CVSS: 6.8EPSS: 0%CPEs: 13EXPL: 0CVE-2022-42439 – IBM App Connect Enterprise information disclosure
https://notcve.org/view.php?id=CVE-2022-42439
IBM App Connect Enterprise 11.0.0.17 through 11.0.0.19 and 12.0.4.0 and 12.0.5.0 contains an unspecified vulnerability in the Discovery Connector nodes which may cause a 3rd party system’s credentials to be exposed to a privileged attacker. IBM X-Force ID: 238211. • https://exchange.xforce.ibmcloud.com/vulnerabilities/238211 https://www.ibm.com/support/pages/node/6952435 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-35513 – kernel: Nfsd failure to clear umask after processing an open or create
https://notcve.org/view.php?id=CVE-2020-35513
A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if both simultaneously accessing the NFS by the other process that is not using new NFSv4.2. A user with access to the NFS could use this flaw to starve the resources causing denial of service. Se encontró un fallo sin máscara incorrecto durante la modificación de archivos o directorios en la funcionalidad Linux kernel NFS (sistema de archivo de red) en la manera en que el usuario crea y elimina objetos usando NFSv4.2 o más reciente si ambos acceden simultáneamente al NFS por el otro proceso que no está usando el nuevo NFSv4.2. Un usuario con acceso al NFS podría usar este fallo para privar de recursos causando una denegación de servicio • https://bugzilla.redhat.com/show_bug.cgi?id=1911309 https://patchwork.kernel.org/project/linux-nfs/patch/20180403203916.GH20297%40fieldses.org https://access.redhat.com/security/cve/CVE-2020-35513 • CWE-271: Privilege Dropping / Lowering Errors •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1760 – ceph: header-splitting in RGW GetObject has a possible XSS
https://notcve.org/view.php?id=CVE-2020-1760
A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. Se encontró un fallo en Ceph Object Gateway, donde admite peticiones enviadas por un usuario anónimo en Amazon S3. Este fallo podría conllevar a posibles ataques de tipo XSS debido a una falta de neutralización apropiada de una entrada no segura. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1760 https://lists.debian.org/debian-lts-announce/2021/08/msg00013.html https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P3A2UFR5IUIEXJUCF64GQ5OVLCZGODXE https://security.gentoo.org/glsa/202105-39 https://usn.ubuntu.com/4528-1 https://www.openwall.com/lists/oss-security/2020/04/07/1 https://access.redhat.com/security/cve/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 21EXPL: 1CVE-2020-8945 – CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
https://notcve.org/view.php?id=CVE-2020-8945
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. El contenedor Proglottis Go versiones anteriores a 0.1.1 para la biblioteca GPGME, presenta un uso de la memoria previamente liberada, como es demostrado por el uso para las extracciones de imágenes de contenedores para Docker o CRI-O. Esto conlleva a un bloqueo o posible ejecución de código durante una comprobación de la firma GPG. A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. • https://access.redhat.com/errata/RHSA-2020:0679 https://access.redhat.com/errata/RHSA-2020:0689 https://access.redhat.com/errata/RHSA-2020:0697 https://bugzilla.redhat.com/show_bug.cgi?id=1795838 https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1 https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1 https://github.com/proglottis/gpgme/pull/23 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIF • CWE-416: Use After Free •
CVSS: 7.0EPSS: 0%CPEs: 17EXPL: 0CVE-2019-19921 – runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation
https://notcve.org/view.php?id=CVE-2019-19921
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.) runc versiones hasta 1.0.0-rc9, posee un Control de Acceso Incorrecto conllevando a una escalada de privilegios, relacionado con el archivo libcontainer/rootfs_linux.go. Para explotar esto, un atacante debe ser capaz de generar dos contenedores con configuraciones de montaje de volumen personalizadas y ser capaz de ejecutar imágenes personalizadas. (Esta vulnerabilidad no afecta a Docker debido a un detalle de implementación que bloquea el ataque). • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html https://access.redhat.com/errata/RHSA-2020:0688 https://access.redhat.com/errata/RHSA-2020:0695 https://github.com/opencontainers/runc/issues/2197 https://github.com/opencontainers/runc/pull/2190 https://github.com/opencontainers/runc/releases https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3S • CWE-41: Improper Resolution of Path Equivalence CWE-706: Use of Incorrectly-Resolved Name or Reference •