It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized m…
[org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline] Incorrect Authorization in Puppet Enterprise Pipeline Jenkins Plugin
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
References
https://nvd.nist.gov/vuln/…
[com.elasticbox.jenkins-ci.plugins:elasticbox] Cleartext Storage of Sensitive Information in Jenkins ElasticBox CI Plugin
Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
References
https://nvd.nist.gov/vuln/detail/CVE-2019…
[jenkins.xtc:extensivetesting] Cleartext Storage of Sensitive Information in Jenkins Extensive Testing Plugin
Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
References
https://nvd.nist.gov/vuln/de…
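The two cleartext-storage advisories above (ElasticBox CI and Extensive Testing) share one root cause: a plugin persists a credential as a plain `String` field, so Jenkins' XStream serializer writes it verbatim into `config.xml`. The following is an added example, not code from either plugin, showing the weak field beside the form Jenkins expects. It assumes a hypothetical plugin global configuration class (`ExampleGlobalConfiguration`, field `apiToken`) and the standard Jenkins core API (`hudson.util.Secret`, `jenkins.model.GlobalConfiguration`).

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Hypothetical plugin configuration used only for this example; it is not the
// ElasticBox CI or Extensive Testing plugin's own code.
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // Weak pattern (what the advisories describe): a String field is written as-is into
    // $JENKINS_HOME/config.xml, so anyone who can read the master file system, or fetch
    // the XML through Extended Read, recovers the credential.
    //
    //     private String apiToken;

    // Hardened pattern: Secret is serialized as ciphertext under the instance's master key
    // and only turned back into plaintext in memory when a caller asks for it.
    private Secret apiToken;

    public ExampleGlobalConfiguration() {
        load(); // repopulate from config.xml at startup; Secret fields are decrypted lazily
    }

    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save(); // persists the encrypted form, never the plaintext
    }

    // Migration helper for a value that an older release stored as a plain String.
    // Secret.fromString accepts either an already-encrypted value or raw plaintext, so
    // re-saving once converts legacy config.xml entries to the encrypted form.
    public void migrateFromLegacy(String legacyValue) {
        if (legacyValue != null && !legacyValue.isEmpty()) {
            setApiToken(Secret.fromString(legacyValue));
        }
    }

    // Call site: decrypt only at the moment the value is needed and do not log the result.
    String authorizationHeader() {
        return "Bearer " + Secret.toString(apiToken);
    }
}
```

A quick check after the change: with a test credential configured, `grep -F '<apiToken>' "$JENKINS_HOME/config.xml"` should show a base64-looking ciphertext, not the value that was typed into the form. The same pattern applies to per-job fields in job `config.xml`, where Extended Read permission alone is enough to read the file.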
[org.glassfish:javax.faces] Cross-site Scripting in Eclipse Mojarra
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces, allows Reflected XSS because a client window field is mishandled.
References
https://nvd.nist.gov/vuln/detail…
[io.fabric8.pipeline:kubernetes-pipeline-arquillian-steps] Incorrect Authorization in Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin
Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allows attackers to invoke arbitrary methods, bypassing typical sandbox protection.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10…
[io.fabric8.pipeline:kubernetes-pipeline-steps] Incorrect Authorization in Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin
Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allows attackers to invoke arbitrary methods, bypassing typical sandbox protection.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10…
[org.apereo.cas:cas-server-support-simple-mfa] Use of Insufficiently Random Values in Apereo CAS
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated values predictable because the PRNG behind RandomStringUtils (a java.util.Random instance) is not cryptographically strong.
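To make the weakness concrete, the following added example (not CAS code, and not necessarily the fix CAS shipped) contrasts the predictable call with two cryptographically sound alternatives. It assumes commons-lang3 on the classpath; the class and method names `TokenGeneration`, `weakToken`, `strongToken` and `strongTokenWithoutCommons` are chosen for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

// Example class for illustration only; not part of Apereo CAS.
public final class TokenGeneration {

    private static final int TOKEN_LENGTH = 32;      // characters for the commons-lang3 variants
    private static final int TOKEN_BYTES = 32;       // 256 bits of entropy for the raw variant

    // SecureRandom is thread-safe and should be created once, not per request.
    private static final SecureRandom SECURE = new SecureRandom();

    // Predictable (the pattern the advisory describes): the no-argument RandomStringUtils
    // helpers draw from a shared java.util.Random, a 48-bit linear congruential generator.
    // Its internal state can be recovered from a small number of observed outputs, after
    // which every past and future token is computable.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
    }

    // Fixed while keeping commons-lang3: the library exposes an overload that takes the
    // java.util.Random to use. Passing a SecureRandom (a subclass of Random) makes the
    // output unpredictable. start=0 and end=0 with letters=numbers=true select the
    // default alphanumeric range, matching randomAlphanumeric's character set.
    static String strongToken() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, SECURE);
    }

    // Fixed without commons-lang3: fill a byte array from SecureRandom and encode it.
    // URL-safe base64 without padding yields a 43-character token from 32 bytes that is
    // safe to place in URLs and headers.
    static String strongTokenWithoutCommons() {
        byte[] raw = new byte[TOKEN_BYTES];
        SECURE.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakToken());
        System.out.println("strong : " + strongToken());
        System.out.println("strong2: " + strongTokenWithoutCommons());
    }
}
```

When reviewing a code base for this class of bug, the search target is any call into `RandomStringUtils`, `java.util.Random`, `Math.random()` or `ThreadLocalRandom` on a path that produces a session identifier, reset token, nonce or one-time code; the length of the output is irrelevant if the generator's state is recoverable.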
…
[org.apache.jspwiki:jspwiki-main] Cross-site Scripting in Apache JSPWiki
In Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in …
[org.gradle:gradle-core] Use of a weak cryptographic algorithm in Gradle
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
References
https://nvd.nist….