Page 121 of 5554 results (0.008 seconds)

CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0

CVE-2021-4189 – python: ftplib should not use the host from the PASV response

https://notcve.org/view.php?id=CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible. Se ha encontrado un fallo en Python, concretamente en la biblioteca del cliente FTP (File Transfer Protocol) en modo PASV (pasivo). • https://access.redhat.com/security/cve/CVE-2021-4189 https://bugs.python.org/issue43285 https://bugzilla.redhat.com/show_bug.cgi?id=2036020 https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html https://python-security.readthedocs.io/vuln/ftplib-pasv.html https://security-tracker.debian.org/tracker/CVE-2021-4189 https://security.netapp • CWE-252: Unchecked Return Value •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-0759 – kubeclient: kubeconfig parsing error can lead to MITM attacks

https://notcve.org/view.php?id=CVE-2022-0759

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM). Se ha encontrado un fallo en todas las versiones de kubeclient hasta (pero sin incluir) la v4.9.3, el cliente Ruby para la API REST de Kubernetes, en la forma en que analiza los archivos kubeconfig. Cuando el archivo kubeconfig no configura la CA personalizada para verificar los certificados, kubeclient acaba aceptando cualquier certificado (devuelve erróneamente VERIFY_NONE). • https://github.com/ManageIQ/kubeclient/issues/554 https://github.com/ManageIQ/kubeclient/issues/555 https://access.redhat.com/security/cve/CVE-2022-0759 https://bugzilla.redhat.com/show_bug.cgi?id=2058404 • CWE-295: Improper Certificate Validation •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3

CVE-2021-20323 – keycloak-services: POST based reflected Cross Site Scripting vulnerability

https://notcve.org/view.php?id=CVE-2021-20323

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. Se ha identificado una vulnerabilidad de tipo Cross Site Scripting reflejado basada en POST en Keycloak A flaw has been found in Keycloak. The clients-registrations endpoint allows execution of javascript code on the client-side, which makes it vulnerable to a Cross-Site Scripting attack. • https://github.com/ndmalc/CVE-2021-20323 https://github.com/Cappricio-Securities/CVE-2021-20323 https://github.com/cscpwn0sec/CVE-2021-20323 https://bugzilla.redhat.com/show_bug.cgi?id=2013577 https://access.redhat.com/security/cve/CVE-2021-20323 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-3814 – 3scale: missing validation of access token

https://notcve.org/view.php?id=CVE-2021-3814

It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure. Se ha detectado que la APIdocs de 3scale no comprueba el token de acceso, en el caso de un token inválido, usa en su lugar el auth de sesión. Esto podría omitir los controles de acceso y permitir una divulgación de información no autorizada A flaw was found in 3scale's API docs, where it does not validate the access token. In the case of an invalid token, it uses session auth instead. • https://bugzilla.redhat.com/show_bug.cgi?id=2004322 https://access.redhat.com/security/cve/CVE-2021-3814 • CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-4147

https://notcve.org/view.php?id=CVE-2021-4147

A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. Se ha encontrado un fallo en el controlador libvirt libxl. Un huésped malicioso podría reiniciarse continuamente y causar que libvirtd en el host cerrarse o bloquearse, resultando en una condición de denegación de servicio • https://bugzilla.redhat.com/show_bug.cgi?id=2034195 https://lists.debian.org/debian-lts-announce/2024/04/msg00000.html https://security.netapp.com/advisory/ntap-20220513-0004 • CWE-667: Improper Locking •