CVE-2021-42854 – Directory Traversal Read/Write/Delete at PluginServlet
https://notcve.org/view.php?id=CVE-2021-42854
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. The affected endpoint does not perform any validation of the user's input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Read-Write-Delete-at-PluginServlet-CVE-2021-42854
CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42856 – Reflected Cross-site Scripting at DsaDataTest
https://notcve.org/view.php?id=CVE-2021-42856
09 Mar 2022 — It was discovered that the /DsaDataTest endpoint is susceptible to a cross-site scripting (XSS) attack. The Metric parameter performs no checks on user input, which allows an attacker to craft a malicious payload that triggers an XSS vulnerability.
Reference: https://aternity.force.com/customersuccess/s/article/Reflected-Cross-site-Scripting-at-DsaDataTest-CVE-2021-42856
CWE-20: Improper Input Validation; CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-42787 – Directory Traversal Write/Delete/Partial Read at AgentConfigurationServlet
https://notcve.org/view.php?id=CVE-2021-42787
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. The affected endpoint does not perform any validation of the user's input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787
CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42857 – Directory Traversal Partial Write at AgentDaServlet
https://notcve.org/view.php?id=CVE-2021-42857
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. The affected endpoint does not perform any validation of the user's input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Partial-Write-at-AgentDaServlet-CVE-2021-42857
CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-42855 – Local privilege escalation due to misconfigured write permission on .debug_command.config file
https://notcve.org/view.php?id=CVE-2021-42855
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a JSON string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed.
Reference: https://aternity.force.com/customersuccess/s/article/Local-privilege-escalation-due-to-misconfigured-write-permission-on-debug-command-config-file-CVE-2021-42855
CWE-284: Improper Access Control; CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2021-42786 – Remote Code Execution at AgentControllerServlet
https://notcve.org/view.php?id=CVE-2021-42786
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) has remote code execution vulnerabilities in multiple instances of the API requests. The affected endpoints do not perform any validation of the user's input, which allowed a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Remote-Code-Execution-at-AgentControllerServlet-CVE-2021-42786
CWE-20: Improper Input Validation
CVE-2021-42853 – Directory Traversal Delete/Read at AgentDiagnosticServlet
https://notcve.org/view.php?id=CVE-2021-42853
09 Mar 2022 — It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDiagnosticServlet has a directory traversal vulnerability at the "/api/appInternals/1.0/agent/diagnostic/logs" API. The affected endpoint does not perform any validation of the user's input, which allows a malicious payload to be injected.
Reference: https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Delete-Read-at-AgentDiagnosticServlet-CVE-2021-42853
CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-3800 – CF CLI writes the client id and secret to config file
https://notcve.org/view.php?id=CVE-2019-3800
05 Aug 2019 — CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, which is the owner of the leaked credentials.
Reference: https://pivotal.io/security/cve-2019-3800
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-522: Insufficiently Protected Credentials