CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1726 – podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created
https://notcve.org/view.php?id=CVE-2020-1726
11 Feb 2020 — A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume.This issue was introduced in version 1.6.0. Se detectó un fallo en Podman donde permite incorrectamente que los contenedores cuando se crean s... • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00097.html • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1708 – openshift/mysql-apb: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-1708
07 Feb 2020 — It has been found in openshift-enterprise version 3.11 and all openshift-enterprise versions from 4.1 to, including 4.3, that multiple containers modify the permissions of /etc/passwd to make them modifiable by users other than root. An attacker with access to the running container can exploit this to modify /etc/passwd to add a user and escalate their privileges. This CVE is specific to the openshift/mysql-apb. Se ha encontrado en openshift-enterprise versión 3.11 y en todas las versiones de openshift-ente... • https://access.redhat.com/errata/RHSA-2020:0617 • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14892 – jackson-databind: Serialization gadgets in classes of the commons-configuration package
https://notcve.org/view.php?id=CVE-2019-14892
20 Jan 2020 — A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. Se detectó un fallo en jackson-databind en las versiones anteriores a 2.9.10, 2.8.11.5 y 2.6.7.3, donde permitiría una deserialización polimórfica de un objeto malicioso utilizando las clases JNDI de commons-configuration 1 y 2. Un atacante... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 14%CPEs: 58EXPL: 0CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malic... • http://www.securityfocus.com/bid/106601 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 3%CPEs: 55EXPL: 0CVE-2018-14719 – jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
https://notcve.org/view.php?id=CVE-2018-14719
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear las clases blaze-ds-opt y blaze-ds-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would p... • https://access.redhat.com/errata/RHBA-2019:0959 • CWE-502: Deserialization of Untrusted Data •