Page 36 of 184 results (0.016 seconds)

CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0

CVE-2017-9735

https://notcve.org/view.php?id=CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. Jetty hasta la versión 9.4.x es propenso a una sincronización de canal en util/security/Password.java, lo que facilita que atacantes remotos obtengan acceso observando el tiempo transcurrido antes de rechazar contraseñas incorrectas. SR 760 Feeder Protection Relay, en versiones de firmware anteriores a la 7.47; SR 469 Motor Protection Relay, en versiones de firmware anteriores a la 5.23; SR 489 Generator Protection Relay, en versiones de firmware anteriores a la 4.06; SR 745 Transformer Protection Relay, en versiones de firmware anteriores a la 5.23; SR 369 Motor Protection Relay, en todas las versiones de firmware; Multilin Universal Relay, en versiones de firmware 6.0 y anteriores; y Multilin URplus (D90, C90, B95), en todas las versiones. Las versiones en texto cifrado de contraseñas de usuario fueron creadas con un vector de inicialización no aleatorio, dejándolas expuestas a ataques de diccionario. El texto cifrado de las contraseñas de usuario se pueden obtener del panel LCD de los productos afectados y a través de los comandos Modbus enviados. • http://www.securityfocus.com/bid/99104 https://bugs.debian.org/864631 https://github.com/eclipse/jetty.project/issues/1556 https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E https://lists.apache.org/thread.html/f887a5978f5e • CWE-203: Observable Discrepancy •

CVSS: 6.5EPSS: 22%CPEs: 2EXPL: 1

CVE-2017-7650

https://notcve.org/view.php?id=CVE-2017-7650

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. En Mosquitto en versiones anteriores a la 1.4.12, las listas de control de acceso (ACL) basadas en patrones pueden ser omitidas por clientes que establecen su ID de nombre de usuario/cliente como '#' o '+'. Esto permite que los clientes conectados de forma local o remota accedan a temas MQTT a los que no tienen derecho de acceso. • http://mosquitto.org/2017/05/security-advisory-cve-2017-7650 http://www.debian.org/security/2017/dsa-3865 http://www.securityfocus.com/bid/98741 https://bugs.eclipse.org/bugs/show_bug.cgi?id=516765 • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2017-7243

https://notcve.org/view.php?id=CVE-2017-7243

Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to cause a denial of service (DTLS peer crash) by sending a "Change cipher spec" packet without pre-handshake. Eclipse tinydtls 0.8.2 para Eclipse IoT permite que atacantes remotos causen una denegación de servicio (caída de pares de DTLS) enviando un paquete "Cambiar especificación de cifrado" sin pre-apretón de manos. • http://www.securityfocus.com/bid/97193 https://gist.github.com/k1rh4/25dcb124aef2a8a2a5f4677d64d1998b https://github.com/k1rh4/CVE/blob/master/tinydtls • CWE-476: NULL Pointer Dereference •

CVSS: 9.8EPSS: 2%CPEs: 20EXPL: 0

CVE-2016-4800 – Eclipse Jetty Protected Resource Bypass Vulnerability

https://notcve.org/view.php?id=CVE-2016-4800

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. El mecanismo de normalización de ruta en la clase PathResource en Eclipse Jetty 9.3.x en versiones anteriores a 9.3.9 en Windows permite a los atacantes remotos evitar las restricciones de recursos protegidos y otras restricciones de seguridad a través de una URL con ciertos caracteres de escape relacionados con las barras invertidas. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eclipse Jetty. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way the ContextHandler class restricts access to protected resources. By issuing a crafted request, an attacker can gain access to the code of a web application deployed in Jetty. • http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html http://www.ocert.org/advisories/ocert-2016-001.html http://www.securityfocus.com/bid/90945 http://www.zerodayinitiative.com/advisories/ZDI-16-362 https://security.netapp.com/advisory/ntap-20190307-0006 https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-284: Improper Access Control •

CVSS: 7.5EPSS: 94%CPEs: 9EXPL: 5

CVE-2015-2080 – Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers

https://notcve.org/view.php?id=CVE-2015-2080

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. El código de manipulación de excepciones en Eclipse Jetty en versiones anteriores a 9.2.9.v20150224 permite a atacantes remotos obtener información sensible de memoria de procesos a través de caracteres no válidos en una cabecera HTTP, vulnerabilidad también conocida como JetLeak. Remote unauthenticated attackers are able to read arbitrary data from other HTTP sessions because Ignition uses a vulnerable Jetty server. When the Jetty web server receives a HTTP request, the below code is used to parse through the HTTP headers and their associated values. Inductive Automation versions 7.8.1 (b2016012216) and 7.8.0 (b2015101414) are affected. • https://www.exploit-db.com/exploits/39455 http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html http://seclists.org/fulldisclosure/2015/Mar/12 http://www.securityfocus.com/archive/1/534755/100/1600/threaded http://www.securityfocus.com/bid/72768 http • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •