Page 9 of 52 results (0.009 seconds)

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

CVE-2019-10150 – atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository

https://notcve.org/view.php?id=CVE-2019-10150

It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output. Se encontró que OpenShift Container Platform versiones 3.6.x hasta 4.6.0, no realizan la comprobación de clave del host SSH cuando es usada la autenticación de la clave ssh durante las compilaciones. Un atacante, con la capacidad de redireccionar el tráfico de la red, podría usar esto para alterar la salida de compilación resultante. It was found that OpenShift Container Platform does not perform SSH Host Key checking when using ssh key authentication during builds. • https://access.redhat.com/errata/RHSA-2019:2989 https://access.redhat.com/errata/RHSA-2019:3007 https://access.redhat.com/errata/RHSA-2019:3143 https://access.redhat.com/errata/RHSA-2019:3811 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150 https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication https://access.redhat.com/security/cve/CVE-2019-10150 https://bugzilla.redhat.com/show_bug.cgi?id=1713433 • CWE-287: Improper Authentication •

CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0

CVE-2019-11244 – kubectl creates world-writeable cached schema files

https://notcve.org/view.php?id=CVE-2019-11244

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation. En Kubernetes versión 1.8.x hasta versión 1.14.x, el componente kubectl almacena en caché la información del esquema en la ubicación especificada por --cache-dir (defaulting to $HOME/.kube/http-cache), escrita con permisos world-writeable (rw-rw-rw-). Si se especifica --cache-dir y se apunta a una ubicación distinta accesible para otros usuarios o grupos, los archivos escritos pueden ser modificados por otros usuarios o grupos e interrumpir la invocación de Kubectl. A flaw was found in kubectl that leaves http-cache files with read/write permissions for any user. • http://www.securityfocus.com/bid/108064 https://access.redhat.com/errata/RHSA-2019:3942 https://access.redhat.com/errata/RHSA-2020:0020 https://access.redhat.com/errata/RHSA-2020:0074 https://github.com/kubernetes/kubernetes/issues/76676 https://security.netapp.com/advisory/ntap-20190509-0002 https://access.redhat.com/security/cve/CVE-2019-11244 https://bugzilla.redhat.com/show_bug.cgi?id=1703209 • CWE-524: Use of Cache Containing Sensitive Information CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 9.8EPSS: 1%CPEs: 14EXPL: 0

CVE-2018-11307 – jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis

https://notcve.org/view.php?id=CVE-2018-11307

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. Se detectó un problema en jackson-databind versiones 2.0.0 hasta 2.9.5 de FasterXML. El uso de escritura predeterminada de Jackson junto con una clase de gadget de iBatis permite la exfiltración de contenido. • https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:3002 https://access.redhat.com/errata/RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA • CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 9

CVE-2019-7609 – Kibana Arbitrary Code Execution

https://notcve.org/view.php?id=CVE-2019-7609

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecución de código arbitrario en el visualizador Timelion. Un atacante con acceso a la aplicación Timelion podría enviar una petición que intente ejecutar código javascript. • https://github.com/LandGrey/CVE-2019-7609 https://github.com/mpgn/CVE-2019-7609 https://github.com/hekadan/CVE-2019-7609 https://github.com/rhbb/CVE-2019-7609 https://github.com/wolf1892/CVE-2019-7609 https://github.com/Akshay15-png/CVE-2019-7609 https://github.com/dnr6419/CVE-2019-7609 https://github.com/OliveiraaX/CVE-2019-7609-KibanaRCE http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html https://access.redhat.com/errat • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.8EPSS: 2%CPEs: 4EXPL: 0

CVE-2019-0542 – xterm.js: Mishandling of special characters allows for remote code execution

https://notcve.org/view.php?id=CVE-2019-0542

A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js. Existe una vulnerabilidad de ejecución remota de código en Xterm.js cuando el componente maneja mal los caracteres especiales, también conocida como "Xterm Remote Code Execution Vulnerability". Esto afecta a xterm.js It was found that xterm.js does not sanitize terminal escape sequences in browser terminals allowing for execution of arbitrary commands. An attacker could exploit this by convincing a user with a xterm.js browser terminal to display an escape sequence by, for example, reading a from a log file containing attacker-controlled input. • http://www.securityfocus.com/bid/106434 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:1422 https://access.redhat.com/errata/RHSA-2019:2551 https://access.redhat.com/errata/RHSA-2019:2552 https://github.com/xtermjs/xterm.js/releases https://access.redhat.com/security/cve/CVE-2019-0542 https://bugzilla.redhat.com/show_bug.cgi?id=1668531 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •