CVE-2017-7513
https://notcve.org/view.php?id=CVE-2017-7513
It was found that Satellite 5 configured with SSL/TLS for the PostgreSQL backend failed to correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a PostgreSQL server using a specially crafted X.509 certificate. Se ha detectado que Satellite 5 configurado con SSL/TLS para el backend PostgreSQL no pudo validar correctamente los campos de nombre de host de certificado de servidor X.509. Un atacante Man-in-the-Middle (MitM) podría usar este fallo para falsificar un servidor PostgreSQL usando un certificado X.509 especialmente manipulado. • https://access.redhat.com/security/cve/cve-2017-7513 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7513 • CWE-295: Improper Certificate Validation •
CVE-2018-1517 – JDK: DoS in the java.math component
https://notcve.org/view.php?id=CVE-2018-1517
A flaw in the java.math component in IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0 may allow an attacker to inflict a denial-of-service attack with specially crafted String data. IBM X-Force ID: 141681. Un fallo en el componente java.math en IBM SDK, Java Technology Edition 6.0, 7.0 y 8.0 podría permitir que un atacante inflija un ataque de denegación de servicio (DoS) con datos String especialmente manipulados. IBM X-Force ID: 141681. • http://www.ibm.com/support/docview.wss?uid=ibm10719653 http://www.securityfocus.com/bid/105117 https://access.redhat.com/errata/RHSA-2018:2568 https://access.redhat.com/errata/RHSA-2018:2569 https://access.redhat.com/errata/RHSA-2018:2575 https://access.redhat.com/errata/RHSA-2018:2576 https://access.redhat.com/errata/RHSA-2018:2712 https://access.redhat.com/errata/RHSA-2018:2713 https://exchange.xforce.ibmcloud.com/vulnerabilities/141681 https://access.redhat.com/security/cv • CWE-20: Improper Input Validation •
CVE-2018-1656 – JDK: path traversal flaw in the Diagnostic Tooling Framework
https://notcve.org/view.php?id=CVE-2018-1656
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0, 7.0 y 8.0) de IBM Java Runtime Environment no protege contra ataques de salto de directorio cuando se extraen archivos de volcado comprimidos. IBM X-Force ID: 144882. • http://www.ibm.com/support/docview.wss?uid=ibm10719653 http://www.securityfocus.com/bid/105118 http://www.securitytracker.com/id/1041765 https://access.redhat.com/errata/RHSA-2018:2568 https://access.redhat.com/errata/RHSA-2018:2569 https://access.redhat.com/errata/RHSA-2018:2575 https://access.redhat.com/errata/RHSA-2018:2576 https://access.redhat.com/errata/RHSA-2018:2712 https://access.redhat.com/errata/RHSA-2018:2713 https://exchange.xforce.ibmcloud.com/vulnerabilities/14 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-10931 – cobbler: CobblerXMLRPCInterface exports all its methods over XMLRPC
https://notcve.org/view.php?id=CVE-2018-10931
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. Se ha descubierto que cobbler 2.6.x exponía todas las funciones desde su clase CobblerXMLRPCInterface mediante XMLRPC. Un atacante no autenticado remoto podría emplear este error para obtener privilegios elevados en cobbler o subir archivos a ubicaciones arbitrarias en el contexto del demonio. An API-exposure flaw was found in cobbler, where it exported CobblerXMLRPCInterface private functions over XMLRPC. • https://access.redhat.com/errata/RHSA-2018:2372 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10931 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA https://access.redhat.com/security/cve/CVE-2018-10931 https://bugzilla.redhat.com/show_bug.cgi?id=1613861 • CWE-749: Exposed Dangerous Method or Function •
CVE-2017-12175 – 6: XSS in discovery rule filter autocomplete functionality
https://notcve.org/view.php?id=CVE-2017-12175
Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality. Red Hat Satellite en versiones anteriores a la 6.5 es vulnerable a Cross-Site Scripting (XSS) en la regla discovery cuando se introduce un filtro y se utiliza la funcionalidad de autocompletado. • http://www.securityfocus.com/bid/101245 https://access.redhat.com/errata/RHSA-2018:2927 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12175 https://projects.theforeman.org/issues/22042 https://access.redhat.com/security/cve/CVE-2017-12175 https://bugzilla.redhat.com/show_bug.cgi?id=1498976 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •