Broadcom Brocade Sannav
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Broadcom Brocade Sannav.
By the Year
In 2025 there have been 0 vulnerabilities in Broadcom Brocade Sannav. Last year, in 2024 Brocade Sannav had 28 security vulnerabilities published. Right now, Brocade Sannav is on track to have less security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 28 | 6.61 |
| 2023 | 3 | 7.27 |
| 2022 | 3 | 7.83 |
| 2021 | 3 | 7.37 |
| 2020 | 0 | 0.00 |
| 2019 | 6 | 7.08 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Brocade Sannav vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Broadcom Brocade Sannav Security Vulnerabilities
Brocade SANnav: Information Exposure via Debug Logs
CVE-2022-43937
5.5 - Medium
- November 21, 2024
Possible information exposure through log file vulnerability where sensitive fields are recorded in the debug-enabled logs when debugging is turned on in Brocade SANnav before 2.3.0 and 2.2.2a
Insertion of Sensitive Information into Log File
Brocade SANnav Information Exposure Through Log Files
CVE-2022-43933
4.4 - Medium
- November 21, 2024
An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. Supportsave file is generated by an admin user troubleshooting the switch. The Logged information may include usernames and passwords, and secret keys.
Insertion of Sensitive Information into Log File
Brocade SANnav Weak Key Exchange Algorithm Vulnerability
CVE-2022-43934
7.5 - High
- November 21, 2024
Brocade SANnav before Brocade SANnav 2.2.2 supports key exchange algorithms, which are considered weak on ports 24, 6514, 18023, 19094, and 19095.
Use of a Broken or Risky Cryptographic Algorithm
Brocade SANnav Information Exposure through Log Files
CVE-2022-43935
4.4 - Medium
- November 21, 2024
An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where Brocade Fabric OS Switch passwords and authorization IDs are printed in the embedded MLS DB file.
Insertion of Sensitive Information into Log File
Brocade SANnav Password Logging Vulnerability in Brocade Fabric OS
CVE-2022-43936
4.9 - Medium
- November 21, 2024
Brocade SANnav versions before 2.2.2 log Brocade Fabric OS switch passwords when debugging is enabled.
Insertion of Sensitive Information into Log File
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who
CVE-2024-3596
9 - Critical
- July 09, 2024
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
Improper Validation of Integrity Check Value
The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw
CVE-2024-2860
7.8 - High
- May 08, 2024
The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw. An attacker accessing the VM where the Brocade SANnav is installed can gain access to sensitive data inside the PostgreSQL database.
Missing Authentication for Critical Function
A vulnerability in Brocade SANnav exposes Kafka in the wan interface
CVE-2024-4173
9.8 - Critical
- April 25, 2024
A vulnerability in Brocade SANnav exposes Kafka in the wan interface. The vulnerability could allow an unauthenticated attacker to perform various attacks, including DOS against the Brocade SANnav.
Brocade SANnav before v2.3.0a lacks protection mechanisms on port 2377/TCP and 7946/TCP, which could
CVE-2024-4159
5.3 - Medium
- April 25, 2024
Brocade SANnav before v2.3.0a lacks protection mechanisms on port 2377/TCP and 7946/TCP, which could allow an unauthenticated attacker to sniff the SANnav Docker information.
In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic received
clear text
CVE-2024-4161
7.5 - High
- April 25, 2024
In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic received clear text. This could allow an unauthenticated, remote attacker to capture sensitive information.
Cleartext Transmission of Sensitive Information
An information disclosure vulnerability exists in Brocade SANnav before v2.3.1 and v2.3.0a when Brocade SANnav instances are configured in disaster recovery mode
CVE-2024-29968
6.5 - Medium
- April 19, 2024
An information disclosure vulnerability exists in Brocade SANnav before v2.3.1 and v2.3.0a when Brocade SANnav instances are configured in disaster recovery mode. SQL Table names, column names, and SQL queries are collected in DR standby Supportsave. This could allow authenticated users to access the database structure and its contents.
Insecure Storage of Sensitive Information
When a Brocade SANnav installation is upgraded
CVE-2024-29969
7.5 - High
- April 19, 2024
When a Brocade SANnav installation is upgraded from Brocade SANnav v2.2.2 to Brocade SANnav 2.3.0, TLS/SSL weak message authentication code ciphers are added by default for port 18082.
Inadequate Encryption Strength
Brocade SANnav OVA before v2.3.1 and v2.3.0a have an insecure file permission setting that makes files world-readable
CVE-2024-29962
5.5 - Medium
- April 19, 2024
Brocade SANnav OVA before v2.3.1 and v2.3.0a have an insecure file permission setting that makes files world-readable. This could allow a local user without the required privileges to access sensitive information or a Java binary.
Incorrect Default Permissions
In Brocade SANnav before v2.3.1, and v2.3.0a, it is possible to back up the appliance
CVE-2024-29965
5.9 - Medium
- April 19, 2024
In Brocade SANnav before v2.3.1, and v2.3.0a, it is possible to back up the appliance from the web interface or the command line interface ("SSH"). The resulting backups are world-readable. A local attacker can recover backup files, restore them to a new malicious appliance, and retrieve the passwords of all the switches.
Insecure Storage of Sensitive Information
Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation
CVE-2024-29966
9.8 - Critical
- April 19, 2024
Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appliance.
Use of Hard-coded Credentials
In Brocade SANnav before Brocade SANnav v2.31 and v2.3.0a, it was observed
CVE-2024-29967
6 - Medium
- April 19, 2024
In Brocade SANnav before Brocade SANnav v2.31 and v2.3.0a, it was observed that Docker instances inside the appliance have insecure mount points, allowing reading and writing access to sensitive files. The vulnerability could allow a sudo privileged user on the host OS to read and write access to these files.
Incorrect Default Permissions
Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files
CVE-2024-29964
6.5 - Medium
- April 19, 2024
Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files. An unprivileged attacker who gains access to the server can read sensitive information from these files.
Incorrect Permission Assignment for Critical Resource
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker
CVE-2024-29963
3.8 - Low
- April 19, 2024
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries.
Use of Hard-coded Credentials
A vulnerability affects Brocade SANnav before v2.3.1 and v2.3.0a
CVE-2024-29961
8.2 - High
- April 19, 2024
A vulnerability affects Brocade SANnav before v2.3.1 and v2.3.0a. It allows a Brocade SANnav service to send ping commands in the background at regular intervals to gridgain.com to check if updates are available for the Component. This could make an unauthenticated, remote attacker aware of the behavior and launch a supply-chain attack against a Brocade SANnav appliance.
In Brocade SANnav server before v2.3.1 and v2.3.0a
CVE-2024-29960
7.5 - High
- April 19, 2024
In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav.
Use of Hard-coded Credentials
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support save.
CVE-2024-29959
8.6 - High
- April 19, 2024
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node's support save.
Insertion of Sensitive Information into Log File
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the encryption key in the console when a privileged user executes the script to replace the Brocade SANnav Management Portal standby node
CVE-2024-29958
6.5 - Medium
- April 19, 2024
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the encryption key in the console when a privileged user executes the script to replace the Brocade SANnav Management Portal standby node. This could provide attackers an additional, less protected path to acquiring the encryption key.
Insertion of Sensitive Information into Log File
When Brocade SANnav before v2.3.1 and v2.3.0a servers are configured in Disaster Recovery mode
CVE-2024-29957
7.5 - High
- April 19, 2024
When Brocade SANnav before v2.3.1 and v2.3.0a servers are configured in Disaster Recovery mode, the encryption key is stored in the DR log files. This could provide attackers with an additional, less-protected path to acquiring the encryption key.
Insertion of Sensitive Information into Log File
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the Brocade SANnav password in clear text in supportsave logs when a user schedules a switch Supportsave
CVE-2024-29956
6.5 - Medium
- April 18, 2024
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the Brocade SANnav password in clear text in supportsave logs when a user schedules a switch Supportsave from Brocade SANnav.
Cleartext Storage of Sensitive Information
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could
CVE-2024-29952
5.5 - Medium
- April 17, 2024
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allow an authenticated user to print the Auth, Priv, and SSL key store passwords in unencrypted logs by manipulating command variables.
Cleartext Storage of Sensitive Information
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could
CVE-2024-29955
5.5 - Medium
- April 17, 2024
A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allow a privileged user to print the SANnav encrypted key in PostgreSQL startup logs. This could provide attackers with an additional, less-protected path to acquiring the encryption key.
Insertion of Sensitive Information into Log File
Brocade SANnav before v2.3.1 and v2.3.0a uses the SHA-1 hash in internal SSH ports
CVE-2024-29951
5.7 - Medium
- April 17, 2024
Brocade SANnav before v2.3.1 and v2.3.0a uses the SHA-1 hash in internal SSH ports that are not open to remote connection.
Inadequate Encryption Strength
The class FileTransfer implemented in Brocade SANnav before v2.3.1, v2.3.0a, uses the ssh-rsa signature scheme, which has a SHA-1 hash
CVE-2024-29950
5.9 - Medium
- April 17, 2024
The class FileTransfer implemented in Brocade SANnav before v2.3.1, v2.3.0a, uses the ssh-rsa signature scheme, which has a SHA-1 hash. The vulnerability could allow a remote, unauthenticated attacker to perform a man-in-the-middle attack.
Inadequate Encryption Strength
Brocade SANnav Web interface before Brocade SANnav v2.3.0 and v2.2.2a
CVE-2023-31424
9.8 - Critical
- August 31, 2023
Brocade SANnav Web interface before Brocade SANnav v2.3.0 and v2.2.2a allows remote unauthenticated users to bypass web authentication and authorization.
Brocade
SANnav before v2.3.0 and v2.2.2a stores SNMPv3 Authentication passwords
in plaintext
CVE-2023-31925
6.5 - Medium
- August 31, 2023
Brocade SANnav before v2.3.0 and v2.2.2a stores SNMPv3 Authentication passwords in plaintext. A privileged user could retrieve these credentials with knowledge and access to these log files. SNMP credentials could be seen in SANnav SupportSave if the capture is performed after an SNMP configuration failure causes an SNMP communication log dump.
Cleartext Storage of Sensitive Information
Possible
information exposure through log file vulnerability where sensitive
fields are recorded in the configuration log without masking on Brocade
SANnav before v2.3.0 and 2.2.2a
CVE-2023-31423
5.5 - Medium
- August 31, 2023
Possible information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Brocade SANnav before v2.3.0 and 2.2.2a. Notes: To access the logs, the local attacker must have access to an already collected Brocade SANnav "supportsave" outputs.
Cleartext Storage of Sensitive Information
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs
CVE-2022-33187
4.9 - Medium
- December 09, 2022
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs. The vulnerability could allow an attacker with admin privilege to read sensitive information.
Insertion of Sensitive Information into Log File
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to
CVE-2022-23302
8.8 - High
- January 18, 2022
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Marshaling, Unmarshaling
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters
CVE-2022-23305
9.8 - Critical
- January 18, 2022
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
SQL Injection
The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits
CVE-2020-15387
7.4 - High
- June 09, 2021
The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits, which may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications.
Inadequate Encryption Strength
Brocade SANnav before v.2.1.0a could
CVE-2020-15379
7.5 - High
- June 09, 2021
Brocade SANnav before v.2.1.0a could allow remote attackers cause a denial-of-service condition due to a lack of proper validation, of the length of user-supplied data as name for custom field name.
Improper Input Validation
Brocade SANnav before version 2.1.1 uses a hard-coded administrator account with the weak password passw0rd if a password is not provided for PostgreSQL at install-time.
CVE-2020-15382
7.2 - High
- June 09, 2021
Brocade SANnav before version 2.1.1 uses a hard-coded administrator account with the weak password passw0rd if a password is not provided for PostgreSQL at install-time.
Use of Hard-coded Credentials
A vulnerability, in Brocade SANnav versions before v2.0, could allow remote attackers to brute-force a valid session ID
CVE-2019-16205
8.8 - High
- November 08, 2019
A vulnerability, in Brocade SANnav versions before v2.0, could allow remote attackers to brute-force a valid session ID. The vulnerability is due to an insufficiently random session ID for several post-authentication actions in the SANnav portal.
Use of Insufficiently Random Values
Brocade SANnav versions before v2.0
CVE-2019-16210
5.5 - Medium
- November 08, 2019
Brocade SANnav versions before v2.0, logs plain text database connection password while triggering support save.
Insertion of Sensitive Information into Log File
A vulnerability, in The ReportsTrustManager class of Brocade SANnav versions before v2.0, could
CVE-2019-16209
7.4 - High
- November 08, 2019
A vulnerability, in The ReportsTrustManager class of Brocade SANnav versions before v2.0, could allow an attacker to perform a man-in-the-middle attack against Secure Sockets Layer(SSL)connections.
Improper Certificate Validation
Password-based encryption (PBE) algorithm, of Brocade SANnav versions before v2.0, has a weakness in generating cryptographic keys
CVE-2019-16208
7.5 - High
- November 08, 2019
Password-based encryption (PBE) algorithm, of Brocade SANnav versions before v2.0, has a weakness in generating cryptographic keys that may allow an attacker to decrypt passwords used with several services (Radius, TACAS, etc.).
Use of a Broken or Risky Cryptographic Algorithm
Brocade SANnav versions before v2.0 use a hard-coded password, which could
CVE-2019-16207
7.8 - High
- November 08, 2019
Brocade SANnav versions before v2.0 use a hard-coded password, which could allow local authenticated attackers to access a back-end database and gain privileges.
Use of Hard-coded Credentials
The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the trace and the 'debug' logging level; which could
CVE-2019-16206
5.5 - Medium
- November 08, 2019
The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the trace and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information.
Insertion of Sensitive Information into Log File
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Broadcom Brocade Sannav or by Broadcom? Click the Watch button to subscribe.
