KB Article #179737

Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2010

List of possible security vulnerabilities reported against SecureTransport and corresponding analysis based on Axway's research.

Additional lists of security vulnerabilities reported against SecureTransport application without formal CVE/CWE identifiers or against ST appliance platforms can be found at :

CVE Reference	CVSS v2 Base Score	Attack Vector	Version Reported	Version Fixed	KB Article

CVE-2010-4411	4.3	Network	5.2.1 SP4	5.2.1 SP5	-
Added: N/A			Last modified: N/A
Fixed with an update of the affected Perl modules in ST 5.2.1 SP5.

CVE-2010-4410	4.3	Network	5.2.1 SP4	5.2.1 SP5	-
Added: N/A			Last modified: N/A
Fixed with an update of the affected Perl modules in ST 5.2.1 SP5.

CVE-2010-2761	4.3	Network	5.2.1 SP4	5.2.1 SP5	-
Added: N/A			Last modified: N/A
Fixed with an update of the affected Perl modules in ST 5.2.1 SP5.

CVE-2010-2253	6.8	Network	5.2.1 SP4	5.2.1 SP5	-
Added: N/A			Last modified: N/A
Fixed with an update of the affected Perl modules in ST 5.2.1 SP5.

CVE-2010-4172	4.3	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST 5.1 as `sessionsList.jsp` and `sessionDetail.jsp` are not deployed and thus are not used.

CVE-2010-5298	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
Not vulnerable. Mode `SSL_MODE_RELEASE_BUFFERS` is not enabled.

CVE-2010-3840	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as the function `PolyFromWKB` is not used.

CVE-2010-3839	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users cannot execute arbitrary code and ST does not execute prepared statements/stored procedures with the described behaviour.

CVE-2010-3838	5.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable because ST does not use such queries.

CVE-2010-3837	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as such prepared statements are not used.

CVE-2010-3835	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users cannot execute arbitrary code.

CVE-2010-3834	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users cannot execute arbitrary code.

CVE-2010-3833	5.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST. Remote users cannot execute arbitrary code and ST does not use the described scenario.

CVE-2010-3718	1.2	Local	5.1	N/A	-
Added: N/A			Last modified: N/A
This issue is not applicable for ST as users cannot plug in custom applications.

CVE-2010-3683	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This issue is not applicable for ST.

CVE-2010-3682	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST. Remote users cannot execute EXPLAIN.

CVE-2010-3681	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users cannot use the HANDLER interface.

CVE-2010-3680	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users should not be able to execute arbitrary code.

CVE-2010-3679	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users should not have access to the database.

CVE-2010-3678	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as the WITH ROLLUP modifier is not used.

CVE-2010-3677	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as there are no SET columns.

CVE-2010-3676	4.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote users cannot execute DDL statements.

CVE-2010-2227	6.4	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST.

CVE-2010-2068	5.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
The module `mod_proxy_http` is not enabled by default by ST but comes as part of the Apache distribution.

CVE-2010-2008	3.5	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST. Remote users cannot alter the db tables.

CVE-2010-1850	6.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST. Remote users cannot execute arbitrary code.

CVE-2010-1849	5.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST as remote access to the database is not allowed.

CVE-2010-1848	6.5	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST because direct access to the database is not allowed.

CVE-2010-1626	3.6	Local	5.1	N/A	-
Added: N/A			Last modified: N/A
Not applicable for ST. We use MyISAM only for the table `st_version`.

CVE-2010-1623	5.0	Network	5.1	N/A<	-
Added: N/A			Last modified: N/A
This is not applicable for ST 5.1.

CVE-2010-1621	5.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This issue is not applicable for ST as mysql and mysql plugins cannot be installed remotely.

CVE-2010-1157	2.6	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
This is not applicable for ST. Admin UI does not use basic authentication. When using basic authentication for end user UI the server name and port are not sent.

CVE-2010-0434	4.3	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
ST uses multithreaded MPMs only for the Admin ui on Windows. In all other cases are use non-threaded MPMs (the vulnerability is for multithreaded MPMs).

CVE-2010-0425	10.0	Network	5.1	N/A	-
Added: N/A			Last modified: N/A
The module `mod_isapi` is not enabled by default by ST but comes as part of the Apache distribution.

CVE-2010-0408	5.0	Network	4.9.2 SP2	N/A	-
Added: N/A			Last modified: N/A
Not applicable for ST. ST comes with neither `mod_proxy_ajp` nor `mod_proxy` enabled.

Still need help?