
トピトピニュース

Archive

Month: May 2022

251 Posts

Featured

Posted by Byakuya Biz Books
Why the Singapore-born coffee chain "Flash Coffee" grew to 250 stores in two years
Posted by Google Japan Blog
Privacy Awareness Week: tips for keeping your passwords and online accounts safe
Posted by ねっと特報
The reality of wiper attacks and digital information manipulation as seen in the war in Ukraine
Posted by Funglr Games (Japanese)
"Ace Combat" and "Top Gun: Maverick" in a dream collaboration! Maverick-skin "F-14A Tomcat" and "F/A-18E Super Hornet" are here!

[org.jenkins-ci.main:jenkins-core] Missing Authorization in Jenkins

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 10/26/2022

FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-21695
https://www.jenkins.io…

[apache-airflow] Missing Authentication for Critical Function in Apache Airflow

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/25/2022 09/21/2022

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, infor…

[org.jenkins-ci.plugins:nuget] XML external entity vulnerability in Jenkins Nuget Plugin

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/25/2022 09/08/2022

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-21658
https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2340
http://w…

[System.Drawing.Common] .NET Core Remote Code Execution Vulnerability

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/25/2022 10/26/2022

A remote code execution vulnerability exists when parsing certain types of graphics files. This vulnerability only exists on systems running on MacOS or Linux. This CVE ID is unique from CVE-2021-26701.
References

https://nvd.nist.gov/vuln/detail/CVE-…

[Microsoft.NETCore.App.Runtime.ios-arm] Denial of service in .NET core

  • Posted in MODERATE
  • Posted by GitHub
  • 05/25/2022 11/02/2022

.NET Core and Visual Studio Denial of Service Vulnerability, due to a flaw that exists when creating an HTTPS web request during X509 certificate chain building.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-1721
https://portal.msrc.micro…

[org.jenkins-ci.main:jenkins-core] Improper Input Validation in Jenkins

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 10/26/2022

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global config.xml file.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-21605
https://www.jen…

[jupyterhub] Cross-Site Request Forgery in JupyterHub

  • Posted in MODERATE
  • Posted by GitHub
  • 05/25/2022 09/10/2022

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
References

https://nvd.nist.gov/vuln/detail/CVE-2020-36191
https://github.com/jupyte…

[Microsoft.AspNetCore.App.Runtime.linux-musl-arm] ASP.NET Core and Visual Studio Denial of Service Vulnerability

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 11/04/2022

A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way Kestrel parses HTTP/2 requests. Users are advised to upgrade.
References

https://nvd.nist.gov/vul…

[org.keycloak:keycloak-core] Keycloak vulnerable to Server-Side Request Forgery

  • Posted in MODERATE
  • Posted by GitHub
  • 05/25/2022 10/08/2022

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) …

[io.jenkins.plugin-management:plugin-management-parent-pom] Download of Code Without Integrity Check in Jenkins Plugin Installation Manager

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/25/2022 09/08/2022

Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2320
https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-1856
http://www.openwall.com/lists/oss…
