CVE-2020-24333
https://notcve.org/view.php?id=CVE-2020-24333
A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only” or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing a specific API. Una vulnerabilidad en CloudVision Portal (CVP) de Arista versiones anteriores a 2020.2, permite a usuarios con derechos de acceso "read-only" o superiores en el módulo Configlet Management descargar archivos no previstos para acceso, ubicados en el servidor CVP, mediante el acceso a una API específica • https://www.arista.com/en/support/advisories-notices https://www.arista.com/en/support/advisories-notices/security-advisories/11706-security-advisory-51 •
CVE-2020-13881
https://notcve.org/view.php?id=CVE-2020-13881
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used. En el archivo support.c en pam_tacplus versiones 1.3.8 hasta 1.5.1, el secreto compartido TACACS+ es registrado por medio de syslog si el nivel de registro DEBUG y journald son usados • http://www.openwall.com/lists/oss-security/2020/06/08/1 https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 https://github.com/kravietz/pam_tacplus/issues/149 https://lists.debian.org/debian-lts-announce/2020/06/msg00007.html https://lists.debian.org/debian-lts-announce/2021/08/msg00006.html https://usn.ubuntu.com/4521-1 https://www.arista.com/en/support/advisories-notices/security-advisories/11705-security-advisory-50 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2019-17596 – golang: invalid public key causes panic in dsa.Verify
https://notcve.org/view.php?id=CVE-2019-17596
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. Go versiones anteriores a 1.12.11 y versiones 1.3.x anteriores a 1.13.2, puede entrar en pánico tras intentar procesar el tráfico de red que contiene una clave pública DSA no válida. Existen varios escenarios de ataque, tal y como el tráfico de un cliente hacia un servidor que comprueba los certificados del cliente. • https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596 http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html https://access.redhat.com/errata/RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0329 https://github.com/golang/go/issues/34960 https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https& • CWE-295: Improper Certificate Validation CWE-436: Interpretation Conflict •