CVE-2017-5390 – Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
https://notcve.org/view.php?id=CVE-2017-5390
The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. El visor JSON en Developer Tools emplea métodos inseguros para crear un canal de comunicación para copiar y visualizar datos de cabeceras HTTP o JSON, lo que permite un potencial escalado de privilegios. La vulnerabilidad afecta a Thunderbird en versiones anteriores a la 45.7, Firefox ESR en versiones anteriores a la 45.7 y Firefox en versiones anteriores a la 51. • http://rhn.redhat.com/errata/RHSA-2017-0190.html http://rhn.redhat.com/errata/RHSA-2017-0238.html http://www.securityfocus.com/bid/95769 http://www.securitytracker.com/id/1037693 https://bugzilla.mozilla.org/show_bug.cgi?id=1297361 https://security.gentoo.org/glsa/201702-13 https://security.gentoo.org/glsa/201702-22 https://www.debian.org/security/2017/dsa-3771 https://www.debian.org/security/2017/dsa-3832 https://www.mozilla.org/security/advisories/mfsa2017-01 http •
CVE-2017-5380 – Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
https://notcve.org/view.php?id=CVE-2017-5380
A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Se ha encontrado un potencial uso de memoria previamente liberada mediante fuzzing durante la manipulación DOM del contenido SVG. La vulnerabilidad afecta a Thunderbird en versiones anteriores a la 45.7, Firefox ESR en versiones anteriores a la 45.7 y Firefox en versiones anteriores a la 51. • http://rhn.redhat.com/errata/RHSA-2017-0190.html http://rhn.redhat.com/errata/RHSA-2017-0238.html http://www.securityfocus.com/bid/95769 http://www.securitytracker.com/id/1037693 https://bugzilla.mozilla.org/show_bug.cgi?id=1322107 https://security.gentoo.org/glsa/201702-13 https://security.gentoo.org/glsa/201702-22 https://www.debian.org/security/2017/dsa-3771 https://www.debian.org/security/2017/dsa-3832 https://www.mozilla.org/security/advisories/mfsa2017-01 http • CWE-416: Use After Free •
CVE-2016-8612 – mod_cluster: Protocol parsing logic error
https://notcve.org/view.php?id=CVE-2016-8612
Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerable to an Improper Input Validation in the protocol parsing logic in the load balancer resulting in a Segmentation Fault in the serving httpd process. Apache HTTP Server mod_cluster, en versiones anteriores a httpd 2.4.23, es vulnerable a una validación de entradas incorrecta en la lógica de análisis de protocolo en el balanceador de carga, lo que resulta en un fallo de segmentación en el proceso httpd en servicio. An error was found in protocol parsing logic of mod_cluster load balancer Apache HTTP Server modules. An attacker could use this flaw to cause a Segmentation Fault in the serving httpd process. • http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.securityfocus.com/bid/94939 https://access.redhat.com/errata/RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0194 https://bugzilla.redhat.com/show_bug.cgi?id=1387605 https://security.netapp.com/advisory/ntap-20180601-0005 https://access.redhat.com/security/cve/CVE-2016-8612 • CWE-20: Improper Input Validation •
CVE-2016-7061 – EAP: Sensitive data can be exposed at the server level in domain mode
https://notcve.org/view.php?id=CVE-2016-7061
An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. Se ha detectado una vulnerabilidad de divulgación de información en JBoss Enterprise Application Platform en versiones anteriores a la 7.0.4. Se ha descubierto que, al configurar RBAC y marcar información como sensible, los usuarios con rol Monitor pueden visualizar dicha información sensible It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. • http://rhn.redhat.com/errata/RHSA-2017-0170.html http://rhn.redhat.com/errata/RHSA-2017-0171.html http://rhn.redhat.com/errata/RHSA-2017-0172.html http://rhn.redhat.com/errata/RHSA-2017-0173.html http://rhn.redhat.com/errata/RHSA-2017-0244.html http://rhn.redhat.com/errata/RHSA-2017-0245.html http://rhn.redhat.com/errata/RHSA-2017-0246.html http://rhn.redhat.com/errata/RHSA-2017-0247.html http://rhn.redhat.com/errata/RHSA-2017-0250.html http://www • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-8743 – httpd: Apache HTTP Request Parsing Whitespace Defects
https://notcve.org/view.php?id=CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. El servidor HTTP Apache, en todas las distribuciones anteriores a la 2.2.32 y la 2.4.25 era liberal en el espacio en blanco aceptado de peticiones y enviado en lineas y cabeceras de respuesta. La aceptación de estos comportamientos diferentes representaba un problema a nivel de seguridad cuando httpd participa en cualquier cadena de proxies o interactúa con servidores de aplicaciones backend, ya sea mediante mod_proxy o utilizando mecanismos CGI convencionales y puede dar lugar al tráfico de peticiones, división de respuestas y contaminación de la caché. It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. • http://rhn.redhat.com/errata/RHSA-2017-1415.html http://www.debian.org/security/2017/dsa-3796 http://www.securityfocus.com/bid/95077 http://www.securitytracker.com/id/1037508 https://access.redhat.com/errata/RHSA-2017:0906 https://access.redhat.com/errata/RHSA-2017:1161 https://access.redhat.com/errata/RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1721 https://h20566.www2.hpe.com/hpsc/doc/public/display • CWE-20: Improper Input Validation •