
CVSS: 4.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Netflix OSS Hollow, because Files.exists(parent) is checked before the directories are created, an attacker can pre-create those directories with wide permissions (a check-then-create race). Additionally, because an insecure source of randomness is used, the file names that will be created can be calculated deterministically. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md • CWE-330: Use of Insufficiently Random Values •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Priam uses File.createTempFile, which (under the usual umask of 022) creates the file with permissions -rw-r--r--, i.e. readable by group and world. An attacker with read access to the local filesystem can read anything the Priam process writes there. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md •
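The two Netflix advisories above are the same class of bug, an untrusted local user racing or reading the process's scratch files, so one added example covers both. The Java below is not Hollow's or Priam's code; it reconstructs the unsafe patterns the advisories describe (a check-then-create directory whose name comes from java.util.Random, and java.io.File.createTempFile) next to hardened replacements, plus a post-condition check a practitioner would keep. The base directory, name prefixes and the weak seed are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.EnumSet;
import java.util.Random;
import java.util.Set;

/** Added example (not Hollow or Priam code): unsafe scratch-space patterns and hardened forms. */
public class ScratchSpace {

    // Unsafe pattern 1 (the Hollow issue): predictable name plus check-then-create.
    // A clock-seeded java.util.Random is reproducible, so an attacker can compute the
    // directory name in advance and create it with wide permissions before this runs.
    static Path unsafeScratchDir(Path base) throws IOException {
        Random rnd = new Random(System.currentTimeMillis() / 1000);   // assumption: weak seed
        Path dir = base.resolve("scratch-" + rnd.nextInt(1_000_000));
        if (!Files.exists(dir)) {          // race window: the attacker can win it here
            Files.createDirectories(dir);  // honours the umask and silently accepts a pre-existing dir
        }
        return dir;                        // may now be an attacker-owned, world-readable directory
    }

    // Unsafe pattern 2 (the Priam issue): java.io temp files honour the umask, so with
    // umask 022 the file is created -rw-r--r-- and any local user can read its contents.
    static Path unsafeTempFile(Path dir) throws IOException {
        File f = File.createTempFile("secret-", ".tmp", dir.toFile());
        return f.toPath();
    }

    private static final SecureRandom SECURE = new SecureRandom();
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY_DIR =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY_FILE =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    // Hardened: unguessable name, atomic create with owner-only permissions, and no exists()
    // check. createDirectory (singular) fails if anything already sits at the path, so a
    // pre-created directory is refused instead of adopted.
    static Path safeScratchDir(Path base) throws IOException {
        for (int attempt = 0; attempt < 8; attempt++) {
            Path dir = base.resolve("scratch-" + Long.toHexString(SECURE.nextLong()));
            try {
                Files.createDirectory(dir, OWNER_ONLY_DIR);
                return dir;
            } catch (FileAlreadyExistsException e) {
                // A collision on a 64-bit random name is not expected; pick a new name rather
                // than reuse a directory this process did not create.
            }
        }
        throw new IOException("could not create a fresh scratch directory under " + base);
    }

    // Hardened: java.nio's createTempFile names the file from SecureRandom and, on POSIX,
    // creates it 0600 by default; passing the attribute makes that intent explicit.
    static Path safeTempFile(Path dir) throws IOException {
        return Files.createTempFile(dir, "secret-", ".tmp", OWNER_ONLY_FILE);
    }

    // Post-condition worth keeping in production: not a symlink, and no group/other bits set.
    static boolean isOwnerOnly(Path p) throws IOException {
        if (Files.isSymbolicLink(p)) return false;
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
        Set<PosixFilePermission> forbidden = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        for (PosixFilePermission f : forbidden) {
            if (perms.contains(f)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("demo-", OWNER_ONLY_DIR);   // assumption: writable base
        Path legacyDir = unsafeScratchDir(base);
        Path legacyFile = unsafeTempFile(legacyDir);
        Path goodDir = safeScratchDir(base);
        Path goodFile = safeTempFile(goodDir);
        System.out.println("check-then-create dir owner-only? " + isOwnerOnly(legacyDir));
        System.out.println("File.createTempFile owner-only?   " + isOwnerOnly(legacyFile));
        System.out.println("hardened dir owner-only?          " + isOwnerOnly(goodDir));
        System.out.println("hardened file owner-only?         " + isOwnerOnly(goodFile));
    }
}
```

Run it as an unprivileged user on Linux or macOS; the two legacy paths report false whenever the umask leaves group or other bits set, the two hardened paths report true. PosixFilePermissions throws UnsupportedOperationException on file systems without a POSIX view (Windows), so guard such code with FileSystems.getDefault().supportedFileAttributeViews().contains("posix"). The umask still applies on top of the requested attributes, which can only make the result more restrictive, and the explicit attribute is belt-and-braces: the one-line fix most projects ship for the Priam class of bug is simply switching from File.createTempFile to Files.createTempFile.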

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and view the history of actions. • http://www.openwall.com/lists/oss-security/2020/12/03/2 https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%282%29 • CWE-862: Missing Authorization •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks on the controller. • http://www.openwall.com/lists/oss-security/2020/12/03/2 https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%281%29 • CWE-862: Missing Authorization •
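In both Chaos Monkey entries above the missing check is a Stapler web method (a public do* method on an Action) that any user holding Overall/Read can request directly by URL. The Java below is an added example of a hypothetical Jenkins root action, not the Chaos Monkey plugin's code, showing an unguarded endpoint beside the fixed form; the URL name, method names and the "seconds" parameter are assumptions.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.time.Instant;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.TimeUnit;

/**
 * Added example (hypothetical plugin). Web methods here are served at
 * /chaos-demo/<name-without-do>, e.g. GET /chaos-demo/generateLoad.
 */
@Extension
public class ChaosDemoAction implements RootAction {

    private final List<String> history = new CopyOnWriteArrayList<>();

    @Override public String getIconFileName() { return "clock.png"; }   // assumption
    @Override public String getDisplayName()  { return "Chaos Demo"; }
    @Override public String getUrlName()      { return "chaos-demo"; }

    // Vulnerable (the 0.3 class of bug): no permission check and reachable by GET,
    // so anyone with Overall/Read can burn controller CPU with a single request.
    public HttpResponse doGenerateLoad(StaplerRequest req) {
        startLoad(Integer.parseInt(req.getParameter("seconds")));
        return HttpResponses.ok();
    }

    // Fixed: require Overall/Administer before doing anything, and make the endpoint
    // POST-only so it cannot be triggered by a plain link (RequirePOST also routes it
    // through Jenkins' CSRF crumb check). checkPermission throws AccessDeniedException,
    // which Stapler turns into a 403 for the caller.
    @RequirePOST
    public HttpResponse doGenerateLoadFixed(StaplerRequest req) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        startLoad(Integer.parseInt(req.getParameter("seconds")));
        return HttpResponses.ok();
    }

    // Read-only data (the 0.4 class of bug) needs the same explicit check. Returning null
    // from getIconFileName() only hides the sidebar link; it does not stop a direct request.
    public void doHistory(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        rsp.setContentType("text/plain;charset=UTF-8");
        for (String line : history) {
            rsp.getWriter().println(line);
        }
    }

    // Deliberately crude: a daemon thread that spins for the requested time.
    private void startLoad(int seconds) {
        history.add(Instant.now() + " load for " + seconds + "s");
        Thread t = new Thread(() -> {
            long end = System.nanoTime() + TimeUnit.SECONDS.toNanos(seconds);
            while (System.nanoTime() < end) { /* spin */ }
        });
        t.setDaemon(true);
        t.start();
    }
}
```

To confirm the fix behaves as intended, log in as a user who holds only Overall/Read and request each endpoint directly: the unguarded method returns 200 and the load starts, the fixed methods return 403 (or 405 for a GET against the POST-only method) and nothing is recorded in the history. The rule the Jenkins advisory applies is that every do* web method and every Jelly view that exposes state must call checkPermission itself; visibility of links in the UI is never an access control.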

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerabilities were discovered and reported in the Dispatch application, affecting the name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. They can be exploited by an authenticated user. • https://github.com/Netflix/dispatch/releases/tag/v20201106 https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •