CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10355 – jenkins-plugin-script-security: Sandbox bypass through type casts in Script Security Plugin
https://notcve.org/view.php?id=CVE-2019-10355
31 Jul 2019 — A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión del sandbox en el Plugin Script Security de Jenkins versión 1.61 y anteriores, relacionada con el manejo de conversiones de tipos permitió a los atacantes ejecutar código arbitrario en scripts del sandbox. A flaw was found in Jenkins Script Security plugin. Sandbox protection could be circumvent... • http://www.openwall.com/lists/oss-security/2019/07/31/1 • CWE-704: Incorrect Type Conversion or Cast •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10356 – jenkins-plugin-script-security: Sandbox bypass through method pointer expressions in Script Security Plugin
https://notcve.org/view.php?id=CVE-2019-10356
31 Jul 2019 — A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión de sandbox en el Plugin Script Security de Jenkins versión 1.61 y anteriores, relacionada con el manejo de expresiones de puntero de método permitió a los atacantes ejecutar código arbitrario en scripts del sandbox. A flaw was found in the Jenkins Script Security plugin. Sandbox ... • http://www.openwall.com/lists/oss-security/2019/07/31/1 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10357 – jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin
https://notcve.org/view.php?id=CVE-2019-10357
31 Jul 2019 — A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. Una falta de comprobación de permisos en el Plugin Shared Groovy Libraries de Jenkins Pipeline versión 2.14 y anteriores, permitió a los usuarios con acceso General y de Lectura obtener información limitada sobre el contenido de los repositorios SCM referenciados mediante las ... • http://www.openwall.com/lists/oss-security/2019/07/31/1 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 1%CPEs: 61EXPL: 0CVE-2019-14379 – jackson-databind: default typing mishandling leading to remote code execution
https://notcve.org/view.php?id=CVE-2019-14379
29 Jul 2019 — SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. El archivo SubTypeValidator.java en jackson-databind de FasterXML en versiones anteriores a la 2.9.9.2 maneja inapropiadamente la escritura predeterminada cuando se usa ehcache (debido a net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lo que conlleva a la ejecuc... • http://seclists.org/fulldisclosure/2022/Mar/23 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 2%CPEs: 28EXPL: 1CVE-2019-1010238 – pango: pango_log2vis_get_embedding_levels() heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2019-1010238
19 Jul 2019 — Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. Pango versión 1.42 y posterior de Gnome, está afectada por: Desbordamiento de Búfer. • https://access.redhat.com/errata/RHBA-2019:2824 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10354 – jenkins: Unauthorized view fragment access (SECURITY-534)
https://notcve.org/view.php?id=CVE-2019-10354
17 Jul 2019 — A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. Una vulnerabilidad en el framework web Stapler usado en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, ha permitido a los atacantes acceder directamente a los fragmentos de visualización, omitiendo las comprobaciones de permisos y posiblemente obtener infor... • http://www.openwall.com/lists/oss-security/2019/07/17/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2019-3889 – atomic-openshift: reflected XSS in authentication flow
https://notcve.org/view.php?id=CVE-2019-3889
11 Jul 2019 — A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting them to click on a malicious link. Se presenta una vulnerabilidad de tipo XSS reflejada en el flujo de autorización de OpenShift Container Platform versiones: openshift-online- versión 3, openshift-enterprise- versiones 3.4 hasta 3.7 y open... • https://access.redhat.com/errata/RHSA-2019:3722 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10165 – openshift: OAuth access tokens written in plaintext to API server audit logs
https://notcve.org/view.php?id=CVE-2019-10165
26 Jun 2019 — OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. OpenShift Container Platform anterior a versión 4.1.3, escribe tokens OAuth en texto plano en los registros de auditoría para el servidor de la API Kubernetes y el servidor de la API OpenShift. Un usuario con privilegios suficientes... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10165 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10150 – atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository
https://notcve.org/view.php?id=CVE-2019-10150
12 Jun 2019 — It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output. Se encontró que OpenShift Container Platform versiones 3.6.x hasta 4.6.0, no realizan la comprobación de clave del host SSH cuando es usada la autenticación de la clave ssh durante las compilaciones. Un atacante, con la capacidad de redireccio... • https://access.redhat.com/errata/RHSA-2019:2989 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-3899 – heketi: heketi can be installed using insecure defaults
https://notcve.org/view.php?id=CVE-2019-3899
22 Apr 2019 — It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. Se encontró que la configuración predeterminada de Heketi no requiere ninguna autenticación, y expone potencialmente la interfaz de gestión a un mal uso. Esta situación sólo afecta a heketi tal y como se envía con Openshift Container Platform versión 3.11. It was found that the default c... • https://access.redhat.com/errata/RHSA-2019:3255 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function CWE-592: DEPRECATED: Authentication Bypass Issues •