CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14299 – picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
https://notcve.org/view.php?id=CVE-2020-14299
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. Se encontró un fallo en JBoss EAP, donde la configuración de autenticación se configura usando un SecurityRealm heredado, para delegarlo en un SecurityDomain PicketBox heredado, y luego se vuelve a cargar al modo de solo administrador. Este fallo permite a un atacante llevar a cabo una omisión de autenticación completa mediante el uso de un usuario y una contraseña arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1848533 https://access.redhat.com/security/cve/CVE-2020-14299 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2020-25644 – wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
https://notcve.org/view.php?id=CVE-2020-25644
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de pérdida de memoria en WildFly OpenSSL en versiones anteriores a 1.1.3.Final, donde se elimina una sesión HTTP. Puede permitir a un atacante causar OOM conllevando a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1885485 https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files https://issues.redhat.com/browse/WFSSL-51 https://security.netapp.com/advisory/ntap-20201016-0004 https://access.redhat.com/security/cve/CVE-2020-25644 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-10763 – heketi: gluster-block volume password details available in logs
https://notcve.org/view.php?id=CVE-2020-10763
An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords. Se encontró un fallo en la divulgación de información en la forma en que Heketi versiones anteriores a 10.1.0 registra información confidencial. Este fallo permite a un atacante con acceso local al servidor de Heketi leer información potencialmente confidencial, tal y como contraseñas de gluster-block An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server, to read potentially sensitive information, such as gluster-block passwords. • https://bugzilla.redhat.com/show_bug.cgi?id=1845387 https://github.com/heketi/heketi/releases/tag/v10.1.0 https://access.redhat.com/security/cve/CVE-2020-10763 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2020-14370 – podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API
https://notcve.org/view.php?id=CVE-2020-14370
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables. Se encontró una vulnerabilidad de divulgación de información en containers/podman en versiones anteriores a 2.0.5. Cuando se usa la API Varlink obsoleta o la API REST compatible con Docker, si son creados varios contenedores en un período corto, las variables de entorno desde el primer contenedor son filtradas hacia los contenedores posteriores. • https://bugzilla.redhat.com/show_bug.cgi?id=1874268 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV https://access.redhat.com/security/cve/CVE-2020-14370 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10743 – kibana: X-Frame-Option not set by default might lead to clickjacking
https://notcve.org/view.php?id=CVE-2020-10743
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking. Se detectó que la distribución Kibana OpenShift Container Platform (OCP) podía abrirse en un iframe, lo que permitía interceptar y manipular las peticiones. Este fallo permite a un atacante engañar a un usuario para llevar a cabo acciones arbitrarias en la distribución de Kibana de OCP, como el clickjacking • https://bugzilla.redhat.com/show_bug.cgi?id=1834550 https://access.redhat.com/security/cve/CVE-2020-10743 • CWE-358: Improperly Implemented Security Check for Standard CWE-1021: Improper Restriction of Rendered UI Layers or Frames •