Page 25 of 160 results (0.014 seconds)

CVSS: 4.9EPSS: 0%CPEs: 29EXPL: 0

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.) Se detectó un problema en el servidor en OpenLDAP anterior a versión 2.4.48. Cuando el administrador del servidor delega los privilegios de tipo rootDN (administrador de base de datos) para ciertas bases de datos, pero quiere mantener el aislamiento (por ejemplo, para implementaciones de múltiples inquilinos), slapd no detiene apropiadamente un rootDN de solicitar una autorización como una identidad de otra base de datos durante un enlace SASL o con un control proxyAuthz (RFC 4370). • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html http://seclists.org/fulldisclosure/2019/Dec/26 https://kc.mcafee.com/corporate/index?page=content&id=SB10365 https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html https://seclists.org/bugtraq/2019/Dec/23 https://security.netapp.com/advisory/ntap-20190822-0004 https://support.apple.com/kb/HT210788 https://usn.ubuntu.com/4 •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: HTTP data path subsystems). The supported version that is affected is 8.8.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance Kit (AK). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Sun ZFS Storage Appliance Kit (AK), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Sun ZFS Storage Appliance Kit (AK) accessible data as well as unauthorized read access to a subset of Sun ZFS Storage Appliance Kit (AK) accessible data. • http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html •

CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0

mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL. mod_auth_mellon hasta versión 0.14.2, presenta un problema de Redireccionamiento Abierto por medio de la subcadena login?ReturnTo=, como es demostrado al omitir el // después de http: en la URL de destino. • https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 https://lists.debian.org/debian-lts-announce/2023/03/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5E3JVHURJJNDP63CKVX5O5MJAGCQV4K https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XU5GVFZW3C2M4ZBL4F7UP7N24FNUCX4E https://usn.ubuntu.com/4291-1 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE- • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 2

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF. En las versiones anteriores a 19.2.1. de Twisted, twisted.web no validó ni saneó los URIs o los métodos HTTP, permitiendo que un atacante inyecte caracteres no válidos tales como CRLF. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html https://usn.ubuntu.com/4308-1 htt • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 9.8EPSS: 1%CPEs: 41EXPL: 0

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html http://www.securityfocus.com/bid/107400 https://access. • CWE-172: Encoding Error •