NetApp Ontap
By the Year
In 2026 there have been 0 vulnerabilities in NetApp Ontap. Last year, in 2025, Ontap had 5 security vulnerabilities published. Right now, Ontap is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 5 | 6.80 |
| 2024 | 14 | 7.18 |
| 2023 | 3 | 6.00 |
| 2022 | 1 | 8.10 |
It may take a day or so for new Ontap vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent NetApp Ontap Security Vulnerabilities
PHP <8.1.32/8.2.28/8.3.19/8.4.5: Invalid Headers Treated as Valid
CVE-2025-1734
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from an HTTP server, headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
Improper Input Validation
PHP Header Injection via Insufficient EOL Validation (<=8.1.32, <=8.2.28, <=8.3.19, <=8.4.5)
CVE-2025-1736
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers being misinterpreted.
Improper Input Validation
PHP 8.1-8.4 Lim. on HTTP Redirect Location Buffer (CVE-2025-1861)
CVE-2025-1861
- March 30, 2025
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing an HTTP redirect in the response to an HTTP request, there is currently a limit on the location value size, caused by the location buffer being limited to 1024. However, as per RFC 9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Incorrect Calculation of Buffer Size
OpenSSH VerifyHostKeyDNS DoS via Host Key Verification Error
CVE-2025-26465
6.8 - Medium
- February 18, 2025
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
Detection of Error Condition Without Action
curl Leaks Netrc Password to Redirected Host
CVE-2025-0167
- February 05, 2025
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
curl: Authentication Credential Leakage via HTTP Redirects
CVE-2024-11053
3.4 - Low
- December 11, 2024
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
PHP ldap_escape() Integer Overflow Vulnerability on 32-bit Systems
CVE-2024-8932
9.8 - Critical
- November 22, 2024
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
Memory Corruption
Apache 2.4.59 mod_proxy URL Encoding Flaw Auth Bypass
CVE-2024-38473
- July 01, 2024
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Output Sanitization
Null Pointer deref on WebSocket over HTTP/2 upgrade in Jetty
CVE-2024-36387
- July 01, 2024
Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
NULL Pointer Dereference
Apache HTTP Server <2.4.60 SSRF on Windows leaks NTLM Hashes
CVE-2024-38472
- July 01, 2024
SSRF in Apache HTTP Server on Windows allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: Existing configurations that access UNC paths will have to configure the new directive "UNCList" to allow access during request processing.
Apache HTTP Server mod_rewrite SSRF before 2.4.60 via mod_proxy
CVE-2024-39573
7.5 - High
- July 01, 2024
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Improper Input Validation
Apache HTTP Server Response Splitting via Faulty Input Validation < 2.4.58
CVE-2023-38709
7.3 - High
- April 04, 2024
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
Improper Validation of Specified Quantity in Input
Apache HTTP Server 2.4.59 Resolved HTTP Response Splitting in Modules
CVE-2024-24795
- April 04, 2024
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
nghttp2 Memory Exhaustion via HTTP/2 Header Buffer Overflow
CVE-2024-27316
7.5 - High
- April 04, 2024
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Allocation of Resources Without Limits or Throttling
curl: Misprocessing of --proto Disable All Leads to Plaintext Exposure
CVE-2024-2004
- March 27, 2024
When a protocol selection parameter option disables all protocols without adding any, the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The command below would perform a request to curl.se with a plaintext protocol which has been explicitly disabled: `curl --proto -all,-http http://curl.se`. The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.
XML Entity Expansion in libexpat <2.6.1 via XML_ExternalEntityParserCreate
CVE-2024-28757
7.5 - High
- March 10, 2024
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
XEE
BIND 9 DNS Parsing Complexity DoS (v9.0.0-9.19.19)
CVE-2023-4408
7.5 - High
- February 13, 2024
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
Privilege Escalation via REST API in NetApp ONTAP 9.x (pre-9.9.1P18)
CVE-2024-21985
7.6 - High
- January 26, 2024
ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).
NetApp ONTAP 9.4+ Object-Store Profiler Sensitive Info Disclosure
CVE-2024-21982
6.5 - Medium
- January 12, 2024
ONTAP versions 9.4 and higher are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information to unprivileged attackers when the object-store profiler command is being run by an administrative user.
ONTAP 9 SAS FIPS 140-2 Drives Unlock on Reboot CVE-2023-27317
CVE-2023-27317
4.6 - Medium
- December 15, 2023
ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a vulnerability which will cause all SAS-attached FIPS 140-2 drives to become unlocked after a system reboot or power cycle or a single SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This could lead to disclosure of sensitive information to an attacker with physical access to the unlocked drives.
NetApp ONTAP 9 Remote Unauth HTTP Crash before 9.8P19/9.9.1P16 (CVE-2023-27314)
CVE-2023-27314
7.5 - High
- October 12, 2023
ONTAP 9 versions prior to 9.8P19, 9.9.1P16, 9.10.1P12, 9.11.1P8, 9.12.1P2 and 9.13.1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to cause a crash of the HTTP service.
CVE-2023-27536: Auth Bypass in libcurl <8.0.0 via GSSAPI Delegation
CVE-2023-27536
5.9 - Medium
- March 30, 2023
An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
Authentication
Authenticated Remote Modify/Delete WORM Data in NetApp ONTAP 9.11.1P2 FlexGroups
CVE-2022-23241
8.1 - High
- October 19, 2022
Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period.