An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in…
[org.apache.activemq:activemq-openwire-generator] ActiveMQ’s OpenWire protocol exposes certain system details as plain text
When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15709
https://lists.apa…
[bootstrap] Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14040
https://github.com/twbs/bootstrap/issues/26423
https://github.com/twbs/bootstrap/issues/26625
https://github.c…
[Microsoft.NETCore.Jit] .NET Core Denial of Service Vulnerability
.NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 allow a denial of Service vulnerability due to how specially crafted requests are handled, aka “.NET Core Denial of Service Vulnerability”.
References
https://nvd.nist.gov/vuln/detai…
[org.jenkins-ci.main:jenkins-core] Improper Authorization in Jenkins Core
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me …
[org.jenkins-ci.main:jenkins-core] Improper Authorization in Jenkins Core
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefin…
[org.apache.mesos:mesos] Docker image code execution with Apache Mesos
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1…
[org.springframework.data:spring-data-rest-core] Remote code execution in PATCH requests in Spring Data REST
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) can use specially crafted JSON data to run arbitrary Java code.
References
https://nvd.nist.gov/vuln/detail/C…
[org.apache.deltaspike.modules:jsf-module-project] Cross-site Scripting in Apache DeltaSpike
The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get’s cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspi…
[com.github.pagehelper:pagehelper] MyBatis PageHelper vulnerable to time-blind SQL injection via orderBy parameter
MyBatis PageHelper versions 3.5.x through 5.3.x were discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28111
https://github.com/pagehelper/Mybatis-PageHelper
…