CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2019-3802 – Additional information exposure with Spring Data JPA example matcher
https://notcve.org/view.php?id=CVE-2019-3802
03 Jun 2019 — This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied. • https://pivotal.io/security/cve-2019-3802 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2019-3797 – Additional information exposure with Spring Data JPA derived queries
https://notcve.org/view.php?id=CVE-2019-3797
06 May 2019 — This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly. • https://pivotal.io/security/cve-2019-3797 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2019-3793 – Invitations Service supports HTTP connections
https://notcve.org/view.php?id=CVE-2019-3793
24 Apr 2019 — Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests. • https://pivotal.io/security/cve-2019-3793 • CWE-300: Channel Accessible by Non-Endpoint • CWE-319: Cleartext Transmission of Sensitive Information
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2019-3792 – Concourse 5.0.0 SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2019-3792
01 Apr 2019 — Pivotal Concourse version 5.0.0 contains an API that is vulnerable to SQL injection. A Concourse resource can craft a version identifier that carries a SQL injection payload to the Concourse server, allowing the attacker to read privileged data. • https://pivotal.io/security/cve-2019-3792 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2019-3776 – Reflected XSS in Pivotal Operations Manager
https://notcve.org/view.php?id=CVE-2019-3776
07 Mar 2019 — Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross-site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser. • http://www.securityfocus.com/bid/107344 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2019-3777 – Apps Manager unverified SSL certs in Cloud Controller proxy
https://notcve.org/view.php?id=CVE-2019-3777
07 Mar 2019 — Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain an Apps Manager that uses a Cloud Controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller. • http://www.securityfocus.com/bid/107214 • CWE-295: Improper Certificate Validation
CVSS: 6.5 | EPSS: 14% | CPEs: 7 | EXPL: 3 | CVE-2019-3778 – Open Redirect in spring-security-oauth2
https://notcve.org/view.php?id=CVE-2019-3778
07 Mar 2019 — Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner us... • https://packetstorm.news/files/id/153299 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVSS: 9.8 | EPSS: 2% | CPEs: 3 | EXPL: 0 | CVE-2019-3774 – Spring Batch XML External Entity Injection (XXE)
https://notcve.org/view.php?id=CVE-2019-3774
18 Jan 2019 — Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in t... • https://lists.apache.org/thread.html/r01292194daa9ed3117b34dabec0c26929f6db13b9613fc144f720d52%40%3Cissues.servicemix.apache.org%3E • CWE-20: Improper Input Validation • CWE-611: Improper Restriction of XML External Entity Reference
CVSS: 9.8 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2019-3773 – Spring Web Services XML External Entity Injection (XXE)
https://notcve.org/view.php?id=CVE-2019-3773
18 Jan 2019 — Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes a... • https://pivotal.io/security/cve-2019-3773 • CWE-20: Improper Input Validation • CWE-611: Improper Restriction of XML External Entity Reference
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2019-3803 – Concourse includes token in CLI authentication callback
https://notcve.org/view.php?id=CVE-2019-3803
12 Jan 2019 — Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a URL during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user. • https://pivotal.io/security/cve-2019-3803 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
