Page 18 of 125 results (0.015 seconds)

CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 1

CVE-2012-5575 – apache-cxf: XML encryption backwards compatibility attacks

https://notcve.org/view.php?id=CVE-2012-5575

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." Apache CXF en versiones 2.5.x anteriores a la 2.5.10, 2.6.x anteriores a CXF 2.6.7 y 2.7.x anteriores a CXF 2.7.4 no verifica que un algoritmo criptográfico específico esté permitido por la definición de WS-SecurityPolicy AlgorithmSuite antes del descifrado, lo que permite a los atacantes remotos forzar a CXF a usar algoritmos criptográficos más débiles que los previstos y facilita el descifrado de las comunicaciones. Esto también se conoce como "XML Encryption backwards compatibility attack". • https://github.com/tafamace/CVE-2012-5575 http://cxf.apache.org/cve-2012-5575.html http://rhn.redhat.com/errata/RHSA-2013-0833.html http://rhn.redhat.com/errata/RHSA-2013-0834.html http://rhn.redhat.com/errata/RHSA-2013-0839.html http://rhn.redhat.com/errata/RHSA-2013-0873.html http://rhn.redhat.com/errata/RHSA-2013-0874.html http://rhn.redhat.com/errata/RHSA-2013-0875.html http://rhn.redhat.com/errata/RHSA-2013-0876.html http://rhn.redhat.com/errata • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0

CVE-2012-4529 – Web: jsessionid exposed via encoded url when using cookie based session tracking

https://notcve.org/view.php?id=CVE-2012-4529

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. El método org.apache.catalina.connector.Response.encodeURL en Red Hat JBoss Web 7.1.x y anteriores, cuando el modo de traceo está fijado a COOKIE, envia el parámetro jsessionid en la URL de la primera respuesta de una sesion, lo que permite a atacantes remotos obtener el id de sesion a treves de un ataque man-in-the-middle o leyendo un log • http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request http://rhn.redhat.com/errata/RHSA-2013-0833.html http://rhn.redhat.com/errata/RHSA-2013-0834.html http://rhn.redhat.com/errata/RHSA-2013-0839.html http://rhn.redhat.com/errata/RHSA-2013-1437.html https://issues.jboss.org/browse/JBWEB-249 https://access.redhat.com/security/cve/CVE-2012-4529 https://bugzilla.redhat.com/show_bug.cgi?id=868202 •

CVSS: 5.1EPSS: 20%CPEs: 27EXPL: 0

CVE-2013-1862 – httpd: mod_rewrite allows terminal escape sequences to be written to the log file

https://notcve.org/view.php?id=CVE-2013-1862

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. mod_rewrite.c en el modulo mod_rewrite en Apache HTTP Server v2.2.x anterior a v2.2.25 escribe datos en un archivo de log sin eliminar caracteres no imprimibles, lo que podría permitir a un atacante remotos ejecutar comandos arbitrarios a través de una petición HTTP que contiene una secuencia de escape para un emulador de terminal. • http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.html http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.html http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch http://rhn.redhat.com/errata/RHSA-2013-0815.html http://rhn.redhat.com/errata/RHSA-2013-1207.html http://rhn.redhat.com/errata/RHSA-2013-1208.html http://rhn.redhat.com/errata/RHSA-2013-1209.html http://secunia. •

CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0

CVE-2012-5629 – JBoss: allows empty password to authenticate against LDAP

https://notcve.org/view.php?id=CVE-2012-5629

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password. La configuración por defecto de los módulos (1) LdapLoginModule y (2) LdapExtLoginModule en JBoss Enterprise Application Platform (EAP)v 4.3.0 CP10, v5.2.0 y v6.0.1 6.0.1, y Enterprise Web Platform (EWP) v5.2.0, permite a atacantes remotos la autenticación sin contraseña. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=885569 http://rhn.redhat.com/errata/RHSA-2013-0229.html http://rhn.redhat.com/errata/RHSA-2013-0230.html http://rhn.redhat.com/errata/RHSA-2013-0231.html http://rhn.redhat.com/errata/RHSA-2013-0232.html http://rhn.redhat.com/errata/RHSA-2013-0233.html http://rhn.redhat.com/errata/RHSA-2013-0234.html http://rhn.redhat.com/errata/RHSA-2013-0248.html http://rhn.redhat.com/errata/RHSA-2013-0533.html http: • CWE-264: Permissions, Privileges, and Access Controls CWE-305: Authentication Bypass by Primary Weakness •

CVSS: 2.1EPSS: 0%CPEs: 4EXPL: 0

CVE-2013-0218 – Installer: Generated auto-install xml is world readable

https://notcve.org/view.php?id=CVE-2013-0218

The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file. El instalador GUI en JBoss Enterprise Application Platform (EAP) y Enterprise Web Platform (EWP) v5.2.0 y posiblemente v5.1.2 usa permisos de lectura para todos los usuarios en el fichero XML auto-install, lo que permite a usuarios locales obtener el password del administrador mediante la lecutra de dicho fichero. • http://rhn.redhat.com/errata/RHSA-2013-0206.html http://rhn.redhat.com/errata/RHSA-2013-0207.html http://rhn.redhat.com/errata/RHSA-2013-0833.html http://secunia.com/advisories/52041 http://www.osvdb.org/89698 http://www.securityfocus.com/bid/57652 https://bugzilla.redhat.com/show_bug.cgi?id=903073 https://exchange.xforce.ibmcloud.com/vulnerabilities/81725 https://access.redhat.com/security/cve/CVE-2013-0218 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •