CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1890
https://notcve.org/view.php?id=CVE-2018-1890
IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 152081. IBM SDK, Java Technology Edition, en su versión 8 en la plataforma AIX, utiliza RPATHS absolutas, lo que podría facilitar una inyección de código y un escalado de privilegios por usuarios locales. IBM X-Force ID: 152081. • http://www.securityfocus.com/bid/107448 https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 https://www.ibm.com/support/docview.wss?uid=ibm10873042 https://www.ibm.com/support/docview.wss?uid=ibm10873332 https://www.ibm.com/support/docview.wss?uid=ibm10874750 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.4EPSS: 0%CPEs: 14EXPL: 0CVE-2018-1656 – JDK: path traversal flaw in the Diagnostic Tooling Framework
https://notcve.org/view.php?id=CVE-2018-1656
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0 y 8.0) de IBM Java Runtime Environment no protege contra ataques de salto de directorio cuando se extraen archivos de volcado comprimidos. IBM X-Force ID: 144882. • http://www.ibm.com/support/docview.wss?uid=ibm10719653 http://www.securityfocus.com/bid/105118 http://www.securitytracker.com/id/1041765 https://access.redhat.com/errata/RHSA-2018:2568 https://access.redhat.com/errata/RHSA-2018:2569 https://access.redhat.com/errata/RHSA-2018:2575 https://access.redhat.com/errata/RHSA-2018:2576 https://access.redhat.com/errata/RHSA-2018:2712 https://access.redhat.com/errata/RHSA-2018:2713 https://exchange.xforce.ibmcloud.com/vulnerabilities/14 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 1%CPEs: 5EXPL: 0CVE-2018-1417 – JDK: J9 JVM allows untrusted code running under a security manager to elevate its privileges
https://notcve.org/view.php?id=CVE-2018-1417
Under certain circumstances, a flaw in the J9 JVM (IBM SDK, Java Technology Edition 7.1 and 8.0) allows untrusted code running under a security manager to elevate its privileges. IBM X-Force ID: 138823. Bajo determinadas circunstancias, un fallo en J9 JVM (IBM SDK, Java Technology Edition 7.1 y 8.0) permite que se ejecute código no fiable bajo un gestor de seguridad para elevar sus privilegios. IBM X-Force ID: 138823. • http://www.ibm.com/support/docview.wss?uid=isg3T1027315 http://www.ibm.com/support/docview.wss?uid=swg22014937 http://www.securityfocus.com/bid/103216 http://www.securitytracker.com/id/1040403 https://access.redhat.com/errata/RHSA-2018:1463 https://exchange.xforce.ibmcloud.com/vulnerabilities/138823 https://www.ibm.com/support/docview.wss?uid=swg22012965 https://access.redhat.com/security/cve/CVE-2018-1417 https://bugzilla.redhat.com/show_bug.cgi?id=1568966 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 0CVE-2017-1289 – JDK: XML External Entity Injection (XXE) error when processing XML data
https://notcve.org/view.php?id=CVE-2017-1289
IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. SDK de IBM, Java Technology Edition es vulnerable a un error de inyección XML External Entity (XXE) al procesar datos XML. Un atacante remoto podría explotar esta vulnerabilidad para exponer información altamente confidencial o consumir recursos de memoria. • http://www.securityfocus.com/bid/98401 https://access.redhat.com/errata/RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:3453 https://www.ibm.com/support/docview.wss?uid=swg22002169 https://access.redhat.com/security/cve/CVE-2017-1289 https://bugzilla.redhat.com/show_bug.cgi?id=1449603 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 95EXPL: 0CVE-2016-3956
https://notcve.org/view.php?id=CVE-2016-3956
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones anteriores a 4.4.2 y 5 en versiones anteriores a 5.10.0, incluye tokens portadores con peticiones arbitrarias, lo que permite a servidores HTTP remotos obtener información sensible leyendo cabeceras de autorización. • http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21980827 https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 https://github.com/npm/npm/issues/8380 https://nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •