CVE-2019-17076
https://notcve.org/view.php?id=CVE-2019-17076
An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server. Se descubrió un problema en Jamf Pro versiones 9.x y versiones 10.x anteriores a la versión 10.15.1. Una deserialización de datos no seguros cuando se analiza JSON en varias API puede causar una Denegación de Servicio (DoS), ejecución de código remota (RCE) y/o eliminación de archivos en el servidor de Jamf Pro. • https://resources.jamf.com/documents/products/security-disclosure-notice-jamf-pro-10.15.1.pdf • CWE-502: Deserialization of Untrusted Data •
CVE-2018-10465
https://notcve.org/view.php?id=CVE-2018-10465
Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro. Jamf Pro versiones 10.x anteriores a la versión 10.3.0, tiene un Control de Acceso Incorrecto. • https://docs.jamf.com/10.3.0/jamf-pro/release-notes/Bug_Fixes_and_Enhancements.html •