Info-security-vs-IT-security
Share on linkedin
Share on facebook
Share on twitter
Share on email

April Security Vulnerabilities

We have compiled a list of Security Vulnerabilities that were discovered in April 2021. We are available to assist you if you need help applying or investigating these vulnerabilities. 

Contact for assistance solving Security Vulnerabilities

Google Chrome Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2119909/04/20216.8Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2119709/04/20216.8Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2119509/04/20216.8Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2119409/04/20216.8Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2122626/04/20216.8Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-2122526/04/20216.8Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2122426/04/20216.8Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2021-2122326/04/20216.8Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-2122026/04/20216.8Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2121426/04/20216.8Use after free in Network API in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension.
CVE-2021-2121326/04/20216.8Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2120726/04/20216.8Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
CVE-2021-2120626/04/20216.8Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2120326/04/20216.8Use after free in Blink in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2120226/04/20216.8Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
CVE-2021-2120126/04/20216.8Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2021-2123230/04/20216.8Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2123030/04/20216.8Type confusion in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-2122730/04/20216.8Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

RedHat RHEL Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2029101/04/20217.1A deadlock vulnerability was found in ‘github.com/containers/storage’ in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
CVE-2021-344808/04/20214.3A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
CVE-2021-348715/04/20217.1There’s a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.
CVE-2021-2020819/04/20214.9A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2021-214420/04/20216.5Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
CVE-2021-2022829/04/20215A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

Windows 10 Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2844513/04/20216.5Windows Network File System Remote Code Execution Vulnerability
CVE-2021-2844413/04/20214Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2021-2844213/04/20214Windows TCP/IP Information Disclosure Vulnerability
CVE-2021-2844013/04/20214.6Windows Installer Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26415.
CVE-2021-2832613/04/20214.3Windows AppX Deployment Server Denial of Service Vulnerability
CVE-2021-2832013/04/20214.6Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2021-2831413/04/20214.6Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2021-2831213/04/20214.3Windows NTFS Denial of Service Vulnerability
CVE-2021-2831113/04/20214.3Windows Application Compatibility Cache Denial of Service Vulnerability
CVE-2021-2709613/04/20214.6NTFS Elevation of Privilege Vulnerability
CVE-2021-2709213/04/20217.5Azure AD Web Sign-in Security Feature Bypass Vulnerability
CVE-2021-2709013/04/20214.6Windows Secure Kernel Mode Elevation of Privilege Vulnerability
CVE-2021-2708913/04/20216.8Microsoft Internet Messaging API Remote Code Execution Vulnerability
CVE-2021-2708813/04/20214.6Windows Event Tracing Elevation of Privilege Vulnerability
CVE-2021-2708613/04/20214.6Windows Services and Controller App Elevation of Privilege Vulnerability
CVE-2021-2707913/04/20216.3Windows Media Photo Codec Information Disclosure Vulnerability
CVE-2021-2641613/04/20217.8Windows Hyper-V Denial of Service Vulnerability

Windows Server 2012 Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2844513/04/20216.5Windows Network File System Remote Code Execution Vulnerability
CVE-2021-2844413/04/20214Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2021-2709613/04/20214.6NTFS Elevation of Privilege Vulnerability
CVE-2021-2709113/04/20214.6RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
CVE-2021-2708913/04/20216.8Microsoft Internet Messaging API Remote Code Execution Vulnerability

Windows Server 2016 Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2844513/04/20216.5Windows Network File System Remote Code Execution Vulnerability
CVE-2021-2844413/04/20214Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2021-2844213/04/20214Windows TCP/IP Information Disclosure Vulnerability
CVE-2021-2832013/04/20214.6Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability
CVE-2021-2831413/04/20214.6Windows Hyper-V Elevation of Privilege Vulnerability

HPE Proliant Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2658001/04/20214.3A potential security vulnerability has been identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS). HPE has provided the following software update to resolve the vulnerability in HPE iLO Amplifier Pack: HPE iLO Amplifier Pack 1.80 or later.

VMware vSphere Vulnerabilities

CVE NumberDate of ReleaseSeverityDescription
CVE-2021-2198119/04/20214.6VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.

For more information and pricing for any of our services either for yourself or for your customers you can contact us below