CVSS: 7.5EPSS: 83%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45383
https://notcve.org/view.php?id=CVE-2022-45383
An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. Una verificación de permisos incorrecta en Jenkins Support Core Plugin 1206.v14049fa_b_d860 y versiones anteriores permite a atacantes con permiso Support/DownloadBundle descargar un paquete de soporte creado previamente que contiene información limitada a usuarios con permiso General/Administrador. • http://www.openwall.com/lists/oss-security/2022/11/15/4 https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25187
https://notcve.org/view.php?id=CVE-2022-25187
Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Jenkins Support Core Plugin versiones 2.79 y anteriores, no redacta determinada información confidencial en el paquete de soporte • https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2186 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21621
https://notcve.org/view.php?id=CVE-2021-21621
Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations. Jenkins Support Core Plugin versiones 2.72 y anteriores, proporcionan la autenticación de usuario serializada como parte de la información "About user (basic authentication details only)", que puede incluir el ID de sesión del usuario creando el paquete de soporte en algunas configuraciones • https://www.jenkins.io/security/advisory/2021-02-24/#SECURITY-2150 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16539
https://notcve.org/view.php?id=CVE-2019-16539
A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles. Una falta de comprobación de permisos en Jenkins Support Core Plugin versión 2.63 y anteriores, permite a atacantes con permiso General y de Lectura eliminar paquetes de soporte. • http://www.openwall.com/lists/oss-security/2019/11/21/1 https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1634 • CWE-281: Improper Preservation of Permissions •