彙總 perforce 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 路徑處理缺陷、輸入驗證問題、XXE與跨站腳本,在 生產負載與軟體部署 使用場景中可能帶來 異常行為、檔案覆寫與工作階段劫持 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-6043 | P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the built-in 'remote' user. These default settings, taken together, can lead to unauthorized access to source code repositories and other managed assets. The 2026.1 release, expected in May 2026, enforces se | [email protected] | 8.8 | 0.46% | 2026-04-24 | 2026-06-17 |
| CVE-2025-14591 | In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | [email protected] | 5.3 | 0.24% | 2025-12-19 | 2026-06-17 |
| CVE-2024-5250 | In versions of Akana API Platform prior to 2024.1.0 overly verbose errors can be found in SAML integrations | [email protected] | 3.5 | 0.29% | 2024-07-30 | 2026-06-17 |
| CVE-2024-5249 | In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed. | [email protected] | 5.4 | 0.22% | 2024-07-30 | 2026-06-17 |
| CVE-2024-3930 | In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered. | [email protected] | 6.3 | 0.31% | 2024-07-30 | 2026-06-17 |
| CVE-2024-0325 | In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins. | [email protected] | 3.6 | 0.75% | 2024-02-01 | 2026-06-17 |
| CVE-2023-5759 | In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified. Reported by Jason Geffner. | [email protected] | 7.5 | 0.95% | 2023-11-08 | 2026-06-17 |
| CVE-2023-45849 | An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner. | [email protected] | 9.0 | 1.11% | 2023-11-08 | 2026-06-17 |
| CVE-2023-45319 | In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified. Reported by Jason Geffner. | [email protected] | 7.5 | 0.95% | 2023-11-08 | 2026-06-17 |
| CVE-2023-35767 | In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Jason Geffner. | [email protected] | 7.5 | 0.95% | 2023-11-08 | 2026-06-17 |
| CVE-2022-2394 | Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise. | [email protected] | 4.1 | 0.43% | 2022-07-19 | 2026-06-17 |
| CVE-2021-28973 | The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks. | [email protected] | 4.9 | 0.89% | 2021-04-13 | 2026-06-16 |
| CVE-2013-1410 | Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities | [email protected] | 6.1 | 1.50% | 2020-02-12 | 2026-06-16 |
| CVE-2018-1000147 | An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to obtain Perforce passwords configured in jobs to obtain them | [email protected] | 6.5 | 0.86% | 2018-04-05 | 2026-06-16 |
| CVE-2015-8965 | Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar does not require explicit configuration of servlets that can be called. | [email protected] | 9.8 | 2.75% | 2017-04-06 | 2026-06-16 |
| CVE-2010-0935 | Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command. | [email protected] | 4.6 | 1.57% | 2010-03-05 | 2026-06-16 |
| CVE-2010-0934 | The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script. | [email protected] | 7.1 | 2.00% | 2010-03-05 | 2026-06-16 |
| CVE-2010-0933 | Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a .. (dot dot) in the argument to the "p4 add" command. | [email protected] | 6.8 | 1.79% | 2010-03-05 | 2026-06-16 |
| CVE-2010-0932 | The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain MKD command. | [email protected] | 5.0 | 1.67% | 2010-03-05 | 2026-06-16 |
| CVE-2010-0931 | The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data, possibly involving a large sndbuf value. | [email protected] | 5.0 | 1.14% | 2010-03-05 | 2026-06-16 |