CVSS: 5.9EPSS: 1%CPEs: 73EXPL: 0CVE-2019-2684 – OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)
https://notcve.org/view.php?id=CVE-2019-2684
17 Apr 2019 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded a... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00007.html •
CVSS: 5.4EPSS: 1%CPEs: 4EXPL: 0CVE-2019-1003050
https://notcve.org/view.php?id=CVE-2019-1003050
10 Apr 2019 — The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names. El control de formulario f: validateButton para la interfaz de usuario de Jenkins no escapa apropiadamente de las URL de tareas en Jenkins versión 2.171 y anteriores y Jenkins LTS versión 2.164.1 y anteriores, resultando en una vulnerabilidad d... • http://www.securityfocus.com/bid/107889 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 4EXPL: 0CVE-2019-1003049
https://notcve.org/view.php?id=CVE-2019-1003049
10 Apr 2019 — Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. Los usuarios que almacenaron su autenticación CLI antes de que Jenkins se actualizara a la versión 2.150.2 o posteriores, o a la versión 2.160 o posteriores, permanecerían autenticados en... • http://www.securityfocus.com/bid/107901 • CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 87%CPEs: 68EXPL: 6CVE-2019-0211 – Apache HTTP Server Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-0211
03 Apr 2019 — In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. En Apache HTTP Server 2.4, versiones 2.4.17 a 2.4.38, con el evento MPM, worker o prefork, el código ejecutándose en procesos hijo (o hilos) m... • https://packetstorm.news/files/id/152441 • CWE-250: Execution with Unnecessary Privileges CWE-416: Use After Free •
CVSS: 6.4EPSS: 49%CPEs: 7EXPL: 1CVE-2019-1002101 – kubectl cp path traversal
https://notcve.org/view.php?id=CVE-2019-1002101
01 Apr 2019 — The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. ... • https://github.com/brompwnie/CVE-2019-1002101-Helpers • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 10%CPEs: 5EXPL: 0CVE-2019-1002100 – kube-apiserver: DoS with crafted patch of type json-patch
https://notcve.org/view.php?id=CVE-2019-1002100
01 Apr 2019 — In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type: application/json-patch+json"`) that consumes excessive resources while processing, causing a Denial of Service on the API Server. En todas las versiones de Kubernetes anteriores a las v1.11.8, v1.12.6 y v1.13.4, los usuarios autorizados para realizar peticio... • http://www.securityfocus.com/bid/107290 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 0CVE-2019-1003040 – jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003040
28 Mar 2019 — A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en sus versiones 1.55 y anteriores, permite a los atacantes invocar constructores arbitrarios en los scripts en "sandbox". A flaw was found in the Jenkins Script Security plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing a... • http://www.openwall.com/lists/oss-security/2019/03/28/2 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 0CVE-2019-1003041 – jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003041
28 Mar 2019 — A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Una vulnerabilidad de omisión de sandbox en Jenkins Pipeline: el plugin "groovy", en sus versiones 2.64 y anteriores, permite a los atacantes invocar constructores arbitrarios en los scripts en "sandbox". A flaw was found in the Jenkins Workflow CPS plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowi... • http://www.openwall.com/lists/oss-security/2019/03/28/2 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 6.1EPSS: 2%CPEs: 2EXPL: 0CVE-2019-3826
https://notcve.org/view.php?id=CVE-2019-3826
26 Mar 2019 — A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts. Se ha detectado un error de Cross-Site Scripting (XSS) almacenado basado en DOM en Prometheus, en versiones anteriores a la 2.7.1. Un atacante podría explotar esta vulnerabilidad convenciendo a un usuario autenticado para que v... • https://access.redhat.com/errata/RHBA-2019:0327 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 4EXPL: 12CVE-2019-7609 – Kibana Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2019-7609
25 Mar 2019 — Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecución de código arbitrario en el visualizador Timelion. Un atacante con ac... • https://packetstorm.news/files/id/174569 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •