CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9798 – Health endpoint offers list of onboarded services to unauthenticated users
https://notcve.org/view.php?id=CVE-2024-9798
10 Oct 2024 — The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers. El endpoint de salud es público, por lo que todos pueden ver una lista de todos los servicios. Es información potencialmente valiosa para los atacantes. • https://github.com/zowe/api-layer • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6834 – Imperative Local Command Injection allows Activity Masking
https://notcve.org/view.php?id=CVE-2024-6834
17 Jul 2024 — A vulnerability in APIML Spring Cloud Gateway which leverages user privileges by unexpected signing proxied request by Zowe's client certificate. This allows access to a user to the endpoints requiring an internal client certificate without any credentials. It could lead to managing components in there and allow an attacker to handle the whole communication including user credentials. Una vulnerabilidad en APIML Spring Cloud Gateway que aprovecha los privilegios del usuario mediante una solicitud de firma i... • https://github.com/zowe/api-layer • CWE-250: Execution with Unnecessary Privileges •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-4326 – Imperative Local Command Injection allows Activity Masking
https://notcve.org/view.php?id=CVE-2021-4326
22 Feb 2023 — A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI. • https://github.com/zowe/imperative •