CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-1002100 – kube-apiserver: DoS with crafted patch of type json-patch
https://notcve.org/view.php?id=CVE-2019-1002100
01 Apr 2019 — In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. En todas las versiones de Kubernetes anteriores a las v1.11.8, v1.12.6 y v1.13.4, los usuarios autorizados para realizar peticio... • http://www.securityfocus.com/bid/107290 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003041 – jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003041
28 Mar 2019 — A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Una vulnerabilidad de omisión de sandbox en Jenkins Pipeline: el plugin "groovy", en sus versiones 2.64 y anteriores, permite a los atacantes invocar constructores arbitrarios en los scripts en "sandbox". A flaw was found in the Jenkins Workflow CPS plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowi... • http://www.openwall.com/lists/oss-security/2019/03/28/2 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003040 – jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003040
28 Mar 2019 — A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en sus versiones 1.55 y anteriores, permite a los atacantes invocar constructores arbitrarios en los scripts en "sandbox". A flaw was found in the Jenkins Script Security plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing a... • http://www.openwall.com/lists/oss-security/2019/03/28/2 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-3826
https://notcve.org/view.php?id=CVE-2019-3826
26 Mar 2019 — A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. Se ha detectado un error de Cross-Site Scripting (XSS) almacenado basado en DOM en Prometheus, en versiones anteriores a la 2.7.1. Un atacante podría explotar esta vulnerabilidad convenciendo a un usuario autenticado para que v... • https://access.redhat.com/errata/RHBA-2019:0327 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 12CVE-2019-7609 – Kibana Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2019-7609
25 Mar 2019 — Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecución de código arbitrario en el visualizador Timelion. Un atacante con ac... • https://packetstorm.news/files/id/174569 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2018-12022 – jackson-databind: improper polymorphic deserialization of types from Jodd-db library
https://notcve.org/view.php?id=CVE-2018-12022
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Def... • http://www.securityfocus.com/bid/107585 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2018-12023 – jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
https://notcve.org/view.php?id=CVE-2018-12023
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Default Typing" está habilitado (globalmente... • http://www.securityfocus.com/bid/105659 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.9EPSS: 1%CPEs: 2EXPL: 1CVE-2019-1003029 – Jenkins Script Security Plugin Sandbox Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2019-1003029
08 Mar 2019 — A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en la versión 1.53 y anteriores en src/main/java/org/jenk... • https://packetstorm.news/files/id/166778 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 9.9EPSS: 29%CPEs: 2EXPL: 2CVE-2019-1003030 – Jenkins Matrix Project Plugin Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-1003030
08 Mar 2019 — A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en Jenkins Pipeline: Groovy Plugin, en versiones 2.63 y anteriores en pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java, permite a los atacantes capacitados ... • https://packetstorm.news/files/id/159603 • CWE-20: Improper Input Validation CWE-693: Protection Mechanism Failure •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003031 – jenkins-matrix-project-plugin: sandbox bypass in matrix project plugin
https://notcve.org/view.php?id=CVE-2019-1003031
08 Mar 2019 — A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en el plugin Jenkins Matrix Project, en versiones 1.13 y anteriores, en pom.xml, src/main/java/hudson/matrix/FilterScript.java, que permite a los atacantes con permisos de "Job/Configure" ejecutar código arbitrari... • http://www.securityfocus.com/bid/107476 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •