PerforceCVEs & Vulnerabilities

25 CVEs affecting Perforce products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

perforce server 47p4web 4helix core 4akana api 3jviews 2helix sync 1perforce 1perforce client 1
CVE-2023-45849KEVCRITICALin the wild

An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner.

11 Apr 2026
9.8
CVSS
CVE-2024-5250MEDIUM

In versions of Akana API Platform prior to 2024.1.0 overly verbose errors can be found in SAML integrations

30 Jul 2024
5.3
CVSS
CVE-2024-5249HIGH

In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed.

30 Jul 2024
7.5
CVSS
CVE-2024-3930CRITICAL

In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered.

30 Jul 2024
9.8
CVSS
CVE-2024-0325HIGH

In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.  

2 Feb 2024
7.8
CVSS
CVE-2023-5759HIGH

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified. Reported by Jason Geffner.  

8 Nov 2023
7.5
CVSS
CVE-2023-45319HIGH

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified. Reported by Jason Geffner. 

8 Nov 2023
7.5
CVSS
CVE-2023-35767HIGH

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Jason Geffner.  

8 Nov 2023
7.5
CVSS
CVE-2022-2394LOW

Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise.

19 Jul 2022
3.5
CVSS
CVE-2021-28973MEDIUM

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.

13 Apr 2021
4.9
CVSS
CVE-2013-1410MEDIUMpoc

Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities

12 Feb 2020
6.1
CVSS
CVE-2018-1000147MEDIUM

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to obtain Perforce passwords configured in jobs to obtain them

5 Apr 2018
6.5
CVSS
CVE-2015-8965CRITICAL

Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar does not require explicit configuration of servlets that can be called.

7 Apr 2017
9.8
CVSS
CVE-2010-0935MEDIUM

Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command.

5 Mar 2010
4.6
CVSS
CVE-2010-0934HIGH

The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script.

5 Mar 2010
7.1
CVSS
CVE-2010-0933MEDIUM

Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a .. (dot dot) in the argument to the "p4 add" command.

5 Mar 2010
6.8
CVSS
CVE-2010-0932MEDIUM

The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain MKD command.

5 Mar 2010
5.0
CVSS
CVE-2010-0931MEDIUM

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data, possibly involving a large sndbuf value.

5 Mar 2010
5.0
CVSS
CVE-2010-0930MEDIUM

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (infinite loop) via crafted data that includes a byte sequence of 0xdc, 0xff, 0xff, and 0xff immediately before the client protocol version number.

5 Mar 2010
5.0
CVSS
CVE-2010-0929MEDIUM

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data beginning with a byte sequence of 0x4c, 0xb3, 0xff, 0xff, and 0xff.

5 Mar 2010
5.0
CVSS
CVE-2008-1338HIGH

The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a server-DiffFile command with an integer value within a certain range, which causes a loop until all memory is exhausted.

14 Mar 2008
7.8
CVSS
CVE-2008-1302MEDIUM

The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a (1) server-DiffFile or (2) server-ReleaseFile command with a large integer value, which is used in an array initialization calculation, and leads to invalid memory access.

12 Mar 2008
5.0
CVSS
CVE-2008-1303MEDIUMpoc

The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a missing parameter to the (1) dm-FaultFile, (2) dm-LazyCheck, (3) dm-ResolvedFile, (4) dm-OpenFile, (5) crypto, and possibly unspecified other commands, which triggers a NULL pointer dereference.

12 Mar 2008
5.0
CVSS
CVE-2007-6349HIGH

P4Webs.exe in Perforce P4Web 2006.2 and earlier, when running on Windows, allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with an empty body and a Content-Length greater than 0.

21 Dec 2007
7.8
CVSS
CVE-2007-0100CRITICAL

The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server.

8 Jan 2007
10.0
CVSS
← PrevPage 1 / 1Next →