KB Article #179739

Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2009 and earlier

List of possible security vulnerabilities reported against SecureTransport and corresponding analysis based on Axway's research.


NOTE: This KB lists only the vulnerabilities tagged with the year 2009 and earlier. For CVEs from other years, refer to the following articles:
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2018
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2017
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2016
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2015
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2014
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2013
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2012
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2011
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2010


Additional lists of security vulnerabilities reported against the SecureTransport application without formal CVE/CWE identifiers or against ST appliance platforms can be found at:



CVE Reference CVSS v2 Base Score Attack Vector Version Reported Version Fixed KB Article
CWE-200 3.5 depends on use case specifics 5.2.x, 5.1 N/A -
Added: N/A Last modified: N/A

CWE-200 is a collective/generic vulnerability definition. Each separate reported issue would be treated per the specific use case, depending on issue assessment score.


Partial fix for the specific use case reported is present in ST 5.2.1 SP3.


A fix for the particular use case that has already been reported ("cache-control" parameter presence and value) would be included in a future ST product release.

CWE-313 5.0 depends on use case specifics 5.2.x N/A -
Added: N/A Last modified: N/A

CWE-313 is a collective/generic vulnerability definition. Each separate reported issue would be treated per the specific use case, depending on issue assessment score.


A fix for the particular use case that has already been reported (Admind session cookie exposes username) would be included in a future version of ST.

CWE-89 N/A Network 5.2.1 5.2.1 SP4 -
Added: N/A Last modified: N/A

The initially reported use case has been identified as a false positive.


Additional validations and fixes have been implemented in ST 5.2.1 SP4.

CWE-209 N/A Network 5.2.x N/A -
Added: N/A Last modified: N/A

Fix will be included in a forthcoming 5.2.x Service Pack.

CVE-2009-4484 7.5 Network 5.1 N/A -
Added: N/A Last modified: N/A

This issue is not applicable for ST as we do not use yaSSL.

CVE-2009-4028 6.8 Network 5.1 N/A -
Added: N/A Last modified: N/A

This issue is not applicable for ST as we do not use SSL with MySQL.

CVE-2009-4019 4.0 Network 5.1 N/A -
Added: N/A Last modified: N/A

This issue is not applicable for ST as we do not use GeomFromWKB.

CVE-2009-3720 5.0 Network 5.1 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST 5.1.

CVE-2009-3560 5.0 Network 5.1 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST 5.1.

CVE-2009-3095 7.5 Network 5.1 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST 5.1 as mod_proxy_ftp module is not used.

CVE-2009-3094 2.6 Network 5.1 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST 5.1 as mod_proxy_ftp module is not used.

CVE-2009-2412 10.0 Network 4.9.2 SP2, 5.1 5.1.0 SP4 -
Added: N/A Last modified: N/A

Issue fixed in SecureTransport 5.1 SP4.

CVE-2009-1195 4.9 Local 4.9.2 SP2 N/A -
Added: N/A Last modified: N/A

Not applicable for ST. mod_include is enabled neither in httpd nor in admind, which effectively disables any SSI processing.

CVE-2008-1579, CWE-209 5.0 Network 5.1 5.2.1.x -
Added: N/A Last modified: N/A

ST 5.2.1.x is not affected.

CVE-2008-1678 5.0 Network 4.9.2 SP2 N/A -
Added: N/A Last modified: N/A

Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support.

CVE-2007-3008 4.3 Network N/A N/A -
Added: N/A Last modified: N/A

Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support.

CVE-2007-5116 6.4 Network 5.0 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST. ST 5.0 comes with Perl 5.8.9-1.0.2; the CVE is addressed in Perl 5.8.8.

SA42097 N/A N/A 5.1 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST as EXPLAIN and types of GeometryCollection are not used.

CVE-2005-4836 6.9 Network 5.0 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST. ST 5.0 comes with Apache Tomcat 6.0.20; the issue applies to 4.1.15 through 4.1.40.

CVE-2005-4278 6.4 Local 5.0 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST. SecureTransport 5.0 comes with Perl 5.8.9-1.0.2 (bundled); furthermore, the issue is Gentoo-specific (the same version of the Perl package is not affected on other platforms).

CVE-2004-2761 5.0 Network before 5.2.1 N/A -
Added: N/A Last modified: N/A

At the current stage, ST generates certificates (CA and child certs included) with the MD5 digest algorithm, and this cannot be changed. However, ST is completely capable of handling certs that were hashed with SHA, for example.

CVE-2004-2320 5.8 Network N/A N/A -
Added: N/A Last modified: N/A

Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support.

CVE-2004-0230 5.0 Network 4.9.2 SP2 N/A KB160908
Added: N/A Last modified: N/A

Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support.

CVE-2004-2286 6.4 Network 5.0 N/A -
Added: N/A Last modified: N/A

This is not applicable for ST. SecureTransport 5.0 does not come with ActivePerl.