CVSS: 6.2EPSS: 0%CPEs: 6EXPL: 1CVE-2020-12458 – grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
https://notcve.org/view.php?id=CVE-2020-12458
29 Apr 2020 — An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). Se encontró un fallo de divulgación de información en Grafana versiones hasta 6.7.3. El directorio de base de datos /var/lib/grafana y el archivo de base de datos /var/lib/grafana/grafana.db son de tipo world readable. • https://access.redhat.com/security/cve/CVE-2020-12458 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1760 – ceph: header-splitting in RGW GetObject has a possible XSS
https://notcve.org/view.php?id=CVE-2020-1760
23 Apr 2020 — A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. Se encontró un fallo en Ceph Object Gateway, donde admite peticiones enviadas por un usuario anónimo en Amazon S3. Este fallo podría conllevar a posibles ataques de tipo XSS debido a una falta de neutralización apropiada de una entrada no segura. Adam Mohammed discovered that Ceph incorrectly ... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2020-10685 – Ansible: modules which use files encrypted with vault are not properly cleaned up
https://notcve.org/view.php?id=CVE-2020-10685
22 Apr 2020 — A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only clear... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685 • CWE-459: Incomplete Cleanup •
CVSS: 7.3EPSS: 0%CPEs: 10EXPL: 0CVE-2019-14905 – Ansible: malicious code could craft filename in nxos_file_copy module
https://notcve.org/view.php?id=CVE-2019-14905
23 Jan 2020 — A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. Se detectó una vulnerabilidad en Ansible Engine versiones 2.9.x anteriores a 2.9.3, versiones 2.8.x anteriores a ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 1%CPEs: 12EXPL: 1CVE-2019-14864 – Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
https://notcve.org/view.php?id=CVE-2019-14864
20 Nov 2019 — Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. Ansible, versiones 2.9.x anteriores a la versión 2.9.1, versiones 2.8.x anteriores a la versión 2.8.7 y Ansible versiones 2.7.x anteriores a la versión 2.7.15, no respeta el flag no_log, configurado en True cuando los... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 2CVE-2019-14859 – python-ecdsa: DER encoding is not being verified in signatures
https://notcve.org/view.php?id=CVE-2019-14859
18 Nov 2019 — A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 3%CPEs: 5EXPL: 0CVE-2019-10222 – ceph: Unauthenticated clients can crash ceph RGW configured with beast as frontend
https://notcve.org/view.php?id=CVE-2019-10222
28 Aug 2019 — A flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients. Se detectó un fallo en la configuración de Ceph RGW con Beast como el front-end que maneja las peticiones de clientes. Un atacante no autenticado podría bloquear el servidor Ceph RGW mediante el envío de encabezados HTTP válido... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10222 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.7EPSS: 0%CPEs: 10EXPL: 0CVE-2018-14662 – ceph: authenticated user with read only permissions can steal dm-crypt / LUKS key
https://notcve.org/view.php?id=CVE-2018-14662
15 Jan 2019 — It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption. En Ceph en versiones anteriores a la 13.2.4, se ha detectado que los usuarios ceph autenticados con permisos de solo lectura podrían robar las claves de cifrado dm-crypt empleadas durante el cifrado de disco ceph. It was found that authenticated ceph user with read only permissions could steal dm-crypt encryption keys used in ceph disk encryptio... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 4%CPEs: 10EXPL: 0CVE-2018-16846 – ceph: ListBucket max-keys has no defined limit in the RGW codebase
https://notcve.org/view.php?id=CVE-2018-16846
15 Jan 2019 — It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of service against OMAPs holding bucket indices. Se ha detectado en Ceph, en versiones anteriores a la 13.2.4, que los usuarios ceph RGW autenticados pueden provocar una denegación de servicio (DoS) contra los índices OMAP de depósito de retención. A flaw was found in the way the ListBucket function max-keys has no defined limit in the RGW codebase. An authenticated ceph RGW user can cause a denial of service at... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 12%CPEs: 8EXPL: 0CVE-2018-19039 – grafana: File exfiltration
https://notcve.org/view.php?id=CVE-2018-19039
13 Dec 2018 — Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. Grafana en versiones anteriores a la 4.6.5 y versiones 5.x anteriores a la 5.3.3 permite que usuarios autenticados remotos lean archivos arbitrarios aprovechando los permisos Editor o Admin. A security issue was found that could allow any users with Editor or Admin permissions in Grafana to read any file that the Grafana process can read from the filesystem. However,... • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •