CVE-2019-10393 – jenkins-script-security-plugin: handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10393
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión del sandbox en Jenkins Script Security Plugin versión 1.62 y anteriores, relacionada con el manejo de nombres de métodos en expresiones de llamada a método permitió a atacantes ejecutar código arbitrario en scripts del sandbox. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10393 https://bugzilla.redhat.com/show_bug.cgi?id=1819697 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-10399 – jenkins-script-security-plugin: handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10399
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión del sandbox en Jenkins Script Security Plugin versión 1.62 y anteriores, relacionada con el manejo de nombres de propiedad en expresiones de propiedad en expresiones de incremento y decremento, permitió a atacantes ejecutar código arbitrario en scripts del sandbox. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10399 https://bugzilla.redhat.com/show_bug.cgi?id=1819713 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-10394 – jenkins-script-security-plugin: handling of property names in property expressions on the left-hand side of assignment expression leads to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10394
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión del sandbox en Jenkins Script Security Plugin versión 1.62 y anteriores, relacionada con el manejo de nombres de propiedad en expresiones de propiedad en el lado izquierdo de las expresiones de asignación permitió a atacantes ejecutar código arbitrario en scripts de sandbox. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10394 https://bugzilla.redhat.com/show_bug.cgi?id=1819692 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-10400 – jenkins-script-security-plugin: handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10400
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts. Una vulnerabilidad de omisión del sandbox en Jenkins Script Security Plugin versión 1.62 y anteriores, relacionada con el manejo de subexpresiones en expresiones de incremento y decremento que no implican asignación actual, permitió a atacantes ejecutar código arbitrario en scripts del sandbox. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10400 https://bugzilla.redhat.com/show_bug.cgi?id=1819708 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-9812 – Mozilla Firefox sync Universal Cross-Site Scripting Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9812
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. ... Dado un proceso de contenido comprometido dentro del sandbox debido a una vulnerabilidad separada, es posible escapar de ese sandbox cargando accounts.firefox.com en ese proceso y forzando un inicio de sesión en una cuenta de Firefox Sync maliciosa. La configuración de preferencias que deshabilita el sandbox es sincronizada con la máquina local y el navegador comprometido se reiniciará sin el sandbox si es activado un bloqueo. ... This vulnerability allows remote attackers to escape the sandbox on affected installations of Mozilla Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 https://bugzilla.mozilla.org/show_bug.cgi?id=1538015 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://www.mozilla.org/security/advisories/mfsa2019-27 https://access.redhat.com/security/cve/CVE-2019-9812 https://bugzilla.redhat.com/show_bug.cgi?id=1748660 • CWE-250: Execution with Unnecessary Privileges •