We have compiled a list of Security Vulnerabilities that were discovered in April 2021. We are available to assist you if you need help applying or investigating these vulnerabilities.
Google Chrome Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-21199 | 09/04/2021 | 6.8 | Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21197 | 09/04/2021 | 6.8 | Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21195 | 09/04/2021 | 6.8 | Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21194 | 09/04/2021 | 6.8 | Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21226 | 26/04/2021 | 6.8 | Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2021-21225 | 26/04/2021 | 6.8 | Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21224 | 26/04/2021 | 6.8 | Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |
| CVE-2021-21223 | 26/04/2021 | 6.8 | Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2021-21220 | 26/04/2021 | 6.8 | Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21214 | 26/04/2021 | 6.8 | Use after free in Network API in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. |
| CVE-2021-21213 | 26/04/2021 | 6.8 | Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21207 | 26/04/2021 | 6.8 | Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. |
| CVE-2021-21206 | 26/04/2021 | 6.8 | Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21203 | 26/04/2021 | 6.8 | Use after free in Blink in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21202 | 26/04/2021 | 6.8 | Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. |
| CVE-2021-21201 | 26/04/2021 | 6.8 | Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
| CVE-2021-21232 | 30/04/2021 | 6.8 | Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21230 | 30/04/2021 | 6.8 | Type confusion in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2021-21227 | 30/04/2021 | 6.8 | Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
RedHat RHEL Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-20291 | 01/04/2021 | 7.1 | A deadlock vulnerability was found in ‘github.com/containers/storage’ in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS). |
| CVE-2021-3448 | 08/04/2021 | 4.3 | A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. |
| CVE-2021-3487 | 15/04/2021 | 7.1 | There’s a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption. |
| CVE-2021-20208 | 19/04/2021 | 4.9 | A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity. |
| CVE-2021-2144 | 20/04/2021 | 6.5 | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. |
| CVE-2021-20228 | 29/04/2021 | 5 | A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality. |
Windows 10 Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-28445 | 13/04/2021 | 6.5 | Windows Network File System Remote Code Execution Vulnerability |
| CVE-2021-28444 | 13/04/2021 | 4 | Windows Hyper-V Security Feature Bypass Vulnerability |
| CVE-2021-28442 | 13/04/2021 | 4 | Windows TCP/IP Information Disclosure Vulnerability |
| CVE-2021-28440 | 13/04/2021 | 4.6 | Windows Installer Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26415. |
| CVE-2021-28326 | 13/04/2021 | 4.3 | Windows AppX Deployment Server Denial of Service Vulnerability |
| CVE-2021-28320 | 13/04/2021 | 4.6 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability |
| CVE-2021-28314 | 13/04/2021 | 4.6 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2021-28312 | 13/04/2021 | 4.3 | Windows NTFS Denial of Service Vulnerability |
| CVE-2021-28311 | 13/04/2021 | 4.3 | Windows Application Compatibility Cache Denial of Service Vulnerability |
| CVE-2021-27096 | 13/04/2021 | 4.6 | NTFS Elevation of Privilege Vulnerability |
| CVE-2021-27092 | 13/04/2021 | 7.5 | Azure AD Web Sign-in Security Feature Bypass Vulnerability |
| CVE-2021-27090 | 13/04/2021 | 4.6 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
| CVE-2021-27089 | 13/04/2021 | 6.8 | Microsoft Internet Messaging API Remote Code Execution Vulnerability |
| CVE-2021-27088 | 13/04/2021 | 4.6 | Windows Event Tracing Elevation of Privilege Vulnerability |
| CVE-2021-27086 | 13/04/2021 | 4.6 | Windows Services and Controller App Elevation of Privilege Vulnerability |
| CVE-2021-27079 | 13/04/2021 | 6.3 | Windows Media Photo Codec Information Disclosure Vulnerability |
| CVE-2021-26416 | 13/04/2021 | 7.8 | Windows Hyper-V Denial of Service Vulnerability |
Windows Server 2012 Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-28445 | 13/04/2021 | 6.5 | Windows Network File System Remote Code Execution Vulnerability |
| CVE-2021-28444 | 13/04/2021 | 4 | Windows Hyper-V Security Feature Bypass Vulnerability |
| CVE-2021-27096 | 13/04/2021 | 4.6 | NTFS Elevation of Privilege Vulnerability |
| CVE-2021-27091 | 13/04/2021 | 4.6 | RPC Endpoint Mapper Service Elevation of Privilege Vulnerability |
| CVE-2021-27089 | 13/04/2021 | 6.8 | Microsoft Internet Messaging API Remote Code Execution Vulnerability |
Windows Server 2016 Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-28445 | 13/04/2021 | 6.5 | Windows Network File System Remote Code Execution Vulnerability |
| CVE-2021-28444 | 13/04/2021 | 4 | Windows Hyper-V Security Feature Bypass Vulnerability |
| CVE-2021-28442 | 13/04/2021 | 4 | Windows TCP/IP Information Disclosure Vulnerability |
| CVE-2021-28320 | 13/04/2021 | 4.6 | Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability |
| CVE-2021-28314 | 13/04/2021 | 4.6 | Windows Hyper-V Elevation of Privilege Vulnerability |
HPE Proliant Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-26580 | 01/04/2021 | 4.3 | A potential security vulnerability has been identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS). HPE has provided the following software update to resolve the vulnerability in HPE iLO Amplifier Pack: HPE iLO Amplifier Pack 1.80 or later. |
VMware vSphere Vulnerabilities
| CVE Number | Date of Release | Severity | Description |
| CVE-2021-21981 | 19/04/2021 | 4.6 | VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level. |