Vendor CVEs
Northern.tech
All CVEs
30 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37019 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 3, 2024 | Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication. |
| CVE-2025-49603 | | Cri | 0.59 | 9.1 | 0.00 | | Jun 26, 2025 | Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. |
| CVE-2024-55959 | | Cri | 0.59 | 9.1 | 0.01 | | Jan 21, 2025 | Northern.tech Mender Client 4.x before 4.0.5 has Insecure Permissions. |
| CVE-2022-45929 | | Hig | 0.57 | 8.8 | 0.00 | | Jun 20, 2024 | Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user. |
| CVE-2026-24712 | | Hig | 0.47 | 7.3 | 0.01 | | May 14, 2026 | Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection. |
| CVE-2024-46947 | | Med | 0.42 | 6.5 | 0.00 | | Nov 8, 2024 | Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF. |
| CVE-2022-41324 | | Med | 0.42 | 6.5 | 0.00 | | Jun 20, 2024 | Northern.tech Mender 3.3.x before 3.3.2 and 3.4.x before 3.4.0 has Incorrect Access Control and allows low-privileged users default read access to some sensitive device information. |
| CVE-2026-33553 | | Med | 0.40 | 6.1 | 0.00 | | Jun 2, 2026 | Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS. |
| CVE-2026-24710 | | Med | 0.40 | 6.1 | 0.00 | | May 14, 2026 | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS. |
| CVE-2025-67903 | | Med | 0.34 | 5.3 | 0.00 | | May 27, 2026 | Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass. |
| CVE-2026-24711 | | Med | 0.34 | 5.3 | 0.00 | | May 14, 2026 | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. |
| CVE-2024-55958 | | Med | 0.31 | 4.8 | 0.00 | | Jan 21, 2025 | Northern.tech CFEngine Enterprise Mission Portal 3.24.0, 3.21.5, and below allows XSS. The fixed versions are 3.24.1 and 3.21.6. |
| CVE-2026-33552 | | Low | 0.24 | 3.7 | 0.00 | | May 27, 2026 | Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control. |
| CVE-2026-49009 | | Low | 0.20 | 3.1 | 0.01 | | May 27, 2026 | Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal. |
| CVE-2024-47190 | | Low | 0.18 | 2.7 | 0.00 | | Nov 8, 2024 | Northern.tech Hosted Mender before 2024.07.11 allows SSRF. |
| CVE-2003-0849 | | | 0.04 | — | 0.11 | | Nov 17, 2003 | Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction function when using a buffer provided by the BusyWithConnection function. |
| CVE-2024-46948 | | | 0.00 | — | 0.00 | | Nov 8, 2024 | Northern.tech Mender before 3.6.5 and 3.7.x before 3.7.5 has Incorrect Access Control. |
| CVE-2023-45684 | | | 0.00 | — | 0.01 | | Nov 14, 2023 | Northern.tech CFEngine Enterprise before 3.21.3 allows SQL Injection. The fixed versions are 3.18.6 and 3.21.3. The earliest affected version is 3.6.0. The issue is in the Mission Portal login page in the CFEngine hub. |
| CVE-2023-26560 | | | 0.00 | — | 0.01 | | Apr 25, 2023 | Northern.tech CFEngine Enterprise before 3.21.1 allows a subset of authenticated users to leverage the Scheduled Reports feature to read arbitrary files and potentially discover credentials. |
| CVE-2022-32290 | | | 0.00 | — | 0.00 | | Jul 6, 2022 | The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network… |
| CVE-2022-29556 | | | 0.00 | — | 0.01 | | Apr 28, 2022 | The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. |
| CVE-2022-29555 | | | 0.00 | — | 0.00 | | Apr 28, 2022 | The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking. |
| CVE-2021-44215 | | | 0.00 | — | 0.00 | | Mar 7, 2022 | Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact. |
| CVE-2021-44216 | | | 0.00 | — | 0.00 | | Mar 7, 2022 | Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files. |
| CVE-2021-36756 | | | 0.00 | — | 0.00 | | Oct 27, 2021 | CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation. |
| CVE-2021-38379 | | | 0.00 | — | 0.00 | | Oct 27, 2021 | The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure. |
| CVE-2021-35342 | | | 0.00 | — | 0.01 | | Aug 27, 2021 | The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification… |
| CVE-2019-19394 | | | 0.00 | — | 0.01 | | Apr 16, 2020 | Northern.tech CFEngine Enterprise before 3.10.7, 3.11.x and 3.12.x before 3.12.3, 3.13.x, and 3.14.x allows XSS. This is fixed in 3.10.7, 3.12.3, and 3.15.0. |
| CVE-2019-9929 | | | 0.00 | — | 0.02 | | Jun 6, 2019 | Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. |
| CVE-2005-3137 | | | 0.00 | — | 0.00 | | Oct 5, 2005 | The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2005-2960. |