CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 4CVE-2019-18276 – bash: when effective UID is not equal to its real UID the saved UID is not dropped
https://notcve.org/view.php?id=CVE-2019-18276
An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. • https://github.com/M-ensimag/CVE-2019-18276 https://github.com/SABI-Ensimag/CVE-2019-18276 http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E https://security.gentoo.org/glsa/202105-34 https://security.netapp.com/advisory/ntap-20200430-0003 https://www.oracle.com/security-alerts/cp • CWE-271: Privilege Dropping / Lowering Errors CWE-273: Improper Check for Dropped Privileges •
CVSS: 6.5EPSS: 0%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 18EXPL: 0CVE-2019-17195 – nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
https://notcve.org/view.php?id=CVE-2019-17195
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. Connect2id Nimbus JOSE+JWT versiones anteriores a v7.9, puede arrojar varias excepciones no captadas al analizar un JWT, lo que podría resultar en un bloqueo de la aplicación (potencial divulgación de información) o una posible omisión de autenticación. A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability. • https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt https://connect2id.com/blog/nimbus-jose-jwt-7-9 https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.ht • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2019-10086 – apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
https://notcve.org/view.php?id=CVE-2019-10086
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todos los objetos Java. Sin embargo, no se esta usando esta característica por defecto de PropertyUtilsBean. A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4%40apache.org%3e https://access.redhat.com/errata/RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 2%CPEs: 4EXPL: 2CVE-2019-3799 – Directory Traversal with spring-cloud-config-server
https://notcve.org/view.php?id=CVE-2019-3799
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack. Spring Cloud Config, versiones 2.1.x anteriores a 2.1.2, versiones 2.0.x anteriores a 2.0.4, versiones 1.4.x anteriores a 1.4.6, y versiones anteriores no compatibles, permiten que aplicaciones entreguen archivos de configuración arbitrarios por medio del Módulo spring-cloud-config-server. Un usuario malicioso, o un atacante, puede enviar una petición usando una URL especialmente creada que puede provocar un ataque transversal a un directorio. • https://www.exploit-db.com/exploits/46772 https://github.com/mpgn/CVE-2019-3799 https://pivotal.io/security/cve-2019-3799 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •