KB Article #179739
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2009 and earlier
List of possible security vulnerabilities reported against SecureTransport and corresponding analysis based on Axway's research.
NOTE: This KB lists only the vulnerabilities tagged with the year 2009 and earlier. For CVEs from other years, refer to the following articles:
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2018
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2017
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2016
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2015
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2014
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2013
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2012
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2011
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2010
Additional lists of security vulnerabilities reported against the SecureTransport application without formal CVE/CWE identifiers, or against ST appliance platforms, can be found at:
- Security vulnerabilities reported against SecureTransport, without formal CVE or CWE identifier
- Security vulnerabilities reported against ST appliances
CVE Reference | CVSS v2 Base Score | Attack Vector | Version Reported | Version Fixed | KB Article |
CWE-200 | 3.5 | depends on use case specifics | 5.2.x, 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
CWE-200 is a collective/generic vulnerability definition. Each separate reported issue would be treated per the specific use case, depending on issue assessment score.
A partial fix for the specific use case reported is present in ST 5.2.1 SP3.
A fix for the particular use case that has already been reported ("cache-control" parameter presence and value) would be included in a future ST product release. |
|||||
CWE-313 | 5.0 | depends on use case specifics | 5.2.x | N/A | - |
Added: N/A | Last modified: N/A | ||||
CWE-313 is a collective/generic vulnerability definition. Each separate reported issue would be treated per the specific use case, depending on issue assessment score.
A fix for the particular use case that has already been reported (Admind session cookie exposes username) would be included in a future version of ST. |
|||||
CWE-89 | N/A | Network | 5.2.1 | 5.2.1 SP4 | - |
Added: N/A | Last modified: N/A | ||||
The initially reported use case has been identified as a false positive.
Additional validations and fixes have been implemented in ST 5.2.1 SP4. |
|||||
CWE-209 | N/A | Network | 5.2.x | N/A | - |
Added: N/A | Last modified: N/A | ||||
Fix will be included in a forthcoming 5.2.x Service Pack. |
|||||
CVE-2009-4484 | 7.5 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This issue is not applicable for ST as we do not use yaSSL. |
|||||
CVE-2009-4028 | 6.8 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This issue is not applicable for ST as we do not use SSL with MySQL. |
|||||
CVE-2009-4019 | 4.0 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This issue is not applicable for ST as we do not use GeomFromWKB. |
|||||
CVE-2009-3720 | 5.0 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST 5.1. |
|||||
CVE-2009-3560 | 5.0 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST 5.1. |
|||||
CVE-2009-3095 | 7.5 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST 5.1 as |
|||||
CVE-2009-3094 | 2.6 | Network | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST 5.1 as |
|||||
CVE-2009-2412 | 10.0 | Network | 4.9.2 SP2, 5.1 | 5.1.0 SP4 | - |
Added: N/A | Last modified: N/A | ||||
Issue fixed in SecureTransport 5.1 SP4. |
|||||
CVE-2009-1195 | 4.9 | Local | 4.9.2 SP2 | N/A | - |
Added: N/A | Last modified: N/A | ||||
Not applicable for ST. |
|||||
CVE-2008-1579, CWE-209 | 5.0 | Network | 5.1 | 5.2.1.x | - |
Added: N/A | Last modified: N/A | ||||
ST 5.2.1.x is not affected. |
|||||
CVE-2008-1678 | 5.0 | Network | 4.9.2 SP2 | N/A | - |
Added: N/A | Last modified: N/A | ||||
Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support. |
|||||
CVE-2007-3008 | 4.3 | Network | N/A | N/A | - |
Added: N/A | Last modified: N/A | ||||
Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support. |
|||||
CVE-2007-5116 | 6.4 | Network | 5.0 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST. ST 5.0 comes with Perl 5.8.9-1.0.2; the CVE is addressed in Perl 5.8.8. |
|||||
SA42097 | N/A | N/A | 5.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST as EXPLAIN and types of GeometryCollection are not used. |
|||||
CVE-2005-4836 | 6.9 | Network | 5.0 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST. ST 5.0 comes with Apache Tomcat 6.0.20; the issue applies to 4.1.15 through 4.1.40. |
|||||
CVE-2005-4278 | 6.4 | Local | 5.0 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST. SecureTransport 5.0 comes with Perl 5.8.9-1.0.2 (bundled); furthermore, the issue is Gentoo-specific (the same version of the Perl package is not affected on other platforms). |
|||||
CVE-2004-2761 | 5.0 | Network | before 5.2.1 | N/A | - |
Added: N/A | Last modified: N/A | ||||
At the current stage, ST generates certificates (CA and child certs included) with the MD5 digest algorithm, and this cannot be changed. However, ST is fully capable of handling certificates that were hashed with SHA, for example. |
|||||
CVE-2004-2320 | 5.8 | Network | N/A | N/A | - |
Added: N/A | Last modified: N/A | ||||
Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support. |
|||||
CVE-2004-0230 | 5.0 | Network | 4.9.2 SP2 | N/A | KB160908 |
Added: N/A | Last modified: N/A | ||||
Not applicable for supported versions of SecureTransport. As of 3/30/2013, SecureTransport 4.9.x is End of Support. |
|||||
CVE-2004-2286 | 6.4 | Network | 5.0 | N/A | - |
Added: N/A | Last modified: N/A | ||||
This is not applicable for ST. SecureTransport 5.0 does not come with ActivePerl. |