CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9301
https://notcve.org/view.php?id=CVE-2024-9301
27 Sep 2024 — A path traversal issue in E2Nest prior to commit 8a41948e553c89c56b14410c6ed395e9cfb9250a • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-004.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
01 Aug 2024 — Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5023 – Arbitrary File Read Vulnerability in ConsoleMe via Limited Git command RCE
https://notcve.org/view.php?id=CVE-2024-5023
16 May 2024 — Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0. La neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando ("Inyección de comando") en Netflix ConsoleMe permite la inyección de comando. Este problema afecta a ConsoleMe: versiones anteriores a 1.4.0. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-002.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4701 – Path Traversal vulnerability via File Uploads in Genie
https://notcve.org/view.php?id=CVE-2024-4701
10 May 2024 — A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18 Un problema de Path Traversal que podría provocar la ejecución remota de código en Genie para todas las versiones anteriores a la 4.3.18 • https://github.com/JoeBeeton/CVE-2024-4701-POC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40171 – Dispatch writes JWT tokens in error message
https://notcve.org/view.php?id=CVE-2023-40171
17 Aug 2023 — Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could b... • https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30797 – Insecure Random Generation in Netflix Lemur
https://notcve.org/view.php?id=CVE-2023-30797
19 Apr 2023 — Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. • https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27177
https://notcve.org/view.php?id=CVE-2022-27177
01 Apr 2022 — A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2 Un problema de cadena de formato de Python que conllevaba a una divulgación de información y una posible ejecución de código remota en ConsoleMe para todas las versiones anteriores a 1.2.2 • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md • CWE-134: Use of Externally-Controlled Format String •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-28099
https://notcve.org/view.php?id=CVE-2021-28099
23 Mar 2021 — In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. En Netflix OSS Hollow, dado que Files.exists(parent) se ejecuta antes de crear los directorios, un atacante puede crear previamente estos directorios con amplios permisos. Además, dado que se utiliza una fuente no seg... • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-28100
https://notcve.org/view.php?id=CVE-2021-28100
23 Mar 2021 — Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process. Priam usa File.createTempFile, que otorga los permisos en ese archivo -rw-r--r--. Un atacante con acceso de lectura al sistema de archivos local puede leer cualquier cosa escrita allí por el proceso Priam • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2323
https://notcve.org/view.php?id=CVE-2020-2323
03 Dec 2020 — Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. Jenkins Chaos Monkey Plugin versiones 0.4 y anteriores, no lleva a cabo comprobaciones de permisos en un endpoint HTTP, lo que permite a atacantes con permiso Overall/Read acceder a la página Chaos Monkey y visualizar el historial de acciones • http://www.openwall.com/lists/oss-security/2020/12/03/2 • CWE-862: Missing Authorization •