CVE-2012-6685 – rubygem-nokogiri: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2012-6685
Nokogiri before 1.5.4 is vulnerable to XXE attacks Nokogiri versiones anteriores a 1.5.4, es vulnerable a ataques de tipo XXE. • https://bugzilla.redhat.com/show_bug.cgi?id=1178970 https://github.com/sparklemotion/nokogiri/issues/693 https://nokogiri.org/CHANGELOG.html#154-2012-06-12 https://access.redhat.com/security/cve/CVE-2012-6685 • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVE-2014-3602 – OpenShift: /proc/net/tcp information disclosure
https://notcve.org/view.php?id=CVE-2014-3602
Red Hat OpenShift Enterprise before 2.2 allows local users to obtain IP address and port number information for remote systems by reading /proc/net/tcp. Red Hat OpenShift Enterprise anterior a 2.2 permite a usuarios locales obtener direcciones IP y otra información para sistemas remotos mediante la lectura de /proc/net/tcp. It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could result in remote system's IP or port numbers in use to be exposed, which may be useful for further targeted attacks. • http://rhn.redhat.com/errata/RHSA-2014-1796.html http://rhn.redhat.com/errata/RHSA-2014-1906.html https://access.redhat.com/security/cve/CVE-2014-3602 https://bugzilla.redhat.com/show_bug.cgi?id=1131680 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3674 – Enterprise: gears fail to properly isolate network traffic
https://notcve.org/view.php?id=CVE-2014-3674
Red Hat OpenShift Enterprise before 2.2 does not properly restrict access to gears, which allows remote attackers to access the network resources of arbitrary gears via unspecified vectors. Red Hat OpenShift Enterprise anterior a 2.2 no restringe debidamente el acceso a gears, lo que permite a atacantes remotos acceder a los recursos de red de gears arbitrarios a través de vectores no especificados. It was found that OpenShift Enterprise 2.1 did not properly restrict access to services running on different gears. This could allow an attacker to access unprotected network resources running in another user's gear. • http://rhn.redhat.com/errata/RHSA-2014-1796.html http://rhn.redhat.com/errata/RHSA-2014-1906.html https://access.redhat.com/security/cve/CVE-2014-3674 https://bugzilla.redhat.com/show_bug.cgi?id=1148170 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVE-2014-3680 – jenkins: password exposure in DOM (SECURITY-138)
https://notcve.org/view.php?id=CVE-2014-3680
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. Jenkins en versiones anteriores a 1.583 y LTS en versiones anteriores a 1.565.3 permite a usuarios remotos autenticados con el permiso Job/READ obtener el valor por defecto para el campo password de un trabajo parametrizado leyendo el DOM. • https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 https://access.redhat.com/security/cve/CVE-2014-3680 https://bugzilla.redhat.com/show_bug.cgi?id=1148645 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-3667 – jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)
https://notcve.org/view.php?id=CVE-2014-3667
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. Jenkins en versiones anteriores a 1.583 y LTS en versiones anteriores a 1.565.3 no previene adecuadamente la descarga de plugins, lo que permite a usuarios remotos autenticados con el permiso Overall/READ obtener información sensible leyendo el código del plugin. • https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 https://access.redhat.com/security/cve/CVE-2014-3667 https://bugzilla.redhat.com/show_bug.cgi?id=1147770 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •