CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Feb 2024 — In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: * The application uses AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and a null authentication parameter is passed to it, resulting in an erroneous true return value. An application is not vulnerable ... • https://github.com/shellfeel/CVE-2024-22243-CVE-2024-22234 • CWE-284: Improper Access Control

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Feb 2024 — Aria Operations for Networks contains a cross-site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and take over the user account. • https://www.vmware.com/security/advisories/VMSA-2024-0002.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Feb 2024 — Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. • https://www.vmware.com/security/advisories/VMSA-2024-0002.html • CWE-552: Files or Directories Accessible to External Parties

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Feb 2024 — Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain regular shell access. • https://www.vmware.com/security/advisories/VMSA-2024-0002.html • CWE-269: Improper Privilege Management

CVSS: 6.4 • EPSS: 1% • CPEs: 1 • EXPL: 0

06 Feb 2024 — Aria Operations for Networks contains a cross-site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization. • https://www.vmware.com/security/advisories/VMSA-2024-0002.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Feb 2024 — Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system. • https://www.vmware.com/security/advisories/VMSA-2024-0002.html • CWE-269: Improper Privilege Management

CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

05 Feb 2024 — The spring-security.xsd file inside the spring-security-config jar is world writable, which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue. • https://spring.io/security/cve-2023-34042 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

31 Jan 2024 — In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via a temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency. • https://spring.io/security/cve-2024-22236 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 7.8 • EPSS: 1% • CPEs: 2 • EXPL: 0

22 Jan 2024 — In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath. Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all... • https://security.netapp.com/advisory/ntap-20240614-0005

CVSS: 9.9 • EPSS: 0% • CPEs: 12 • EXPL: 0

16 Jan 2024 — Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows. • https://www.vmware.com/security/advisories/VMSA-2024-0001.html • CWE-862: Missing Authorization