CVE-2025-46328 |
Description: snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10.0 to before 2.0.4 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS, the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 2.0.4.
CVSS: LOW (3.3) EPSS Score: 0.01%
April 28th, 2025 (about 1 month ago)
|
CVE-2025-46327 |
Description: gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS, the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 1.13.3.
CVSS: LOW (3.3) EPSS Score: 0.01%
April 28th, 2025 (about 1 month ago)
|
CVE-2025-46326 |
Description: snowflake-connector-net is the Snowflake Connector for .NET. Versions starting from 2.1.2 to before 4.4.1 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided file. On Linux and macOS, the Connector verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Connector. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 4.4.1.
CVSS: LOW (3.3) EPSS Score: 0.01%
April 28th, 2025 (about 1 month ago)
|
CVE-2025-0049 |
Description: When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path, which may allow fuzzing for application mapping.
This issue affects GoAnywhere: before 7.8.0.
CVSS: LOW (3.5) EPSS Score: 0.03%
April 28th, 2025 (about 1 month ago)
|
CVE-2025-4032 |
Description: A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to OS command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product uses rolling releases rather than versioning, which is why information about affected and unaffected releases is unavailable.
CVSS: LOW (2.3) EPSS Score: 0.33% SSVC Exploitation: poc
April 28th, 2025 (about 1 month ago)
|
CVE-2024-12706 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenText™ Digital Asset Management. The vulnerability could allow an authenticated user to run arbitrary SQL commands on the underlying database.
This issue affects Digital Asset Management: through 24.4.
CVSS: LOW (2.1) EPSS Score: 0.02% SSVC Exploitation: none
April 28th, 2025 (about 1 month ago)
|
CVE-2025-46675 |
Description: In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking.
CVSS: LOW (3.5) EPSS Score: 0.03% SSVC Exploitation: poc
April 28th, 2025 (about 1 month ago)
|
CVE-2025-46674 |
Description: NASA CryptoLib before 1.3.2 uses Extended Procedures that are a Work in Progress (not intended for use during flight), potentially leading to a keystream oracle.
CVSS: LOW (3.5) EPSS Score: 0.03% SSVC Exploitation: poc
April 28th, 2025 (about 1 month ago)
|
CVE-2025-46614 |
Description: In Snowflake ODBC Driver before 3.7.0, in certain code paths, the Driver logged the whole SQL query at the INFO level, aka Insertion of Sensitive Information into a Log File.
CVSS: LOW (3.3) EPSS Score: 0.01% SSVC Exploitation: none
April 28th, 2025 (about 1 month ago)
|
CVE-2025-43854 |
Description: DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
CVSS: LOW (2.3) EPSS Score: 0.03%
April 28th, 2025 (about 1 month ago)
|