CVSS: 7.8EPSS: 4%CPEs: 29EXPL: 0CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
10 Mar 2023 — A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized i... • https://access.redhat.com/errata/RHSA-2023:1184 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 1%CPEs: 27EXPL: 1CVE-2019-14900 – hibernate: SQL injection issue in Hibernate ORM
https://notcve.org/view.php?id=CVE-2019-14900
12 May 2020 — A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. Se encontró un fallo en Hibernate ORM en versiones anteriores a 5.3.18, 5.4.18 y 5.5.0.Beta1. Una inyección SQL en la implementación de la API JPA Criteria pu... • https://github.com/shanika04/hibernate-orm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14860 – syndesis: default CORS configuration is allow all
https://notcve.org/view.php?id=CVE-2019-14860
30 Oct 2019 — It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information. Se detectó que la configuración de Syndesis para Cross-Origin Resource Sharing fue establecida para permitir todos los orígenes. Un atacante podría utilizar esta falta de protección para conducir ataques de phishing y acceder aún más a información no autorizada. This release of Red H... • https://access.redhat.com/errata/RHSA-2019:3892 • CWE-942: Permissive Cross-domain Policy with Untrusted Domains •
CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0CVE-2019-0201 – zookeeper: Information disclosure in Apache ZooKeeper
https://notcve.org/view.php?id=CVE-2019-0201
23 May 2019 — An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthentica... • http://www.securityfocus.com/bid/108427 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 2CVE-2018-10906 – fusermount - user_allow_other Restriction Bypass and SELinux Label Control
https://notcve.org/view.php?id=CVE-2018-10906
24 Jul 2018 — In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. En fuse, en v... • https://packetstorm.news/files/id/148749 • CWE-269: Improper Privilege Management CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 89%CPEs: 70EXPL: 6CVE-2018-1270 – spring-framework: Possible RCE via spring messaging
https://notcve.org/view.php?id=CVE-2018-1270
06 Apr 2018 — Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. Spring Framework, en versiones 5.0 anteriores a la 5.0.5 y versiones 4.3 anteriores a la 4.3.15, así como versiones más antiguas no soportadas, permite ... • https://packetstorm.news/files/id/147974 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-1233 – Debian Security Advisory 3451-1
https://notcve.org/view.php?id=CVE-2016-1233
22 Jan 2016 — An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl. Una regla udev no especificada en el paquete fuse de Debian en jessie en versiones anteriores a 2.9.3-15+deb8u2, en stretch en versiones anteriores a 2.9.5-1 y en sid en versiones anteriores a 2.9.5-1 fija lo... • http://www.debian.org/security/2016/dsa-3451 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 4CVE-2015-3202 – Fuse 2.9.3-15 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2015-3202
21 May 2015 — fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature. fusermount en FUSE anterior a 2.9.3-15 no limpia correctamente el entorno antes de llamar a (1) mount o (2) umount como root, lo que permite a usuarios locales escribir en ficheros arbitrarios a través de una variable de entorno LIBMOUNT_MTAB ... • https://packetstorm.news/files/id/132021 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 33EXPL: 0CVE-2011-0541 – fuse: unprivileged user can unmount arbitrary locations via symlink attack
https://notcve.org/view.php?id=CVE-2011-0541
02 Sep 2011 — fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack. Fuse v2.8.5 y anteriores no se comporta de forma adecuada cuando /etc/mtlab no puede ser actualizado, lo que permite a usuarios locales desmontar directorios de su elección a través de un ataque de enlaces simbólicos. • http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse%3Ba=commit%3Bh=bf5ffb5fd8558bd799791834def431c0cee5a11f • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 9.1EPSS: 0%CPEs: 33EXPL: 0CVE-2011-0542 – fuse: unprivileged user can unmount arbitrary locations via symlink attack
https://notcve.org/view.php?id=CVE-2011-0542
02 Sep 2011 — fusermount in fuse 2.8.5 and earlier does not perform a chdir to / before performing a mount or umount, which allows local users to unmount arbitrary directories via unspecified vectors. Fusermount en Fuse v2.8.5 y anteriores no realizar un chdir a / después de realizar el montado o desmontado, lo que permite a usuarios locales desmontar directorios de su elección a través de vectores no especificados. • http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse%3Ba=commit%3Bh=1e7607ff89c65b005f69e27aeb1649d624099873 • CWE-264: Permissions, Privileges, and Access Controls •