CVE-2020-10719 – undertow: invalid HTTP request with large chunk size
https://notcve.org/view.php?id=CVE-2020-10719
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Se detectó un fallo en Undertow en versiones anteriores a 2.1.1.Final, con respecto al procesamiento de peticiones HTTP no válidas con tamaños de fragmentos grandes. Este fallo permite a un atacante tomar ventaja del tráfico no autorizado de peticiones HTTP. A flaw was found in Undertow, regarding the processing of invalid HTTP requests with large chunk sizes. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719 https://security.netapp.com/advisory/ntap-20220210-0014 https://access.redhat.com/security/cve/CVE-2020-10719 https://bugzilla.redhat.com/show_bug.cgi?id=1828459 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2019-10174 – infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
https://notcve.org/view.php?id=CVE-2019-10174
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. Se encontró una vulnerabilidad en Infinispan, de modo que el método invokeAccessibly de la clase pública ReflectionUtil permite que cualquier clase de aplicación invoque métodos privados en cualquier clase con los privilegios de Infinispan. El atacante puede usar la reflexión para introducir un nuevo comportamiento malicioso en la aplicación. • https://access.redhat.com/errata/RHSA-2020:0481 https://access.redhat.com/errata/RHSA-2020:0727 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174 https://security.netapp.com/advisory/ntap-20220210-0018 https://access.redhat.com/security/cve/CVE-2019-10174 https://bugzilla.redhat.com/show_bug.cgi?id=1703469 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-14860 – syndesis: default CORS configuration is allow all
https://notcve.org/view.php?id=CVE-2019-14860
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information. Se detectó que la configuración de Syndesis para Cross-Origin Resource Sharing fue establecida para permitir todos los orígenes. Un atacante podría utilizar esta falta de protección para conducir ataques de phishing y acceder aún más a información no autorizada. • https://access.redhat.com/errata/RHSA-2019:3892 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860 https://access.redhat.com/security/cve/CVE-2019-14860 https://bugzilla.redhat.com/show_bug.cgi?id=1761912 • CWE-942: Permissive Cross-domain Policy with Untrusted Domains •
CVE-2019-0201 – zookeeper: Information disclosure in Apache ZooKeeper
https://notcve.org/view.php?id=CVE-2019-0201
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users. Hay un problema presente en Apache ZooKeeper 1.0.0 a 3.4.13 y 3.5.0-alpha a 3.5.4-beta. • http://www.securityfocus.com/bid/108427 https://access.redhat.com/errata/RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:4352 https://issues.apache.org/jira/browse/ZOOKEEPER-1392 https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E https://lists.apache.org/thread.html • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-862: Missing Authorization •