CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2016-0789 – jenkins: HTTP response splitting vulnerability (SECURITY-238)
https://notcve.org/view.php?id=CVE-2016-0789
07 Apr 2016 — CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en la documentación de comando de la CLI en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de separación de respuesta HTTP ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2016-0790 – jenkins: Non-constant time comparison of API token (SECURITY-241)
https://notcve.org/view.php?id=CVE-2016-0790
07 Apr 2016 — Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 no utiliza un algoritmo de tiempo constante para verificar tokens API, lo que hace más fácil para atacantes remotos determinar tokens API a través de una aproximación por fuerza bruta. OpenShift Enterprise by Red Hat is the company's ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2016-0791 – jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)
https://notcve.org/view.php?id=CVE-2016-0791
07 Apr 2016 — Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 no utiliza un algoritmo de tiempo constante para verificar tokens CSRF, lo que hace más fácil para atacantes remotos eludir el mecanismo de protección CSRF a través de una aproximación por fuerza bruta. OpenShift Enterp... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 96%CPEs: 3EXPL: 7CVE-2016-0792 – Jenkins < 1.650 - Java Deserialization
https://notcve.org/view.php?id=CVE-2016-0792
07 Apr 2016 — Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. Múltiples terminales API no especificadas en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permiten a usuarios remotos autenticados ejecutar código arbitrario a través de datos serializados en un archivo XML, relacionado con XStream y groovy.util.Expando. O... • https://packetstorm.news/files/id/143523 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 25%CPEs: 6EXPL: 0CVE-2016-2074 – openvswitch: MPLS buffer overflow vulnerability
https://notcve.org/view.php?id=CVE-2016-2074
29 Mar 2016 — Buffer overflow in lib/flow.c in ovs-vswitchd in Open vSwitch 2.2.x and 2.3.x before 2.3.3 and 2.4.x before 2.4.1 allows remote attackers to execute arbitrary code via crafted MPLS packets, as demonstrated by a long string in an ovs-appctl command. Desbordamiento de buffer en lib/flow.c en ovs-vswitchd en Open vSwitch 2.2.x y 2.3.x en versiones anteriores a 2.3.3 y 2.4.x en versiones anteriores a 2.4.1 permite a atacantes remotos ejecutar código arbitrario a través de paquetes MPLS manipulados, según lo dem... • http://openvswitch.org/pipermail/announce/2016-March/000082.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7537 – jenkins: CSRF vulnerability in some administrative actions (SECURITY-225)
https://notcve.org/view.php?id=CVE-2015-7537
27 Jan 2016 — Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method. Vulnerabilidad de CSRF en Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos secuestrar la autenticación de los administradores en peticiones que tienen un impacto no especificado a través de vectores re... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7538 – jenkins: CSRF protection ineffective (SECURITY-233)
https://notcve.org/view.php?id=CVE-2015-7538
27 Jan 2016 — Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos eludir el mecanismo de protección CSRF a través de vectores no especificados. OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issues are addressed ... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.6EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7539 – jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)
https://notcve.org/view.php?id=CVE-2015-7539
27 Jan 2016 — The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin. The Plugins Manager in Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 no verifica sumas de comprobación para archivos de plugin referenciados en datos del sitio de actualización, lo que facilita a atacantes man-in-the-middle ejecutar c... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 2%CPEs: 27EXPL: 3CVE-2015-5254 – ObjectMessage: unsafe deserialization
https://notcve.org/view.php?id=CVE-2015-5254
08 Jan 2016 — Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. Apache ActiveMQ 5.x en versiones anteriores a 5.13.0 no restringe las clases que pueden ser serializadas en el broker, lo que permite a atacantes remotos ejecutar código arbitrario a través de un objeto ObjectMessage Java Message Service (JMS) serializado manipulado. It was found... • https://github.com/jas502n/CVE-2015-5254 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-7528 – OpenShift: pod log location must validate container if provided
https://notcve.org/view.php?id=CVE-2015-7528
03 Dec 2015 — Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name. Kubernetes en versiones anteriores a 1.2.0-alpha.5 permite a atacantes remotos leer logs de pod arbitrarios a través de un nombre de contenedor. It was found that OpenShift's API back end did not verify requests for pod log locations, allowing a pod on a Node to request logs for any other pod on that Node. A remote attacker could use this flaw to view sensitive information via pod logs that they would no... • http://rhn.redhat.com/errata/RHSA-2015-2615.html • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •