CVSS: 7.5EPSS: 0%CPEs: 55EXPL: 1CVE-2020-17527 – Apache Tomcat: Request header mix-up between HTTP/2 streams
https://notcve.org/view.php?id=CVE-2020-17527
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. Al investigar el error 64830, se detectó que Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M9, versiones 9.0.0-M1 hasta 9.0.39 y versiones 8.5.0 hasta 8.5.59, podría reutilizar un valor de encabezado de petición HTTP de la transmisión anterior recibida en una conexión HTTP/2 para la petición asociada con la transmisión posterior. Si bien esto probablemente conllevaría a un error y al cierre de la conexión HTTP/2, es posible que la información podría filtrarse entre peticiones • https://github.com/forse01/CVE-2020-17527-Tomcat http://www.openwall.com/lists/oss-security/2020/12/03/3 https://lists.apache.org/thread.html/r26a2a66339087fc37db3caf201e446d3e83b5cce314371e235ff1784%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r2d6e05c5ff96f8068a59dfdb3800e9ee8d4e36ce1971783c6e5f9b20%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r5a285242737ddef4d338236328aaaf3237183e1465a5efafd16b99ed%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.1EPSS: 0%CPEs: 15EXPL: 0CVE-2020-4788 – kernel: speculation on incompletely validated data on IBM Power9
https://notcve.org/view.php?id=CVE-2020-4788
IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296. Los procesadores IBM Power9 (AIX versiones 7.1, 7.2 y VIOS versión 3.1), podrían permitir a un usuario local obtener información confidencial de los datos en la caché L1 en circunstancias atenuantes. IBM X-Force ID: 189296 A flaw was found in the Linux kernel. IBM Power9 processors can speculatively operate on data stored in the L1 cache before it has been completely validated. • http://www.openwall.com/lists/oss-security/2020/11/20/3 http://www.openwall.com/lists/oss-security/2020/11/23/1 https://exchange.xforce.ibmcloud.com/vulnerabilities/189296 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TITJQPYDWZ4NB2ONJWUXW75KSQIPF35T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZF4OGZPKTAJJXWHPIFP3LHEWWEMR5LPT https://www.ibm.com/support/pages/node/6370729 https://www.oracle.com/security-alerts/cpujul • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-0404 – kernel: avoid cyclic entity chains due to malformed USB descriptors
https://notcve.org/view.php?id=CVE-2020-0404
In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111893654References: Upstream kernel En la función uvc_scan_chain_forward del archivo uvc_driver.c, se presenta una posible corrupción de la lista enlazada debido a una causa raíz inusual. Esto podría conllevar a una escalada de privilegios local en el kernel sin ser necesarios privilegios de ejecución adicionales. No es requerida una interacción del usuario para su explotación. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00021.html https://source.android.com/security/bulletin/2020-09-01 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2020-0404 https://bugzilla.redhat.com/show_bug.cgi?id=1919791 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 91%CPEs: 77EXPL: 12CVE-2020-9484 – tomcat: deserialization flaw in session persistence storage leading to RCE
https://notcve.org/view.php?id=CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. Cuando se usa Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M4, 9.0.0.M1 hasta 9.0.34, 8.5.0 hasta 8.5.54 y 7.0.0 hasta 7.0. 103, si a) un atacante es capaz de controlar el contenido y el nombre de un archivo en el servidor; y b) el servidor está configurado para usar el PersistenceManager con un FileStore; y c) el PersistenceManager está configurado con sessionAttributeValueClassNameFilter="null" (el valor predeterminado a menos que se utilice un SecurityManager) o un filtro lo suficientemente laxo como para permitir que el objeto proporcionado por el atacante sea deserializado; y d) el atacante conoce la ruta relativa del archivo desde la ubicación de almacenamiento usada por FileStore hasta el archivo sobre el que el atacante presenta control; entonces, mediante una petición específicamente diseñada, el atacante podrá ser capaz de desencadenar una ejecución de código remota mediante la deserialización del archivo bajo su control. Tome en cuenta que todas las condiciones desde la a) hasta la d) deben cumplirse para que el ataque tenga éxito. A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. • https://github.com/masahiro331/CVE-2020-9484 https://github.com/IdealDreamLast/CVE-2020-9484 https://github.com/osamahamad/CVE-2020-9484-Mass-Scan https://github.com/PenTestical/CVE-2020-9484 https://github.com/AssassinUKG/CVE-2020-9484 https://github.com/RepublicR0K/CVE-2020-9484 https://github.com/anjai94/CVE-2020-9484-exploit https://github.com/ColdFusionX/CVE-2020-9484 https://github.com/VICXOR/CVE-2020-9484 https://github.com/seanachao/CVE-2020-9484 https://github& • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •