3 results (0.027 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign. Cuando era usado Apache Knox SSO versiones anteriores a 1.6.1, una petición podía ser diseñada para redirigir a un usuario a una página maliciosa debido a un análisis incorrecto de la URL. Una petición que incluyera un parámetro de petición especialmente diseñado podría ser usada para redirigir al usuario a una página controlada por un atacante. • http://www.openwall.com/lists/oss-security/2022/01/17/2 https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0

For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release. Para versiones de Apache Knox desde 0.2.0 hasta 0.11.0, un usuario autenticado puede usar una URL especialmente diseñada para suplantar a otro usuario mientras accede a WebHDFS por medio de Apache Knox. • http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E http://www.securityfocus.com/bid/98739 https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E • CWE-346: Origin Validation Error •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1

Samsung KNOX 1.0 uses a weak eCryptFS Key generation algorithm, which makes it easier for local users to obtain sensitive information by leveraging knowledge of the TIMA key and a brute-force attack. Samsung KNOX 1.0 utiliza un algoritmo de generación eCryptFS Key débil, lo que hace más fácil a usuarios locales obtener información sensible aprovechando el conocimiento de la clave TIMA y un ataque de fuerza bruta. Samsung KNOX version 1.0 suffers from a weak eCryptFS implementation. • http://lists.openwall.net/bugtraq/2016/01/17/2 http://packetstormsecurity.com/files/135303/Samsung-KNOX-1.0-Weak-eCryptFS-Key-Generation.html http://www.securityfocus.com/archive/1/537319/100/0/threaded http://www.securityfocus.com/archive/1/537340/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-310: Cryptographic Issues •