CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3578 – Framework: Directory traversal
https://notcve.org/view.php?id=CVE-2014-3578
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. Vulnerabilidad de salto de directorio en Pivotal Spring Framework 3.x anterior a 3.2.9 y 4.0 anterior a 4.0.5 permite a atacantes remotos leer ficheros arbitrarios a través de una URL arbitraria. A directory traversal flaw was found in the Spring Framework. A remote attacker could use this flaw to access arbitrary files on a server, and bypassing security restrictions that are otherwise in place. • http://jvn.jp/en/jp/JVN49154900/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054 http://pivotal.io/security/cve-2014-3578 http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.securityfocus.com/bid/68042 https://bugzilla.redhat.com/show_bug.cgi?id=1131882 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://rhn.redhat.com/errata/RHSA-2015-0234.html https://rhn.redhat.com/errata/RHSA-2015-0235.html https://access.redhat.com&#x • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9494
https://notcve.org/view.php?id=CVE-2014-9494
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. RabbitMQ anterior a 3.4.0 permite a atacantes remotos evadir la restricción loopback_users a través de una cabecera X-Forwareded-For manipulada. • http://seclists.org/oss-sec/2015/q1/30 http://www.rabbitmq.com/release-notes/README-3.4.0.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/99685 https://groups.google.com/forum/#%21topic/rabbitmq-users/DMkypbSvIyM • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-0862
https://notcve.org/view.php?id=CVE-2015-0862
Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content. Múltiples vulnerabilidades de XSS en la UI web de gestión en el plugin RabbitMQ management anterior a 3.4.3 permiten a usarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (1) los detalles de mensajes cuando un mensaje se saca de la cola, tales como cabeceras o argumentos; (2) los nombres de políticas, los cuales no se manejan correctamente cuando se visualizan las políticas; (3) los detalles para clientes de la red AMQP, tales como la versión; permiten a administradores remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de (4) los nombres de usuarios, (5) el nombre cluster; o permiten a administradores del cluster RabbitMQ (6) modificar contenidos no especificados. • http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-3625 – Framework: directory traversal flaw
https://notcve.org/view.php?id=CVE-2014-3625
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versión 3.0.4 hasta 3.2.x anterior a 3.2.12, versión 4.0.x anterior a 4.0.8 y versión 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio de vectores no especificados, relacionados al manejo de recurso estático. A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running. • http://rhn.redhat.com/errata/RHSA-2015-0236.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.pivotal.io/security/cve-2014-3625 https://jira.spring.io/browse/SPR-12354 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://access.redhat.com/security/cve/CVE-2014-3625 https://bugzilla.redhat.com/show_bug.cgi?id=1165936 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 34EXPL: 0CVE-2014-0225 – Framework: Information disclosure via SSRF
https://notcve.org/view.php?id=CVE-2014-0225
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. Al procesar un documento XML proporcionado por el usuario, el Framework Spring, versiones de la 4.0.0 a la 4.0.4 y de la 3.0.0 a la 3.2.8 y otras versiones anteriores ya no soportadas, no desactiva por defecto la resolución de las referencias URI en una declaración DTD, lo que habilita ataques de tipo XXE. It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers. • https://pivotal.io/security/cve-2014-0225 https://access.redhat.com/security/cve/CVE-2014-0225 https://bugzilla.redhat.com/show_bug.cgi?id=1110110 • CWE-611: Improper Restriction of XML External Entity Reference •