CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0164 – mcollective: world readable client config
https://notcve.org/view.php?id=CVE-2014-0164
02 May 2014 — openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file. openshift-origin-broker-util, utilizado en Red Hat OpenShift Enterprise 1.2.7 y 2.0.5, utiliza permisos de lectura universal para el archivo de configuración de mcollective client.cfg, lo que permite a usuarios locales obtener credenciales y ... • http://rhn.redhat.com/errata/RHSA-2014-0460.html • CWE-310: Cryptographic Issues CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0188 – OpenShift: openshift-origin-broker plugin allows impersonation
https://notcve.org/view.php?id=CVE-2014-0188
23 Apr 2014 — The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger. El openshift-origin-broker en Red Hat OpenShift Enterprise 2.0.5, 1.2.7, y anteriores no maneja adecuadamente las peticiones de autenticación provenientes del plugin de autenticación de us... • http://rhn.redhat.com/errata/RHSA-2014-0422.html • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2014-1869 – stapler-adjunct-zeroclipboard: multiple cross-site scripting (XSS) flaws
https://notcve.org/view.php?id=CVE-2014-1869
08 Feb 2014 — Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters (aka loaderInfo.parameters). Múltiples vulnerabilidades de XSS en ZeroClipboard.swf en ZeroClipboard anterior a 1.3.2, mantenido por Jon Rohan y James M. Greene, permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de vect... • http://secunia.com/advisories/56821 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 91%CPEs: 7EXPL: 2CVE-2013-2186 – commons-fileupload: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2186
16 Oct 2013 — The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. La clase DiskFileItem en Apache Commons FileUpload, tal como se utiliza en Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2 y 6.0.0; y Red Hat JBoss Web Server 1.0.2 permite a atacantes remotos escribir en archivos arbitrarios a tr... • https://github.com/GrrrDog/ACEDcup • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 5.8EPSS: 0%CPEs: 25EXPL: 0CVE-2012-2125 – rubygems: Two security fixes in v1.8.23
https://notcve.org/view.php?id=CVE-2012-2125
04 Sep 2013 — RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. RubyGems anteriores a 1.8.23 pueden redirigir conexiones HTTPS a HTTP, lo cual facilita a atacantes remotos observar o modificar una gema durante la instalación a través de un ataque man-in-the-middle. Red Hat Enterprise MRG is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, rel... • http://rhn.redhat.com/errata/RHSA-2013-1203.html •
CVSS: 4.3EPSS: 0%CPEs: 25EXPL: 0CVE-2012-2126 – rubygems: Two security fixes in v1.8.23
https://notcve.org/view.php?id=CVE-2012-2126
04 Sep 2013 — RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack. RubyGems anteriores a 1.8.23 no verifican un certificado SSL, lo cual permite a atacantes remotos modificar una gema durante la instalación a través de un ataque man-in-the-middle. Red Hat Enterprise MRG is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing ... • http://rhn.redhat.com/errata/RHSA-2013-1203.html • CWE-310: Cryptographic Issues •
CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 0CVE-2013-2119 – rubygem-passenger: incorrect temporary file usage
https://notcve.org/view.php?id=CVE-2013-2119
05 Aug 2013 — Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. Las versiones 3.0.21 y 4.0.x anteriores a 4.0.5 de la gema Phusion Passenger para Ruby permite a usuarios locales causar denegación de servicio (prevención de inicio de la aplicación) u obtener privilegios creando un fichero "con... • http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0164 – openshift-origin-port-proxy: openshift-port-proxy-cfg lockwrap() tmp file creation
https://notcve.org/view.php?id=CVE-2013-0164
24 Feb 2013 — The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. La función "lockwrap" en port-proxy/bin/openshift-port-proxy-cfg en Red Hat OpenShift Origin anterior a v1.1 permite a usuarios locales sobrescribir archivos arbitrarios mediante un ataque de enlaces simbólicos en un archivo temporal con un nombre predecible en /tmp. • http://rhn.redhat.com/errata/RHSA-2013-0220.html • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5658 – Origin: rhc-chk.rb password exposure in log files
https://notcve.org/view.php?id=CVE-2012-5658
24 Feb 2013 — rhc-chk.rb in Red Hat OpenShift Origin before 1.1, when -d (debug mode) is used, outputs the password and other sensitive information in cleartext, which allows context-dependent attackers to obtain sensitive information, as demonstrated by including log files or Bugzilla reports in support channels. RHC-chk.rb en Red Hat OpenShift Origin anterior a v1,1, cuando -d (modo de depuración) se utiliza, muestra la contraseña y otra información confidencial en texto plano, lo que permite a atacantes dependientes d... • http://rhn.redhat.com/errata/RHSA-2013-0220.html • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5646 – openshift-origin-node-util: restorer.php preg_match shell code injection
https://notcve.org/view.php?id=CVE-2012-5646
24 Feb 2013 — node-util/www/html/restorer.php in the Red Hat OpenShift Origin before 1.0.5-3 allows remote attackers to execute arbitrary commands via a crafted uuid in the PATH_INFO. node-util/www/html/restorer.php en Red Hat OpenShift Origin anterior a v1.0.5-3 permite a atacantes remotos ejecutar comandos arbitrarios mediante un uuid falsificado en el PATH_INFO. • http://rhn.redhat.com/errata/RHSA-2013-0148.html • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •