Support Content Notification - Support Portal

Brocade SANnav Vulnerability Disclosures

Product/Component

Brocade SANnav

1 more products

Notification Id

24999

Last Updated

19 February 2026

Initial Publication Date

15 October 2024

Status

OPEN

Severity

HIGH

CVSS Base Score

Varies

WorkAround

Affected CVE

Multiple

Brocade Security Advisories posted on February 19, 2026

CVEs addressed in SANnav 9.x OS OVA patch

CVE-2025-15467
OpenSSL Stack buffer overflow in CMS AuthEnvelopedData parsing
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36980

CVE-2025-61985
OpenSSH security update (CVE-2025-61985)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36979

=======================================

Brocade Security Advisories posted on January 27, 2026

CVEs addressed in SANnav v3.0.0 and v2.4.0b

CVE-2025-12680
SANnav DataBase password in plain text is logged in failover logs
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36844

CVE-2025-12679
Plain text pbe key visible in audit log during migration from 2.4.0a to 3.0.0
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36845

CVE-2025-12772
Plaintext Switch admin login password is seen in Brocade SANnav support save 3.0.0
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36846

CVE-2025-12773
Plain password is logged in the audit logs while executing 'update-reports-purge-settings.sh' script
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36847

CVE-2025-21991
Nessus detected vulnerability in the Brocade SANnav OVA base image (CVE-2025-21991)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36804

CVE-2024-3661, CVE-2024-11187, CVE-2024-12797
Rocky Linux Updates applied to SANnav
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36805

CVE-2025-26465
Vulnerability in OpenSSH when the VerifyHostKeyDNS option is enabled
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36806

CVE-2025-32728
The DisableForwarding directive does not fully adhere to the intended functionality as documented
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36639

CVE-2025-4207
PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36807

CVE-2024-7264
libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36808

CVE-2025-8713, CVE-2025-8714, CVE-2025-8715
Postgres vulnerabilities (CVE-2025-8713, CVE-2025-8714, CVE-2025-8715)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36809

CVE-2023-25194, CVE-2025-27819, CVE-2025-27818, CVE-2022-34917, CVE-2024-31141, CVE-2024-56128
Multiple Vulnerabilities in Apache Kafka
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36810

CVE-2024-9143
Low-level invalid GF(2^m) parameters lead to OOB memory access
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36811

CVE-2025-23165, CVE-2025-23166, CVE-2025-23167
Multiple Vulnerabilities in Node.js (Wednesday, May 14, 2025 Security Releases). Nessus Plugin ID 236766
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36812

CVE-2025-50059, CVE-2025-30749, CVE-2025-50106, CVE-2025-23166, CVE-2025-30754
Oracle Java SE Updates (July 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36813

CVEs addressed in SANnav v3.0.0

CVE-2025-12774
SQL queries with sensitive information printed in logs
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36848

CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262
Spring Framework DoS (CVE-2024-38808, CVE-2024-38809 and CVE-2024-22262)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36814

CVE-2024-24549
DoS due to improper input validation vulnerability in Apache Tomcat
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36815

CVE-2025-4947, CVE-2025-5025
Curl vulnerabilities detected in SANnav images (CVE-2025-4947, CVE-2025-5025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36816

=======================================

Brocade Security Advisories posted on October 14, 2025

CVE addressed in SANnav v2.4.0a

CVE-2024-12243
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/36219

=======================================

Brocade Security Advisories posted on July 8, 2025

CVE addressed in SANnav v2.4.0a

CVE-2025-4662
Plaintext security passwords are logged in the audit logs while executing openssl cmd
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35908

CVE-2025-6390
Cleartext storage of sensitive information in Brocade SANnav server audit logs
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35909

CVE-2025-6392
Daily Data Dump Collector logs database password in cleartext when running docker exec commands
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35910

Multiple Rocky Linux updates applied to Brocade SANnav OVA 2.4.0a
OVA base image related vulnerabilities
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35918

CVE-2025-0395
GNU Glibc Vulnerable to Memory Corruption via Heap Buffer Overflow during 'assert()' Failure
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35919

CVE-2025-23083, CVE-2024-54534, CVE-2024-47606, CVE-2025-21587, CVE-2025-30698, CVE-2025-30691
Oracle Java SE Multiple Vulnerabilities (April 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35911

CVE-2025-0509, CVE-2025-21502
Oracle Java SE Multiple Vulnerabilities (January 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35912

CVE-2024-36138, CVE-2023-42950, CVE-2024-25062, CVE-2024-21235, CVE-2024-21210, CVE-2024-21211, CVE-2024-21208, CVE-2024-21217
Oracle Java SE Multiple Vulnerabilities (October 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35913

CVE-2025-0509, CVE-2025-21502
Azul Zulu Java Multiple Vulnerabilities (January 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35914

CVE-2024-36138, CVE-2023-42950, CVE-2024-25062, CVE-2024-21235, CVE-2024-21210, CVE-2024-21211, CVE-2024-21208, CVE-2024-21217
Azul Zulu Java Multiple Vulnerabilities (October 2025)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35915

CVE-2025-1094, CVE-2024-10979, CVE-2024-10978, CVE-2024-10977, CVE-2024-10976, CVE-2024-7348, CVE-2024-1597
Multiple vulnerabilities detected in PostgreSQL
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35916

CVE-2024-47561
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35917

CVE addressed in SANnav v2.4.0a and v2.3.1b

CVE-2022-48687
Linux Kernel IPv6 Segment Routing Vulnerable to Out-of-Bounds Read via Crafted Netlink Message in SRv6 Layer
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35920

=======================================

Brocade Security Advisories posted on February 27, 2025

CVEs addressed in SANnav v2.3.1b and v2.4.0

CVE-2024-32487
less Vulnerable to Arbitrary Code Execution via OS Command Execution via newline Character in Filename
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25432

CVE-2024-38428
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent
(PSIRT Risk: Low for SANnav)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25430

=======================================

Brocade Security Advisories posted on February 13, 2025

CVEs addressed in SANnav v2.3.1b and v2.4.0

ROCKY LINUX Upgrade for RLSA-2024:5530, RLSA-2024:5101, RLSA-2024:4583, RLSA-2024:3501, RLSA-2024:3513, RLSA-2024:3619, RLSA-2024:4349, RLSA-2024:4078, RLSA-2024:2758, RLSA-2024:2758
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25398

CVE-2025-1053
Encryption key is logged in the debug logs
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25399

CVE-2024-4282
Weak TLS Ciphers on Brocade OVA SSH port 22
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25400

CVE-2024-2240
Docker implementation in Brocade SANnav is missing audit rules
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25401

CVE-2024-10405
Weak TLS Ciphers on port 443 and 18082
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25402

CVE-2024-10404
Clear text password seen in switch-asset-collectors-mw for supportsave
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25403

CVE-2024-4317
PostgreSQL Vulnerable to Privilege Escalation via Improper Checks in 'pg_stats_ext' and 'pg_stats_ext_exprs' Functions
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25404

CVE-2024-2398, CVE-2024-2466, CVE-2024-2004, CVE-2024-0853
Multiple CURL vulnerabilities in Brocade SANnav OVA deployments before SANnav 2.3.1b
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25405

CVE-2024-0985
PostgreSQL Vulnerable to Privileged Execution of Arbitrary SQL due to Late Privilege Drop in 'REFRESH MATERIALIZED VIEW CONCURRENTLY'
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25406

CVE-2023-5870
PostgreSQL Vulnerable to Denial-of-Service (DoS) in 'pg_signal_backend()'
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25407

CVE-2022-38178
ISC BIND 9 Vulnerable to Denial-of-Service (DoS) via Memory Leaks in EdDSA DNSSEC Verification
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25408

AZUL Zulu Java -- July 2024 Update
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25409

Oracle Critical Patch Update Advisory -- July 2024
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25410

CVE-2024-25710, CVE-2024-26308
Apache Commons Vulnerabilities
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25411

CVE-2024-1597
PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25412

CVE-2023-34455
snappy-java Vulnerable to Denial-of-Service (DoS) due to Improper Input Validation in File 'SnappyInputStream.java'
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25413

CVE-2022-48174
Stack overflow vulnerability in ash.c:6030 in busybox before 1.35 can be executed from command to arbitrary code execution.
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25414

CVE-2022-28391
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25415

=======================================

Previously Disclosed Security Advisories

Rocky Linux OVA updates: kernel (RLSA-2024:8856) expat (RLSA-2024:9502, RLSA-2024-6989) bzip2 (RLSA-2024:8922) krb5 (RLSA-2024:8860) and python3 (RLSA-2024:6975)
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25416

CVE-2024-29018
By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25073

CVE-2024-26923
Linux Kernel Vulnerable to Dangling Pointer via Garbage Collector Racing Against Connect() in AF_UNIX Module
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35818

CVE-2023-0394
Linux Kernel Vulnerable to Denial-of-Service (DoS) via NULL Pointer Dereference in 'rawv6_push_pending_frames()' Function in 'raw.c' File
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/35817

CVE-2022-48624
close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE
(PSIRT Risk for SANnav: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/24994

CVE-2024-6387
Remote Unauthorized Code Execution Vulnerability in openSSH server (regreSSHion)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/24691

CVE-2022-2068
openssl file names of certificates being hashed were possibly passed to a command executed through the shell
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22396

CVE-2024-2860
The Postgres implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/24260

CVE-2023-51385
OpenSSH is vulnerable to an OS command injection issue due to how user name and host name values are processed and referenced by expansion tokens.
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25238

CVE-2023-42795
Apache Tomcat - Information disclosure
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25158

CVE-2023-5869
Buffer overrun from integer overflow in array modification
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25092

CVE-2023-5868
PostgreSQL Memory disclosure in aggregate function calls
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25093

CVE-2024-20952, CVE-2024-20945, CVE-2024-20926, CVE-2024-20921, CVE-2024-20919, CVE-2024-20918
Oracle Critical Patch Update Advisory - January 2024
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25160

CVE-2023-22025, CVE-2023-22067, CVE-2023-22081
Azul Zulu Java Multiple Vulnerabilities (2023-10-17)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25159

CVE-2024-23653, CVE-2024-21626
Container vulnerabilities in Brocade SANnav docker containers
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/25074

CVE-2023-52160
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/24987

CVE-2024-29969
TLS/SSL weak message authentication code ciphers are added by default for port 18082
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23251

CVE-2024-29968
SQL Table names, column names, and SQL queries are collected in DR standby Supportsave
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23253

CVE-2024-29966
hard-coded credential in the documentation that appear as the root password
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23255

CVE-2024-29961
Ping at regular intervals
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23246

CVE-2024-29959
Brocade Fabric OS switch encrypted passwords in the Brocade SANnav Standby node support save
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23243

CVE-2024-29958
Encryption key in the console
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23242

CVE-2024-29957
The encryption key is stored in the DR log files
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23241

CVE-2023-39417
Extension script @substitutions@ within quoting allow SQL injection
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23259

CVE-2024-29965
A local attacker can recover backup files, restore them to a new malicious appliance, and retrieve the passwords of all the switches
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23250

CVE-2024-29964
Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23249

CVE-2024-29962
Insecure file permission setting that makes files world-readable
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23248

CVE-2024-29960
Identical SSH keys utilized inside the OVA image
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23244

CVE-2024-29956
cleartext password in supportsave logs when a user schedules a switch Supportsave from Brocade SANnav
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23240

CVE-2024-29955
SANnav encrypted key in PostgreSQL startup logs
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23239

CVE-2024-29952
plaintext passwords storage in logs by manipulating command variables
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23238

CVE-2024-29951
SHA-1 hash in internal SSH ports that are not open to remote connection
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23237

CVE-2024-29950
The class FileTransfer implemented uses the ssh-rsa signature scheme
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23236

CVE-2024-4159
SANnav before v2.3.0a lacks protection mechanisms on port 2377/TCP and 7946/TCP
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23282

CVE-2023-34478
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23256

CVE-2023-39410
Apache Avro Java SDK vulnerable to Improper Input Validation
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23262

CVE-2023-22006, CVE-2023-22036, CVE-2023-22041, CVE-2023-22043, CVE-2023-22044, CVE-2023-22045, CVE-2023-22049
Azul Zulu Java Multiple Vulnerabilities (July 2023 update)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23263

CVE-2023-22041, CVE-2023-25193, CVE-2023-22045, CVE-2023-22049, CVE-2023-22036, CVE-2023-22006
Oracle Java SE Multiple Vulnerabilities (July 2023 CPU)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23260

CVE-2023-20863
Spring Expression DoS Vulnerability
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23257

CVE-2023-20861
Spring Expression DoS Vulnerability
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23261

CVE-2024-29967
Docker instances inside the appliance have insecure mount points, allowing reading and writing access to sensitive files
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23254

CVE-2024-29963
Hardcoded TLS keys used by Docker
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23247

CVE-2024-4161
Syslog traffic sent in clear-text
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23284

CVE-2023-31424
Web authentication and authorization bypass
(PSIRT Risk: High)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22507

CVE-2024-2859
By default, SANnav OVA is shipped with root user login enabled
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/23245

CVE-2023-31925
Storage of clear text password in Brocade SANnav
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22506

CVE-2023-31423
Possible information exposure through log file vulnerability
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22508

CVE-2023-21830, CVE-2023-21835, CVE-2023-21843
Oracle Java SE Multiple Vulnerabilities (Jan 2023 CPU update)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22454

CVE-2022-43937
Sensitive fields are recorded in the debug-enabled logs
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22509

CVE-2022-41946
Vulnerable postgresql component found in SANnav RPM package
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22502

CVE-2022-40664
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22449

CVE-2022-25647
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22450

CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-39399
Azul Zulu Java Multiple Vulnerabilities (Oct 2022 update)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22461

CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
Oracle Java SE Multiple Vulnerabilities (July 2022 CPU update)
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22463

CVE-2022-2625
PostgreSQL vulnerability in SANnav 2.2.0.2
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22465

CVE-2016-1000027
Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data
(PSIRT Risk: Medium)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22456

CVE-2022-33980
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22448

CVE-2022-22950
Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22503

CVE-2022-21449, CVE-2022-21476, CVE-2022-21426
Oracle Java SE Multiple Vulnerabilities (Apr 2022 CPU update)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22462

CVE-2022-21248 CVE-2022-21277 CVE-2022-21366 CVE-2022-21282 CVE-2022-21296 CVE-2022-21283 CVE-2022-21291 CVE-2022-21305 CVE-2022-21293 CVE-2022-21294 CVE-2022-21340 CVE-2022-21299 CVE-2022-21341 CVE-2022-21349 CVE-2022-21360 CVE-2022-21365
Azul Zulu Java Multiple Vulnerabilities (Jan 2022 Java update)
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22464

CVE-2018-17190
An improper access control vulnerability has been discovered in Apache Spark
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22460

CVE-2018-1273
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22459

CVE-2017-7657
A remote attacker can supply specially crafted transfer-encoding chunks to Eclipse Jetty that may bypass the authorization checks of an intermediary caching proxy
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22458

CVE-2015-1315
Buffer overflow in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string
(PSIRT Risk: Low)
https://support.broadcom.com/external/content/SecurityAdvisories/0/22457

Revision History

Version	Change	Date
1.0	Initial Publication	October 14, 2024
1.1	Additional BSAs for security vulnerabilities posted on November 2nd, 2024 for SANnav 2.3.1a and 2.3.0a	November 12, 2024
1.2	Updated with CVE-2023-51385 posting	January 7, 2025
2.0	Brocade SANnav 2.3.1b and 2.4.0 security postings	February 13, 2025
2.1	Updated with CVE-2024-32487, CVE-2024-38428, CVE-2024-29018 postings	February 27, 2025
2.2	Two BSA updates for SANnav Base OS (OVA deployment) releases	June 10, 2025
2.3	Update SANnav 2.4.0a security postings	July 8, 2025
3.0	Brocade SANnav 3.0.0 and 2.4.0b security postings	January 27, 2026

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.