In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remo…
[org.apache.ode:ode] Apache ODE Path Traversal vulnerability
The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing …
[org.graylog2:graylog2-server] Cross-site Scripting in Graylog Server
Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-11650
https://github.com/Graylog2/graylog2-server/pull/4727
http…
[org.graylog2:graylog2-server] Cross-site Scripting in Graylog
Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.
References
https://nvd.nist.gov/vuln/d…
[org.apache.struts:struts2-core] Special top object can be used to access Struts’ internals
ValueStack defines special top object which represents root of execution context. It can be used to manipulate Struts’ internals or can be used to affect container’s settings. Applying better regex which includes pattern to exclude request parameters t…
[org.apache.struts:struts2-core] Possible DoS attack when using URLValidator
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
References
https://nvd.nist.gov/vuln/…
[org.jvnet.hudson.plugins:groovy-postbuild] Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user’s brow…
[org.csanchez.jenkins.plugins:kubernetes] Exposure of Sensitive Information in Jenkins Kubernetes Plugin
A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.
References
https://nvd.nist.gov/vuln/deta…
[net.opentsdb:opentsdb] OpenTSDB Cross-site Scripting vulnerability
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter json to the /q URI.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-12973
https://github.com/OpenTSDB/opentsdb/issues/1240
https://github.com/advisories/GHSA-r68m-wq3x-2hqw
[io.jenkins:configuration-as-code] Jenkins Configuration as Code Plugin vulnerable to Exposure of Sensitive Information
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. Ve…