CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4314
https://notcve.org/view.php?id=CVE-2021-4314
It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user. This is happening only in the situation when zOSMF doesn’t have the APAR PH12143 applied. This issue affects: 1.16 versions to 1.19. What happens is that the services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that different user is authenticated. • https://github.com/zowe/api-layer • CWE-269: Improper Privilege Management CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 2CVE-2022-46463
https://notcve.org/view.php?id=CVE-2022-46463
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature." Un problema de control de acceso en Harbor v1.XX a v2.5.3 permite a los atacantes acceder a repositorios de imágenes públicos y privados sin autenticación. NOTA: la posición del proveedor es que esto "se describe claramente en la documentación como una característica". • https://github.com/nu0l/CVE-2022-46463 https://github.com/404tk/CVE-2022-46463 https://github.com/Vad1mo https://github.com/lanqingaa/123/blob/main/README.md https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4875 – fossology cross site scripting
https://notcve.org/view.php?id=CVE-2022-4875
A vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. The attack can be initiated remotely. The patch is identified as 8e0eba001662c7eb35f045b70dd458a4643b4553. • https://github.com/fossology/fossology/commit/8e0eba001662c7eb35f045b70dd458a4643b4553 https://github.com/fossology/fossology/pull/2356 https://vuldb.com/?ctiid.217426 https://vuldb.com/?id.217426 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23506 – Spinnaker's Rosco microservice vulnerable to improper log masking on AWS Packer builds
https://notcve.org/view.php?id=CVE-2022-23506
Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not property mask secrets generated via packer builds. This can lead to exposure of sensitive AWS credentials in packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue. A workaround is available. It's recommended to use short lived credentials via role assumption and IAM profiles. • https://github.com/spinnaker/rosco/commit/e80cfaa1abfb3a0e9026d45d6027291bfb815daf https://github.com/spinnaker/spinnaker/security/advisories/GHSA-2233-cqj8-j2q5 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2019-19030
https://notcve.org/view.php?id=CVE-2019-19030
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. Cloud Native Computing Foundation Harbor anterior a 1.10.3 y 2.x anterior a 2.0.1 permite la enumeración de recursos porque las llamadas API no autenticadas revelan (a través del código de estado HTTP) si existe un recurso. • https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j •