CVE-2018-18506 – Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied
https://notcve.org/view.php?id=CVE-2018-18506
When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. This vulnerability affects Firefox < 65. Cuando la autodetección del proxy está habilitada, si un servidor web proporciona un archivo de autoconfiguración de proxy (PAC) o si dicho archivo se carga localmente, este último puede especificar peticiones al host local que están destinadas a enviarse a través del proxy hacia otro servidor. Este comportamiento está prohibido por defecto cuando un proxy se configura manualmente. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.html http://www.securityfocus.com/bid/106773 https://access.redhat.com/errata/RHSA-2019:0622 https://access.redhat.com/errata/RHSA-2019:0623 https://access.redhat.com/errata/RHSA-2019:0680 https:/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-2481 – mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
https://notcve.org/view.php?id=CVE-2019-2481
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html http://www.securityfocus.com/bid/106619 https://access.redhat.com/errata/RHSA-2019:2484 https://access.redhat.com/errata/RHSA-2019:2511 https://security.netapp.com/advisory/ntap-20190118-0002 https://usn.ubuntu.com/3867-1 https://access.redhat.com/security/cve/CVE-2019-2481 https://bugzilla.redhat.com/show_bug.cgi?id=1666743 •
CVE-2019-2533 – mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019)
https://notcve.org/view.php?id=CVE-2019-2533
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity impacts). • http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://access.redhat.com/errata/RHSA-2019:2484 https://access.redhat.com/errata/RHSA-2019:2511 https://security.netapp.com/advisory/ntap-20190118-0002 https://access.redhat.com/security/cve/CVE-2019-2533 https://bugzilla.redhat.com/show_bug.cgi?id=1666759 •
CVE-2019-2422 – OpenJDK: memory disclosure in FileChannelImpl (Libraries, 8206290)
https://notcve.org/view.php?id=CVE-2019-2422
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html http://www.securityfocus.com/bid/106596 https://access.redhat.com/errata/RHSA-2019:0416 https://access.redhat.com/errata/RHSA-2019:0435 https://access.redhat.com/errata/RHSA-2019:0436 https://a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-2535 – mysql: Server: Options unspecified vulnerability (CPU Jan 2019)
https://notcve.org/view.php?id=CVE-2019-2535
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 8.0.13 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html http://www.securityfocus.com/bid/106622 https://access.redhat.com/errata/RHSA-2019:2484 https://access.redhat.com/errata/RHSA-2019:2511 https://security.netapp.com/advisory/ntap-20190118-0002 https://access.redhat.com/security/cve/CVE-2019-2535 https://bugzilla.redhat.com/show_bug.cgi?id=1666761 •