Security CERT Global

    • CVE-2021-21251
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue ...
    • CVE-2021-21246
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to ...
    • CVE-2021-21248
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint ...
    • CVE-2021-21250
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to ...
    • CVE-2021-21242
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to ...
    • CVE-2021-21245
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a ...
    • CVE-2021-21249
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can ...
    • CVE-2021-21247
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) ...
    • CVE-2021-3162
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. ...
    • CVE-2020-25533
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action ...
    • CVE-2021-0208
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS allows an attacker ...
    • CVE-2021-0206
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to send a specific packet causing the ...
    • CVE-2020-16255
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.' ...
    • CVE-2021-0207
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** An improper interpretation conflict of certain data between certain software components within the Juniper Networks Junos OS devices does not ...
    • CVE-2021-0210
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** An Information Exposure vulnerability in J-Web of Juniper Networks Junos OS allows an unauthenticated attacker to elevate their privileges over ...
    • CVE-2021-0205
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using ...
    • CVE-2021-0202
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** On Juniper Networks MX Series and EX9200 Series platforms with Trio-based MPC (Modular Port Concentrator) where Integrated Routing and Bridging ...
    • CVE-2021-0209
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** In Juniper Networks Junos OS Evolved an attacker sending certain valid BGP update packets may cause Junos OS Evolved to ...
    • CVE-2021-0203
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** On Juniper Networks EX and QFX5K Series platforms configured with Redundant Trunk Group (RTG), Storm Control profile applied on the ...
    • CVE-2021-0204
      Severity: None. Published: 15/01/2021. Last revised: 15/01/2021. Description: *** Translation pending *** A sensitive information disclosure vulnerability in delta-export configuration utility (dexp) of Juniper Networks Junos OS may allow a locally authenticated ...
    • CVE-2021-21246
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However ...
    • CVE-2021-21250
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, ...
    • CVE-2021-21242
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the ...
    • CVE-2020-25533
      An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated ...
    • CVE-2021-3162
      Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. ...
    • CVE-2021-21249
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse ...
    • CVE-2021-21247
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener ...
    • CVE-2021-21245
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary ...
    • CVE-2021-21248
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build ...
    • CVE-2021-21251
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint ...
    • CVE-2021-21244
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in ...
    • CVE-2020-24640
      There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete ...
    • CVE-2020-24638
      Multiple authenticated remote command executions are possible in Airwave Glass before 1.3.3 via the glassadmin cli. These allow for a user with glassadmin privileges to execute arbitrary code as root ...
    • CVE-2020-24641
      In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can ...
    • CVE-2020-24639
      There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete ...
    • CVE-2021-21243
      OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not ...
    • CVE-2021-1213 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1206 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1211 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1207 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1212 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1199 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1214 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1209 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1210 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • CVE-2021-1208 (application_extension_platform, rv110w_firmware, rv130_vpn_router_firmware, rv130w_firmware, rv215w_wireless-n_vpn_router_firmware)
      Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an ...
    • NSA Releases Guidance on Encrypted DNS in Enterprise Environments
      Original release date: January 15, 2021. The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport ...
    • CVE-2021-0219
      A command injection vulnerability in the install package validation subsystem of Juniper Networks Junos OS may allow a locally authenticated attacker with privileges to execute commands with root privilege. To ...
    • CVE-2021-0212
      An Information Exposure vulnerability in Juniper Networks Contrail Networking allows a locally authenticated attacker able to read files to retrieve administrator credentials stored in plaintext, thereby elevating their privileges over ...
    • CVE-2021-0206
      A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to send a specific packet causing the packet forwarding engine (PFE) to crash and restart, resulting in ...

IT-OT collaboration needs context and increased visibility

Information technology (IT) and operational technology (OT) are continuing the process of […]

Secure design principles: Guides for the design of Cyber Secure systems: Security design principles and virtualisation

Secure design principles: Guides for the design of Cyber Secure systems: Security design principles and virtualisation. https://www.ncsc.gov.uk/collection/cyber-security-design-principles/examples/study-virtualisation Tags: icssecurity, infosec, cybersecurity, criticalinfrastructure, IndustrialControlSystems, virtualisation

Secure design principles: Guides for the design of Cyber Secure systems: Design principles and Operational Technology

Secure design principles: Guides for the design of Cyber Secure systems: Design principles and Operational Technology. https://www.ncsc.gov.uk/collection/cyber-security-design-principles/examples/study-operational-tech Tags: icssecurity, infosec, cybersecurity, criticalinfrastructure, IndustrialControlSystems, OT

Cybersecurity Capability Maturity Model (C2M2) Program

Cybersecurity Capability Maturity Model (C2M2) Program. https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0 Tags: icssecurity, infosec, cybersecurity, criticalinfrastructure, IndustrialControlSystems

Strategic Efficiency Consortium Security Intelligence Data Platform: Work Flow + Content Map – Jan 2019

SEC Industrial Security Intelligence Data Platform Work Flow. SEC Industrial Security Intelligence Data Platform Content Map, updated Jan 2019. Document: […]

SEC Industrial Security Intelligence Data Platform 2019 Document

Strategic Efficiency Consortium Platform Work Flow and Content Map, updated for 2019. SEC Industrial Security Intelligence Data Platform 2019 Document. Document: […]

Strategic Efficiency Consortium Security Intelligence Reading and References – SEC Report

Reading and References. Competitive Intelligence – CI For Beginners Part 1: Insight Work. “Intelligence is a set […]

SEC Threat Intelligence as a Critical Organizational Need – SEC Report

The critical need for an evidence-based, automated, holistic approach to the threat landscape. These are challenging times […]

SEC Security Data Services – SEC Report

This service is specifically designed to deliver well-defined deliverables for the critical intelligence demands of our client. These […]