CVSS: 10.0EPSS: 97%CPEs: 11EXPL: 2CVE-2017-12629 – Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Ocurre una ejecución remota de código en Apache Solr en versiones anteriores a la 7.1 con Apache Lucene en versiones anteriores a la 7.1 explotando XXE junto con el uso de un comando add-listener de la API de configuración para alcanzar la clase RunExecutableListener. • https://www.exploit-db.com/exploits/43009 http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E http://openwall.com/lists/oss-security/2017/10/13/1 http://www.securityfocus.com/bid/101261 https://access.redhat.com/errata/RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3451 https:/ • CWE-138: Improper Neutralization of Special Elements CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-2582 – keycloak: SAML request parser replaces special strings with system properties
https://notcve.org/view.php?id=CVE-2017-2582
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. Se ha descubierto que cuando se analizan los mensajes SAML, la clase StaxParserUtil de keycloak en versiones anteriores a la 2.5.1 reemplaza cadenas especiales para obtener valores de atributos con la propiedad del sistema. Esto podría permitir que un atacante determine valores de las propiedades del sistema en el sistema atacado formateando el campo ID de petición SAML para que sea la propiedad del sistema elegida, la cual se puede obtener en el campo "InResponseTO" en la respuesta. It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. • http://www.securityfocus.com/bid/101046 http://www.securitytracker.com/id/1041707 https://access.redhat.com/errata/RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:3216 https://access.redhat.com/errata/RHSA-2017:3217 https://access.redhat.com/errata/RHSA-2017:3218 https://access.redhat.com/errata/RHSA-2017:3219 https: • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2017-2595 – wildfly: Arbitrary file read via path traversal
https://notcve.org/view.php?id=CVE-2017-2595
It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal. Se ha encontrado que el visor de archivos de log en Red Hat JBoss Enterprise Application 6 y 7 permite que un archivo arbitrario sea leído por el usuario autenticado a través de un salto de directorio. • http://rhn.redhat.com/errata/RHSA-2017-1409.html http://rhn.redhat.com/errata/RHSA-2017-1551.html http://www.securityfocus.com/bid/98967 http://www.securitytracker.com/id/1038757 https://access.redhat.com/errata/RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:1548 https://access.redhat.com/errata/RHSA-2017:1549 https://access.redhat.com/errata/RHSA-2017:1550 h • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2017-2666 – undertow: HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests
https://notcve.org/view.php?id=CVE-2017-2666
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. Se ha descubierto en Undertow que el código que analizaba la línea de petición HTTP permitía caracteres no válidos. Esto podría ser explotado, en conjunto con un proxy que también permita caracteres inválidos pero con una interpretación diferente, para inyectar datos en la respuesta HTTP. • https://github.com/tafamace/CVE-2017-2666 http://rhn.redhat.com/errata/RHSA-2017-1409.html http://www.securityfocus.com/bid/98966 https://access.redhat.com/errata/RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3458 ht • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 0CVE-2017-2670 – undertow: IO thread DoS via unclean Websocket closing
https://notcve.org/view.php?id=CVE-2017-2670
It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS. Se ha encontrado en Undertow en versiones anteriores a la 1.3.28 que con el cierre no seguro de TCP, el servidor Websocket entra en bucle infinito en cada hilo IO, provocando efectivamente una denegación de servicio (DoS). It was found that with non-clean TCP close, Websocket server gets into infinite loop on every IO thread, effectively causing DoS. • http://rhn.redhat.com/errata/RHSA-2017-1409.html http://www.securityfocus.com/bid/98965 https://access.redhat.com/errata/RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3458 https://bugzilla.redhat.com/show_bug.cgi?id&# • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •