CVSS: 9.8EPSS: 1%CPEs: 16EXPL: 0CVE-2015-5739 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5739
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." La biblioteca net/http en net/textproto/reader.go en Go en versiones anteriores a la 1.4.3 no analiza sintácticamente claves de cabecera HTTP correctamente, lo que permite que atacantes remotos lleven a cabo ataques de contrabando de peticiones HTTP mediante un espacio en lugar de un guión, tal y como se muestra en "Content Length", en lugar de "Content-Length". HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service). • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html http://rhn.redhat.com/errata/RHSA-2016-1538.html http://seclists.org/oss-sec/2015/q3/237 http://seclists.org/oss-sec/2015/q3/292 http://seclists.org/oss-sec/2015/q3/294 http://www.securityfocus.com/bid/76281 https://bugzilla.redhat.com/show_bug.cgi?id=1250352 https://github.com/golang/go/commit/117ddcb83d7f42d • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-12159 – keycloak: CSRF token fixation
https://notcve.org/view.php?id=CVE-2017-12159
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. Se ha descubierto que la cookie empleada para la prevención de CSRF en Keycloak no era única para cada sesión. Un atacante podría usar este fallo para obtener acceso a una sesión de un usuario autenticado, conduciendo a una posible divulgación de información o a más ataques. • http://www.securityfocus.com/bid/101601 https://access.redhat.com/errata/RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2906 https://bugzilla.redhat.com/show_bug.cgi?id=1484111 https://access.redhat.com/security/cve/CVE-2017-12159 • CWE-613: Insufficient Session Expiration •
CVSS: 5.4EPSS: 0%CPEs: 5EXPL: 0CVE-2017-12158 – keycloak: reflected XSS using HOST header
https://notcve.org/view.php?id=CVE-2017-12158
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. Se ha descubierto que Keycloak podría aceptar una URL de cabecera HOST en la consola de administración y emplearla para determinar localizaciones de recursos web. Un atacante podría usar este fallo contra un usuario autenticado para lograr un XSS reflejado mediante un servidor malicioso. It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. • http://www.securityfocus.com/bid/101618 https://access.redhat.com/errata/RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2906 https://bugzilla.redhat.com/show_bug.cgi?id=1489161 https://access.redhat.com/security/cve/CVE-2017-12158 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 10.0EPSS: 97%CPEs: 11EXPL: 2CVE-2017-12629 – Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Ocurre una ejecución remota de código en Apache Solr en versiones anteriores a la 7.1 con Apache Lucene en versiones anteriores a la 7.1 explotando XXE junto con el uso de un comando add-listener de la API de configuración para alcanzar la clase RunExecutableListener. • https://www.exploit-db.com/exploits/43009 http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E http://openwall.com/lists/oss-security/2017/10/13/1 http://www.securityfocus.com/bid/101261 https://access.redhat.com/errata/RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3451 https:/ • CWE-138: Improper Neutralization of Special Elements CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 13%CPEs: 87EXPL: 0CVE-2017-0903 – rubygems: Unsafe object deserialization through YAML formatted gem specifications
https://notcve.org/view.php?id=CVE-2017-0903
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. Las versiones de RubyGems entre la 2.0.0 y la 2.6.13 son vulnerables a una posible vulnerabilidad de ejecución remota de código. La deserialización YAML de especificaciones de gemas puede omitir listas blancas de clases. • http://blog.rubygems.org/2017/10/09/2.6.14-released.html http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html http://www.securityfocus.com/bid/101275 https://access.redhat.com/errata/RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0585 https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 https://hackerone.com/reports/27499 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •