Perforce
Products by Perforce Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there has been 1 vulnerability in Perforce, with an average score of 7.8 out of ten. Last year Perforce had 4 security vulnerabilities published. Right now, Perforce is on track to have fewer security vulnerabilities in 2024 than it did last year. Last year, the average CVE base score was greater by 0.28.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 7.80 |
2023 | 4 | 8.08 |
2022 | 1 | 3.50 |
2021 | 2 | 5.10 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 1 | 6.50 |
It may take a day or so for new Perforce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Perforce Security Vulnerabilities
In Helix Sync versions prior to 2024.1, a local command injection was identified
CVE-2024-0325
7.8 - High
- February 01, 2024
In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.
Command Injection
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified
CVE-2023-35767
7.5 - High
- November 08, 2023
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Jason Geffner.
Resource Exhaustion
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2
CVE-2023-45849
9.8 - Critical
- November 08, 2023
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner.
Code Injection
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified
CVE-2023-45319
7.5 - High
- November 08, 2023
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified. Reported by Jason Geffner.
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified
CVE-2023-5759
7.5 - High
- November 08, 2023
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified. Reported by Jason Geffner.
Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as
CVE-2022-2394
3.5 - Low
- July 19, 2022
Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise.
Insertion of Sensitive Information into Log File
An issue was discovered in Wind River VxWorks 7 before 21.03
CVE-2021-29997
5.3 - Medium
- April 13, 2021
An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to buffer over-read on IKE.
Out-of-bounds Read
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data
CVE-2021-28973
4.9 - Medium
- April 13, 2021
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
XXE
An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java
CVE-2018-1000147
6.5 - Medium
- April 05, 2018
An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to obtain Perforce passwords configured in jobs.
Information Disclosure
Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code
CVE-2015-8965
9.8 - Critical
- April 06, 2017
Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar does not require explicit configuration of servlets that can be called.
Permissions, Privileges, and Access Controls