CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-10690 – puppet: Environment leakage in puppet-agent
https://notcve.org/view.php?id=CVE-2017-10690
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4 En versiones anteriores de Puppet Agent, era posible que el agente recuperase hechos de un entorno para el que no estaba clasificado. Esto se solucionó en Puppet Agent 5.3.4, incluido en Puppet Enterprise 2017.3.4. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10690 https://access.redhat.com/security/cve/CVE-2017-10690 https://bugzilla.redhat.com/show_bug.cgi?id=1566764 • CWE-203: Observable Discrepancy CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-10689 – puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions
https://notcve.org/view.php?id=CVE-2017-10689
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. En versiones anteriores de Puppet Agent, era posible instalar un módulo con permisos de modificación para cualquier usuario. Puppet Agent 5.3.4 y 1.10.10 incluían una solución para esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10689 https://usn.ubuntu.com/3567-1 https://access.redhat.com/security/cve/CVE-2017-10689 https://bugzilla.redhat.com/show_bug.cgi?id=1542850 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 34EXPL: 0CVE-2018-2638 – JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment)
https://notcve.org/view.php?id=CVE-2018-2638
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102546 http://www.securitytracker.com/id/1040203 https://access.redhat.com/errata/RHSA-2018:0099 https://access.redhat.com/errata/RHSA-2018:0351 https://access.redhat.com/errata/RHSA-2018:0352 https://access.redhat.com/errata/RHSA-2018:1463 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 https://security.netapp.com/ •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2018-2627 – JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Installer)
https://notcve.org/view.php?id=CVE-2018-2627
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102584 http://www.securitytracker.com/id/1040203 https://access.redhat.com/errata/RHSA-2018:0099 https://access.redhat.com/errata/RHSA-2018:1463 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 https://security.netapp.com/advisory/ntap-20180117-0001 https://access.redhat.com/security/cve/CVE-2018-2627 https://bugzilla.re •
CVSS: 6.5EPSS: 0%CPEs: 19EXPL: 0CVE-2018-2582 – OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962)
https://notcve.org/view.php?id=CVE-2018-2582
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102597 http://www.securitytracker.com/id/1040203 https://access.redhat.com/errata/RHSA-2018:0095 https://access.redhat.com/errata/RHSA-2018:0099 https://access.redhat.com/errata/RHSA-2018:0351 https://access.redhat.com/errata/RHSA-2018:0352 https://access.redhat.com/errata/RHSA-2018:0458 https://access.redhat.com/errata/RHSA-2018:0521 https://access.redhat.com/errata/ •