution before 2.1.0 allows deleting some parts of a security policy by leveraging access to a computer having the administration console installed.
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-35957
Stormshield Endpoint Security Evolution 2.0.0 through 2.0.2 does not accomplish the intended defense against local administrators who can replace the Visual C++ runtime DLLs (in %WINDIR%\system32) wit...
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-31222
SES Evolution before 2.1.0 allows updating some parts of a security policy by leveraging access to a computer having the administration console installed.
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-31223
SES Evolution before 2.1.0 allows reading some parts of a security policy by leveraging access to a computer having the administration console installed.
Stormshield Endpoint Security>=2.0.0<=2.0.2
CVE-2021-28127
Stormshield Stormshield Network Security>=2.0.0<=2.7.9
Stormshield Stormshield Network Security>=2.8.0<=2.16.0
Stormshield Stormshield Network Security>=3.0.0<=3.7.19
Stormshield Stormshield Network Security>=3.8.0<=3.11.7
Stormshield Stormshield Network Security>=4.0.0<=4.1.5
Stormshield Stormshield Network Security=4.2.1
CVE-2021-28665
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denia...
Stormshield Network Security>=3.0.0<3.7.18
Stormshield Network Security>=3.8.0<3.11.5
Stormshield Network Security>=4.0.0<4.1.5
CVE-2021-27506
The ClamAV Engine (version 0.103.1 and below) component embedded in Storsmshield Network Security (SNS) is subject to DoS in case of parsing of malformed png files. This affect Netasq versions 9.1.0 t...
Netasq Project Netasq>=9.1.0<=9.1.11
Stormshield Network Security>=1.0<=4.2.0
Clamav Clamav<=0.103.1
CVE-2021-3384
A vulnerability in Stormshield Network Security could allow an attacker to trigger a protection related to ARP/NDP tables management, which would temporarily prevent the system to contact new hosts vi...
Stormshield Network Security>=2.0.0<2.7.8
Stormshield Network Security>=2.8.0<=2.16.0
Stormshield Network Security>=3.0.0<=3.7.17
Stormshield Network Security>=3.8.0<=3.11.5
Stormshield Network Security>=4.0.0<4.1.5
CVE-2020-7466
The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would r...
Mpd Project Mpd<5.9
Stormshield Stormshield Network Security>=4.0.0<4.3.17
Stormshield Stormshield Network Security=4.4.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203