CVE-2020-5411 – Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets"
https://notcve.org/view.php?id=CVE-2020-5411
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means that through the previous exploit, arbitrary code could be executed if all of the following is true: * Spring Batch's Jackson support is being leveraged to serialize a job's ExecutionContext. * A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack, Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive against blocking unknown "deserialization gadgets" when enabling default typing. • https://tanzu.vmware.com/security/cve-2020-5411 • CWE-502: Deserialization of Untrusted Data •
CVE-2020-5408 – Dictionary attack with Spring Security queryable text encryptor
https://notcve.org/view.php?id=CVE-2020-5408
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. Spring Security versiones 5.3.x anteriores a 5.3.2, versiones 5.2.x anteriores a 5.2.4, versiones 5.1.x anteriores a 5.1.10, versiones 5.0.x anteriores a 5.0.16 y versiones 4.2.x anteriores a 4.2.16, utilizan un vector de inicialización de null corregido con el Modo CBC en la implementación del encriptador de texto consultable. Un usuario malicioso con acceso a los datos que han sido encriptados, al usar dicho encriptador pueden ser capaces de obtener los valores no encriptados mediante un ataque de diccionario. • https://tanzu.vmware.com/security/cve-2020-5408 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-329: Generation of Predictable IV with CBC Mode CWE-330: Use of Insufficiently Random Values •
CVE-2020-5409 – Concourse Open Redirect in the /sky/login endpoint
https://notcve.org/view.php?id=CVE-2020-5409
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.) En Pivotal Concourse, la mayoría de las versiones anteriores a 6.0.0, permiten redireccionamientos hacia sitios web no confiables en su flujo de inicio de sesión. Un atacante remoto no autenticado podría convencer a un usuario de hacer clic sobre un enlace utilizando el enlace de redireccionamiento OAuth con un sitio web no confiable y conseguir acceso al token de acceso de ese usuario en Concourse. • https://tanzu.vmware.com/security/cve-2020-5409 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2020-5407 – Signature Wrapping Vulnerability with spring-security-saml2-service-provider
https://notcve.org/view.php?id=CVE-2020-5407
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid. Spring Security versiones 5.2.x anteriores a 5.2.4 y versiones 5.3.x anteriores a 5.3.2, contienen una vulnerabilidad de empaquetado de firma durante la comprobación de respuesta SAML. Cuando se usa el componente spring-security-saml2-service-provider, un usuario malicioso puede modificar cuidadosamente una respuesta SAML válida y agregar una afirmación arbitraria que Spring Security aceptará como válida. • https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7%40%3Cissues.servicemix.apache.org%3E https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a%40%3Cdev.geode.apache.org%3E https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c%40%3Cdev.geode.apache.org%3E https://tanzu.vmware.com/security/cve-2020-5407 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2019-19023
https://notcve.org/view.php?id=CVE-2019-19023
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, presenta una Vulnerabilidad de Escalada de Privilegios en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://tanzu.vmware.com/security/cve-2019-19023 •