CVE-2015-5305 – Kubernetes: Missing name validation allows path traversal in etcd
https://notcve.org/view.php?id=CVE-2015-5305
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd. Vulnerabilidad de salto de directorio en Kubernetes, tal como se utiliza en Red Hat OpenShift Enterprise 3.0, permite a atacantes escribir a archivos arbitrarios a través de un nombre de tipo objeto manipulado, que no es manejado correctamente antes de pasarlo a etcd. Kubernetes fails to validate object name types before passing the data to etcd. As the etcd service generates keys based on the object name type this can lead to a directory path traversal. • https://access.redhat.com/errata/RHSA-2015:1945 https://bugzilla.redhat.com/show_bug.cgi?id=1273969 https://access.redhat.com/security/cve/CVE-2015-5305 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2015-1808 – jenkins: update center metadata retrieval DoS attack (SECURITY-163)
https://notcve.org/view.php?id=CVE-2015-1808
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados provocar una denegación de servicio (plug-in indebido e instalación de herramienta) a través del centro de datos actualizado manipulado. A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205623 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1808 • CWE-20: Improper Input Validation •
CVE-2015-1806 – jenkins: Combination filter Groovy script unsecured (SECURITY-125)
https://notcve.org/view.php?id=CVE-2015-1806
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. La secuencia de comandos del filtro de combinación Groovy en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con permisos de configuración de trabajo obtener privilegios y ejecutar código arbitrario en el maestro a través de vectores no especificados. It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205620 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1806 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-1814 – jenkins: forced API token change (SECURITY-180)
https://notcve.org/view.php?id=CVE-2015-1814
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users. El servicio de emisión de token de API en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos obtener privilegios a través de un "cambio forzado de token de API" involucrando a usuarios anónimos. A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205616 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 https://access.redhat.com/security/cve/CVE-2015-1814 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVE-2015-1812 – jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
https://notcve.org/view.php?id=CVE-2015-1812
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-1813. Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205615 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 https://access.redhat.com/security/cve/CVE-2015-1812 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •