Skip to content

Latest commit

Β 

History

History
Β 
Β 

2014

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
CVE-2014-3120.json
CVE-2014-3120.json
Β 
Β 
CVE-2014-4078.json
CVE-2014-4078.json
Β 
Β 
CVE-2014-6271.json
CVE-2014-6271.json
Β 
Β 
README.md
README.md
Β 
Β 
metadata.json
metadata.json
Β 
Β 

README.md

2014 List

CVE-2014-6271 (2014-09-24T18:48:00)

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-4078 (2014-11-11T22:55:00)

The IP Security feature in Microsoft Internet Information Services (IIS) 8.0 and 8.5 does not properly process wildcard allow and deny rules for domains within the "IP Address and Domain Restrictions" list, which makes it easier for remote attackers to bypass an intended rule set via an HTTP request, aka "IIS Security Feature Bypass Vulnerability."

CVE-2014-3120 (2014-07-28T19:55:00)

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.