Web Gateway McAfee Web Gateway

stack.watch can email you when security vulnerabilities are reported in McAfee Web Gateway. You can add multiple products that you use with Web Gateway to create your own personal software stack watcher.

By the Year

In 2021 there have been 1 vulnerability in McAfee Web Gateway with an average score of 8.8 out of ten. Last year Web Gateway had 6 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2021 is greater by 3.15.

Year Vulnerabilities Average Score
2021 1 8.80
2020 6 5.65
2019 8 7.03
2018 1 9.80

It may take a day or so for new Web Gateway vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest McAfee Web Gateway Security Vulnerabilities

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8

CVE-2021-23885 8.8 - High - February 17, 2021

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page.

CVE-2021-23885 can be explotited with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Privilege Management

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7297 5.7 - Medium - September 16, 2020

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to access protected dashboard data via improper access control in the user interface.

authentification

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7293 9 - Critical - September 15, 2020

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user with low permissions to change the system's root password via improper access controls in the user interface.

authentification

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7294 4.6 - Medium - September 15, 2020

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to delete or download protected files via improper access controls in the REST interface.

authentification

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7295 4.6 - Medium - September 15, 2020

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to delete or download protected log data via improper access controls in the user interface.

authentification

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7296 5.7 - Medium - September 15, 2020

Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to access protected configuration files via improper access control in the user interface.

authentification

Inappropriate Encoding for output context vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1

CVE-2020-7292 4.3 - Medium - July 15, 2020

Inappropriate Encoding for output context vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows a remote attacker to cause MWG to return an ambiguous redirect response via getting a user to click on a malicious URL.

CVE-2020-7292 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Inappropriate Encoding for Output Context

Reflected Cross Site Scripting vulnerability in Administrators web console in McAfee Web Gateway (MWG) 7.8.x prior to 7.8.2.13

CVE-2019-3638 6.1 - Medium - September 12, 2019

Reflected Cross Site Scripting vulnerability in Administrators web console in McAfee Web Gateway (MWG) 7.8.x prior to 7.8.2.13 allows remote attackers to collect sensitive information or execute commands with the MWG administrator's credentials via tricking the administrator to click on a carefully constructed malicious link.

CVE-2019-3638 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9511

CVE-2019-3643 7.5 - High - September 11, 2019

McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9511, potentially leading to a denial of service. This affects the scanning proxies.

CVE-2019-3643 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Input Validation

McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9517

CVE-2019-3644 7.5 - High - September 11, 2019

McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9517, potentially leading to a denial of service. This affects the scanning proxies.

CVE-2019-3644 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Input Validation

Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage

CVE-2019-3635 6.5 - Medium - August 14, 2019

Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via crafting a complex webpage that will trigger the Web Gateway to block the user accessing an iframe.

CVE-2019-3635 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Information Leak

Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page

CVE-2019-3639 7.1 - High - August 14, 2019

Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe via does not send an X-Frame-Options HTTP header.

CVE-2019-3639 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

1021

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation

CVE-2019-9511 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

CVE-2019-9511 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service

CVE-2019-9513 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

CVE-2019-9513 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

CVE-2019-9516 6.5 - Medium - August 13, 2019

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

CVE-2019-9516 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Allocation of Resources Without Limits or Throttling

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression

CVE-2018-18311 9.8 - Critical - December 07, 2018

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Out-of-bounds Write